Some plugins, typically selectors, do not need to interact with the user to do their job. Making these plugins API-capable is straightforward. You still implement the AuthnApiPlugin interface, but you can just return null from the getApiSpec() method. You then override the default implementation of getApiPluginDescriptor() and return an AuthnApiPluginDescriptor instance with the interactive flag set to false. As with many other classes in the SDK, there is an AuthnApiPluginDescriptor.Builder class to help in creating the descriptor.
When interactive is false, PingFederate knows that it never needs to redirect when it encounters your selector. If the request is occurring on the API endpoint, PingFederate can immediately call selectContext(). The same is true if the request is occurring on a front-channel endpoint, such as /as/authorization.oauth2.
If your selector does not implement AuthnApiPlugin, then PingFederate assumes that only a front-channel endpoint can call your selector. If PingFederate encounters your selector while executing an API request, PingFederate will send a RESUME response to the API client so that the user is redirected to PingFederate.