You'll create a Meme Game application in PingOne that has access to the Meme Game API. First, add a scope to the Meme Game API service. Then, add a single-page application that represents the browser-based game. Last, grant permission for the Meme Game application to access the Meme Game API service.

  1. Add a scope to the Meme Game API service:
    1. In the Meme Game API service in PingOne, click the Advanced tab.
      Tip:

      If you need to find the Meme Game API service in PingOne, go to Authorize > API Services.

      Screen capture of the API Services Advanced tab in PingOne.
    2. Click Configure Scopes, and then click + Add Scope.
    3. Click the Name field and enter the following scope:

      meme-game

      Screen capture of the scope Name field in the Configure Scopes window.
    4. Click Save.

    Now you’re ready to add the Meme Game application in PingOne.

    Note:

    You don’t have to add a resource for the Meme Game like you did for the banking application. When you add a managed API service in PingOne, the resource is created automatically.

  2. Add a single-page application for the Meme Game:
    1. Go to Connections > Applications and click the + icon to add an application.
    2. For the Application Name, enter Meme Game as a unique identifier for the application, and then enter a meaningful Description.
    3. For the Application Type, click Single-Page.
      Screen capture of the Name and Description fields and the Application Type options for a new application in PingOne.
    4. Click Save.
  3. To enable the application, click the Enable toggle.
  4. Configure the Meme Game application to act as an API client without any notion of users.

    Later, this makes testing easier because you won't have to configure users.

    1. On the Configuration tab, click the Pencil icon.
    2. Under Grant Type, select the Client Credentials check box, and then under Token Endpoint Authentication Method, click the Client Secret Basic option.
    3. For Redirect URIs, enter the following redirect:

      https://oauth.pstmn.io/v1/callback

      This enables you to sign on as a user from Postman in a later tutorial.

    4. Click Save.
  5. Grant an OAuth scope to your application.

    This allows your application to access Meme Game APIs.

    1. Click the Resources tab, and then click the Pencil icon.
    2. Select the meme-game check box.
      Screen capture of Edit Resources showing the available scopes for the Meme Game application.
    3. Click Save.

      Next, you’ll populate variables in Postman for your new application.

  6. Set up Postman and send requests:
    1. On the Configuration tab of the Meme Game application, expand the General section, copy the following values into corresponding current values on the Variables tab in Postman:
      • Client ID: The Postman variable is gameClientId.
      • Client Secret: The Postman variable is gameClientSecret.
    2. In Postman, click Save to save the current values you assigned.

      You’re ready to send a request to get an access token.

    3. In Postman, select the Get Token as Game Client request and click Send.
      Screen capture of the Get Token as Game Client request in Postman.

      The access token is in the response and it has the meme-game scope.

      Screen capture of the access token response body in Postman.

      Postman, acting as the Meme Game application, has an access token for the Meme Game API. Try a Postman request to see if the Meme Game application can get memes.

    4. In Postman, select the Get all memes by user.0 request and click Send.

      You get a 200 OK response with data in the response body. You’ve configured access control for two applications: one that can access the Meme Game API and one that can’t.

      Check the banking application again to make sure it can’t access the Meme Game API now. First, get an access token for the banking application. Then, retry the request to get memes.

    5. Select the Get Token as Bank App request and click Send.

      Your access token has the banking scope.

    6. Select the Get all memes by user.0 request and click Send.

      You get a 401 Unauthorized response.

      Not getting the right results? See Viewing API Access Management events in your PingOne environment audit log.

Congratulations! By configuring a plugin that connects Kong Gateway to PingOne, you’ve centralized the management of API access control in PingOne. Now you don’t have to deal with the intricacies of OAuth or the risks of a distributed configuration for permissions and access control.

In this tutorial, you connected PingOne to Kong Gateway and configured applications and a managed API service in PingOne. By controlling which applications are authorized to connect to the managed API service, you demonstrated that only authorized clients are able to access managed APIs.

Learn more about additional API Access Management capabilities of PingOne Authorize in the tutorial for user-based access control for specific API operations.