Configuring a redirect for a device custom verification URI - PingOne

Configuring a redirect for a device custom verification URI - PingOne - PingOne Cloud Platform

PingOne Cloud Platform

bundle

pingone

ft:publication_title

PingOne Cloud Platform

Product_Version_ce

PingOne

PingOne Cloud Platform

category

Administratorguide

ContentType

Guide

Product

Productdocumentation

p1cloudplatform

ContentType_ce

Guide

Product documentation

Guide > Administrator Guide

If the Device Custom Verification URI setting is configured for a device authorization application, the administrator must configure a redirect to which PingOne forwards the OIDC response after authentication.

The format of the redirect depends on a combination of two factors:

Is a custom domain configured for the environment?
Is the Device Path ID configured for the application?

Configure your redirects based on the information in the following table:

Redirect formats for device custom verification URI
Custom domain configured for the environment?	Device Path ID configured?	Valid formats for redirects
Yes	Yes	https://`<customDomain>`/device/`<clientId>`?user_code=`<userCode>` https://`<customDomain>`/device/`<clientId>` https://`<customDomain>`/device/`<devicePathId>`?user_code=`<userCode>` https://`<customDomain>`/device/`<devicePathId>` https://`<customDomain>`/device?user_code=`<userCode>` https://`<customDomain>`/device
Yes	No	https://`<customDomain>`/device/`<clientId>`?user_code=`<userCode>` https://`<customDomain>`/device/`<clientId>` https://`<customDomain>`/device?user_code=`<userCode>` https://`<customDomain>`/device
No	Yes	https://auth.pingone.`<region>`/device/`<clientId>`?user_code=`<userCode>` https://auth.pingone.`<region>`/device/`<clientId>` https://auth.pingone.`<region>`/device/`<devicePathId>`?user_code=`<userCode>` https://auth.pingone.`<region>`/device/`<devicePathId>` https://auth.pingone.`<region>`/device?user_code=`<userCode>` https://auth.pingone.`<region>`/device
No	No	https://auth.pingone.`<region>`/device/`<clientId>`?user_code=`<userCode>` https://auth.pingone.`<region>`/device/`<clientId>` https://auth.pingone.`<region>`/device?user_code=`<userCode>` https://auth.pingone.`<region>`/device

Note:

The clientId path is safer because that value does not change (devicePathId can change). In addition, a redirect to /device without a clientId or devicePathId is not recommended because the application's configured sign-on policy can't be used. However, if you use the same Device Custom Verification URI value for two separate applications, then a redirect to /device is needed, and the flow uses the environment's default sign-on policy.

For example, if the custom domain for the environment is set to acme-corporation.com, the Device Custom Verification URI for the application is set to https://acme.com/go, and the client ID for the application is c78dbdd0-cc2c-42fa-b275-486503c30d2b, the workflow is:

The end user enters the short URL, such as https://acme.com/go, in a browser to start the activation flow.
Outside of PingOne, the administrator has configured the following redirect to redirect the browser and start the device authorization flow: https://acme-corporation.com/device/c78dbdd0-cc2c-42fa-b275-486503c30d2b.
In PingOne, the flow redirects to https://acme-corporation.com/signon?flowId=03f3581c-7fee-4bf5-adb1-ed056d31ce91 to start the PingOne flow.

For more information about configuring your device authorization application, see Editing an application - Device authorization.