Creating a native app - PingOne - PingOne Cloud Platform


In this example, you'll configure a full flow, accessing and authenticating an OpenID Connect (OIDC) mobile app.

Creating a native app using the admin console

  1. Go to Applications > Applications.
  2. Click the + icon.

    The Add Application panel opens.

  3. Enter an appropriate Application Name and a Description.

    For example, Getting Started Native App.

  4. In the Choose Application type section, click Native.
  5. Click Save.

    The details panel opens. Applications are granted OAuth scopes so that they can access PingOne platform resources.

  6. On the Configuration tab, click the Pencil icon.
  7. In the Redirect URIs field, enter your mobile application's redirect URL.

    For example, http://localhost.

  8. Click Save.
  9. To grant access to your application, go to the Access tab and click the Pencil icon.
  10. Click + to select the appropriate groups.
  11. Click Save.
  12. On the Resources tab, click the Pencil icon.
  13. In the Search Scopes field, enter profile.
    Note:

    This filters the list of resource types, so that only the OpenID profile scope remains visible in the scopes selection list.

  14. On the Profile Scope tab, click the + icon or drag it to the Allowed Scope column.
  15. Click Save.
  16. To map your PingOne user-defined attributes to your corresponding application attributes, on the Attribute Mappings tab, click the Pencil icon.
  17. Click + Add and complete the Attributes and corresponding PingOne Mappings fields.
  18. Click Save.
  19. At the top right of the web application's profile, click the toggle to enable it.
    Note:

    Your new native app appears on the Applications page.

Applying the MFA-only policy

Creating a native app using the API

Application developers can use the API operations to create a native app.

  • Use the access token generated through the worker app and the following POST operation:
    POST https://api.pingone.com/v1/environments/{{envId}}/applications
    {   
        "enabled": true,
        "name": "NativeApp",
        "description": "Mobile App",
        "type": "NATIVE_APP",
        "protocol": "OPENID_CONNECT",
        "grantTypes": [
            "AUTHORIZATION_CODE"
        ],
        "redirectUris": [
           "pingonesdk://sample"
        ],
        "responseTypes": [
            "CODE"
        ],
        "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC"
    }
  • To grant access to the web app and at least one scope in the system, you first must get the resource and scope IDs by using the following GET operation:
    GET https://api.pingone.com/v1/environments/{{envId}}/resources?expand=scopes

    For details, see GET: Step 3: Get the list of resources and GET: Step 4: Get all scopes in the API reference.

  • To create grants, use the following POST operation:
    POST https://api.pingone.com/v1/environments/{{envId}}/applications/{{webAppId}}/grants

    For details, see POST: Step 5: Create the application’s resource access grant in the API reference.

  • To create push credentials, use the corresponding POST operation for your mobile operating system:
    • For an Android app:
      POST https://api.pingone.com/v1/environments/{{envId}}/applications/{{nativeAppId}}/pushCredentials
      {   
        "type": "FCM",
        "key": "{{fcmServerKey}}"
      }
      
    • For an iOS app:
      POST https://api.pingone.com/v1/environments/{{envId}}/applications/{{nativeAppId}}/pushCredentials
      {   
        "type": "APNS",
        "key": "{{appleKey}}",
        "teamId": "{{appleTeamId}}",
        "token": "-----BEGIN PRIVATE KEY-----\n{{appleToken}}\n-----END PRIVATE KEY-----"
      }
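
The following is an added example, not part of the PingOne documentation or SDK: a pre-flight check that lints an application request body like the one shown above before it is sent to the applications endpoint. The function names and the two extra redirect URIs in the sample are constructed for illustration, and the rules follow RFC 8252 guidance for native apps rather than PingOne's own server-side validation.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the request body from this page plus two weak redirect URIs.
SAMPLE_APP = {
    "name": "NativeApp",
    "type": "NATIVE_APP",
    "protocol": "OPENID_CONNECT",
    "grantTypes": ["AUTHORIZATION_CODE"],
    "redirectUris": ["pingonesdk://sample", "http://app.example.com/cb", "pingonesdk://*"],
    "responseTypes": ["CODE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
}

def check_redirect_uri(uri):
    """Return findings for one native-app redirect URI (RFC 8252 section 7)."""
    parts = urlsplit(uri)
    findings = []
    if not parts.scheme:
        findings.append("not an absolute URI")
    if "*" in uri:
        findings.append("wildcard")
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        findings.append("plain http to non-loopback host")
    if parts.fragment:
        findings.append("contains a fragment")
    return findings

def check_native_app(body):
    """Return (field, message) findings for an application request body."""
    findings = []
    uris = body.get("redirectUris", [])
    if not uris:
        findings.append(("redirectUris", "no redirect URI registered"))
    for uri in uris:
        findings += [("redirectUris", f"{uri}: {m}") for m in check_redirect_uri(uri)]
    has_grant = "AUTHORIZATION_CODE" in body.get("grantTypes", [])
    has_code = "CODE" in body.get("responseTypes", [])
    if has_grant != has_code:  # OAuth consistency check, not a PingOne rule
        findings.append(("responseTypes", "code grant and code response type do not match"))
    secret_auth = str(body.get("tokenEndpointAuthMethod", "")).startswith("CLIENT_SECRET")
    if body.get("type") == "NATIVE_APP" and secret_auth:
        findings.append(("tokenEndpointAuthMethod", "client secret would ship inside the app binary"))
    return findings

if __name__ == "__main__":
    for field, message in check_native_app(SAMPLE_APP):
        print(f"{field}: {message}")
```

The last finding reflects RFC 8252 section 8.5: a secret embedded in an app distributed to many devices can be extracted and should not be relied on to authenticate the client.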

Apply the MFA-only policy