Ping SDKs

Register OAuth 2.0 clients in AM

Applies to:

  • Ping SDK for Android

  • Ping SDK for iOS

  • Ping SDK for JavaScript

The OAuth 2.0 client profile defines how an application connects to PingAM to obtain OAuth 2.0 tokens.

To allow the SDKs to connect to AM and obtain OAuth 2.0 tokens, you must register an OAuth 2.0 client application.

There are two types of OAuth 2.0 client:

Public client

Public clients do not use a client secret to obtain tokens because they are unable to keep one hidden. The Ping SDKs commonly use this type of client to obtain tokens, as they cannot guarantee safekeeping of the client credentials in a browser or on a mobile device.

Confidential client

Confidential clients are able to store credentials securely and are commonly used for server-to-server communication.

Only the following tutorials and integrations require a confidential client:

Register a public OAuth 2.0 client

To register a public OAuth 2.0 client application for use with the SDKs in AM, follow these steps:

  1. Log in to the PingAM admin UI as an administrator.

  2. Navigate to Applications > OAuth 2.0 > Clients, and then click Add Client.

  3. In Client ID, enter sdkPublicClient.

  4. Leave Client secret empty.

  5. In Redirection URIs, enter the following values:

    https://sdkapp.example.com:8443/callback

    https://com.example.reactnative.todo/callback

    https://com.example.flutter.todo/callback

    https://localhost:8443/callback.html

    org.forgerock.demo://oauth2redirect

    The Ping SDK for JavaScript attempts to load the redirect page to capture the OAuth 2.0 code and state query parameters that the server appended to the redirect URL.

    If the page you redirect to does not exist, takes a long time to load, or runs any JavaScript, you might get a timeout, delayed authentication, or unexpected errors.

    To ensure the best user experience, we highly recommend that you redirect to a static HTML page with minimal HTML and no JavaScript when obtaining OAuth 2.0 tokens.

    Also add any other domains where you will be hosting SDK applications.

  6. In Scopes, enter the following values:

    openid profile email address

  7. Click Create.

    PingAM creates the new OAuth 2.0 client, and displays the properties for further configuration.

  8. On the Core tab:

    1. In Client type, select Public.

    2. Disable Allow wildcard ports in redirect URIs.

    3. Click Save Changes.

  9. On the Advanced tab:

    1. In Grant Types, enter the following values:

      Authorization Code
      Refresh Token

    2. In Token Endpoint Authentication Method, select None.

    3. Enable the Implied consent property.

  10. Click Save Changes.
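Added example, not code from the Ping SDKs or this guide: the authorization request a public client built with the values registered above sends to AM, and the checks the minimal redirect page described in step 5 needs to perform on the callback. It assumes AM's authorization endpoint is at <baseUrl>/oauth2/authorize; the constants mirror the Client ID, redirect URI and scopes entered in steps 3, 5 and 6.

```javascript
// Added example, not code from the Ping SDKs or this guide. It shows the two
// ends of the flow that the public client registered above takes part in:
// building the authorization request, and checking the callback that AM
// redirects to. Assumption: AM's authorization endpoint is <baseUrl>/oauth2/authorize.

const CLIENT_ID = "sdkPublicClient";                         // Client ID from step 3
const REDIRECT_URI = "https://localhost:8443/callback.html"; // one of the registered URIs from step 5
const SCOPE = "openid profile email address";                // scopes from step 6

// Authorization Code grant with no client secret (token endpoint auth "None").
// `state` is a random value the app stores (e.g. in sessionStorage) before redirecting.
function buildAuthorizeUrl(baseUrl, state) {
  const base = baseUrl.endsWith("/") ? baseUrl : baseUrl + "/";
  const url = new URL("oauth2/authorize", base);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("scope", SCOPE);
  url.searchParams.set("state", state);
  return url.toString();
}

// What the minimal static redirect page must do: read `code` and `state`,
// and refuse the response unless it arrived on the registered redirect URI
// (exact match, no wildcard ports) and carries the state this app generated;
// a state mismatch means the response was not produced for a request this
// client started, so the code must not be exchanged for tokens.
function parseCallback(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  if (url.origin + url.pathname !== REDIRECT_URI) {
    return { ok: false, reason: "unexpected redirect URI" };
  }
  if (url.searchParams.has("error")) {
    return { ok: false, reason: url.searchParams.get("error") };
  }
  const code = url.searchParams.get("code");
  const state = url.searchParams.get("state");
  if (!code || !state) {
    return { ok: false, reason: "missing code or state" };
  }
  if (state !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  return { ok: true, code };
}
```

The returned `code` is what the client then exchanges at the token endpoint; because the client is public, that exchange carries no client secret.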

Register a confidential OAuth 2.0 client

The following tutorials and integrations require a confidential client:

To register a confidential OAuth 2.0 client application for use with the SDKs in AM, follow these steps:

  1. Log in to the PingAM admin UI as an administrator.

  2. Navigate to Applications > OAuth 2.0 > Clients, and then click Add Client.

  3. In Client ID, enter sdkConfidentialClient.

  4. In Client Secret, enter a strong password and make a note of it for later use.

    The client secret is not available to view after this step.

    If you forget it, you must reset the secret and reconfigure any connected clients.

  5. In Default Scopes, enter am-introspect-all-tokens.

    PingAM creates the new OAuth 2.0 client and displays the properties for further configuration.

  6. On the Advanced tab:

    1. Enable the Implied consent property.

  7. Click Save Changes.