OAuth Grant Types using the OAuth PlayGround (1) (PDF, converted from Microsoft Word - OAuth Grant Types using the OAuth PlayGround (1).docx). Author: Pam Dingle. Created Date: 5/21/2014 8:08:57


OAuth Grant Types – setup guide using the OAuth Playground

OAuth Playground Configuration:

1. Download the OAuth Playground from here: https://www.pingidentity.com/support-and-downloads/
2. Extract and place OAuthPlayground-3.1.0\dist\OAuthPlayground.war within pingfederate\server\default\deploy
3. Access the OAuth Playground by going to https://localhost:9031/OAuthPlayground
4. Click the settings option on the far right and modify the Base URL for your PingFederate server if it is something other than localhost:<port>
5. Access PingFederate

   

Initial Enablement:

Under Server Settings, check the box for “Enable OAuth 2.0 Authorization Server (AS) role”. Make sure you save your configuration.

The screenshot below is what will appear in the main section of the Administrative console when this feature is enabled:

Configuring different Grant Types (using the OAuthPlayground as an example)

Authorization Code Flow (bare minimum items that are needed):

1. Click Client Management under the OAuth Settings
2. Click Add Client
3. Client ID = ac_client
4. Name = authZ Code Flow
5. Redirection URIs = https://localhost:9031/OAuthPlayground/case1-callback.jsp
6. Check the box for Authorization Code
7. Click Done until you get to Save.

The next step is building out the attribute contract for the OAuth Access Token as a whole.

8. Click Access Token Management under the OAuth Settings
9. Select the “Internally Managed Reference Token” under the Access Token Management Plug-in Type. Click Next.
10. The items under Instance Configuration can be left at the default for our initial testing. Click Next.
11. Configure the attribute names that will appear when an Access Token is resolved by a Resource Server. Click Next and then Save on the summary.

 

The next step is building the authentication Adapter that will work in coordination with the authZ Code Flow.

12. Create an authentication Adapter for the AuthZ Code Flow if not already done. If not, please refer to http://documentation.pingidentity.com/display/PF66/Creating+an+Adapter+Instance
13. Click on IdP Adapter Mapping under the OAuth Settings and drop down the list of available Adapter instances under “Source Adapter Instance”. Select the appropriate authentication Adapter for the authZ Code Flow.
14. Click “Add Mapping”
15. If additional attributes are needed during the authN process, configure your LDAP/database. Click Next
16. Map USER_KEY and USER_NAME to the appropriate attributes from your LDAP/database. Click Next
17. Configure Issuance Criteria if needed. Click Next
18. Click Done until you get to Save.
19. Click Access Token Mapping under the OAuth Settings
20. Select the just-configured IdP Adapter Instance from the Context drop-down. Click Add Mapping

 

21. If additional attributes are needed during the Access Token creation process, configure your LDAP/database. Click Next
22. Map the Source values to the names of the attributes that we created in step 11. Click Next.
23. Configure Issuance Criteria if needed. Click Next.
24. Click Done on the summary and Save on the Mappings summary.

You are now ready to test the Authorization Code Flow portion of this use-case.

25. Access the OAuth Playground within your browser and click on “Case 1 : Authorization Code”.
26. Click on Request Authorization (/as/authorization.oauth2). I have elected to include an optional parameter of pfidpadapterid because I have multiple adapters configured for OAuth within my PingFederate configuration.
27. You will now be prompted to authenticate by the IdP Adapter instance we created in step 12.
28. Once authenticated properly, you will be prompted to allow the requesting of information. Click Allow
29. You will then be returned to the OAuth Playground location that we configured in step 5 with an Authorization Code substituted into the “code” text box.

 

The last portion of this use-case is to configure a Resource Server (RS).

30. Under the OAuth Settings, click Client Management
31. Create a Resource Server Client that looks like the following. The client secret is 2Federate

You are now ready to test the whole scenario.

32. Head back to the OAuth Playground and follow steps 25-29
33. Once the above is complete, click the “Request Token” button
34. You will now get a screen that looks like the following; this means that you were able to obtain a successful Access Token. Click “Validate” to resolve this Access Token for the attributes associated with it. You should receive the following:

This screen verifies that you were able to resolve the attributes properly to go about using those attributes for your API call(s).

Implicit Flow (for the Resource Server portion, refer to the above documentation):

1. Click Client Management under the OAuth Settings
2. Click Add Client
3. Client ID = im_client
4. Name = Implicit Flow
5. Redirection URIs = https://localhost:9031/OAuthPlayground/case2-callback.jsp
6. Check the box for “Implicit”
7. Click Done until you get to Save.

The next step is building out the attribute contract for the OAuth Access Token as a whole.

8. Click Access Token Management under the OAuth Settings
9. Select the “Internally Managed Reference Token” under the Access Token Management Plug-in Type. Click Next.
10. The items under Instance Configuration can be left at the default for our initial testing. Click Next.
11. Configure the attribute names that will appear when an Access Token is resolved by a Resource Server. Click Next and then Save on the summary.

 

The next step is building the authentication Adapter that will work in coordination with the Implicit Flow.

12. Create an authentication Adapter for the Implicit Flow if not already done. If not, please refer to http://documentation.pingidentity.com/display/PF66/Creating+an+Adapter+Instance
13. Click on IdP Adapter Mapping under the OAuth Settings and drop down the list of available Adapter instances under “Source Adapter Instance”. Select the appropriate authentication Adapter for the Implicit Flow.
14. Click “Add Mapping”
15. If additional attributes are needed during the authN process, configure your LDAP/database. Click Next
16. Map USER_KEY and USER_NAME to the appropriate attributes from your LDAP/database. Click Next
17. Configure Issuance Criteria if needed. Click Next
18. Click Done until you get to Save.
19. Click Access Token Mapping under the OAuth Settings
20. Select the just-configured IdP Adapter Instance from the Context drop-down. Click Add Mapping

 

21. If additional attributes are needed during the Access Token creation process, configure your LDAP/database. Click Next
22. Map the Source values to the names of the attributes that we created in step 11. Click Next.
23. Configure Issuance Criteria if needed. Click Next.
24. Click Done on the summary and Save on the Mappings summary.

You are now ready to test the Implicit Flow portion of this use-case.

25. Access the OAuth Playground within your browser and click on “Case 2 : Implicit”.
26. Click on Request Authorization (/as/authorization.oauth2). I have elected to include an optional parameter of pfidpadapterid because I have multiple adapters configured for OAuth within my PingFederate configuration.
27. You will now be prompted to authenticate by the IdP Adapter instance we created in step 12.
28. Once authenticated properly, you will be prompted to allow the requesting of information. Click Allow
29. You will then be returned to the OAuth Playground with an Access Token
30. Click Validate to obtain the attributes (resolving the Access Token against the Resource Server).

This screen verifies that you were able to resolve the attributes properly to go about using those attributes for your API call(s).
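The front-channel exchange behind Case 1 (Authorization Code) and Case 2 (Implicit) above, as an added example that is not part of the original guide or of the OAuth Playground: it builds the request the Playground sends to /as/authorization.oauth2 (including the optional pfidpadapterid from step 26) and parses the redirect back to the callback page, taking the code from the query string in Case 1 or the access token from the URL fragment in Case 2. The state parameter and the check that the callback echoes it are additions the guide does not mention; the base URL is assumed to be the guide's localhost:9031.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed base URL, matching the guide's localhost install.
AUTHZ_ENDPOINT = "https://localhost:9031/as/authorization.oauth2"


def new_state():
    """Fresh random value bound to one authorization request."""
    return secrets.token_urlsafe(16)


def build_authorization_url(client_id, redirect_uri, response_type, state,
                            adapter_id=None):
    """Build the request the Playground sends in step 26 ("code" for Case 1,
    "token" for Case 2). state is an addition to the guide: the callback must
    echo it so the client can reject a redirect it never initiated."""
    params = {
        "client_id": client_id,
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if adapter_id:
        # Optional PingFederate parameter from step 26 that selects the
        # IdP Adapter instance when several are mapped for OAuth.
        params["pfidpadapterid"] = adapter_id
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract what the AS sent back to the Playground callback page.
    Case 1 carries the code in the query string; Case 2 carries the token in
    the fragment, which the browser never sends to the callback's server.
    Returns {"code": ...} or {"access_token": ..., "token_type": ...}."""
    parts = urlsplit(callback_url)
    raw = parts.query or parts.fragment
    fields = {k: v[0] for k, v in parse_qs(raw).items()}
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: not the response to our request")
    if "error" in fields:
        raise ValueError("authorization failed: " + fields["error"])
    if "code" in fields:
        return {"code": fields["code"]}
    if "access_token" in fields:
        return {"access_token": fields["access_token"],
                "token_type": fields.get("token_type", "")}
    raise ValueError("callback carries neither code nor access_token")
```

In Case 1 the returned code is then exchanged at the token endpoint; in Case 2 the token in the fragment is the final result, which is why the Implicit client never holds a client secret.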

Resource Owner Flow (for the Resource Server portion, refer to the above documentation):

1. Click Client Management under the OAuth Settings
2. Click Add Client
3. Client ID = ro_client
4. Name = Resource Owner Flow
5. Redirection URIs = https://localhost:9031/OAuthPlayground/case3-password.jsp
6. Check the box for “Resource Owner Password Credentials”
7. Click Done until you get to Save.

The next step is building out the attribute contract for the OAuth Access Token as a whole.

8. Click Access Token Management under the OAuth Settings
9. Select the “Internally Managed Reference Token” under the Access Token Management Plug-in Type. Click Next.
10. The items under Instance Configuration can be left at the default for our initial testing. Click Next.
11. Configure the attribute names that will appear when an Access Token is resolved by a Resource Server. Click Next and then Save on the summary.

 

The next step is building the authentication process to go against an internally configured LDAP to validate the credentials from the native application.

12. Create a Password Credential Validator if not already done. If not, please refer to http://documentation.pingidentity.com/display/PF70/Configuring+the+LDAP+Credential+Validator
13. Click on “Resource Owner Credentials Mapping” under the OAuth Settings and drop down the list of available Password Credential Validator instances under “Source Password Validator Instance”. Select the appropriate Source Password Validator Instance for the Resource Owner Flow.
14. Click “Add Mapping”
15. If additional attributes are needed during the authN process, configure your LDAP/database. Click Next
16. Map USER_KEY to the appropriate attributes from either your LDAP/database or the Password Credential Validator. Click Next
17. Configure Issuance Criteria if needed. Click Next
18. Click Done until you get to Save.
19. Click Access Token Mapping under the OAuth Settings
20. Select the just-configured Password Credential Validator Instance from the Context drop-down. Click Add Mapping

 

21. If additional attributes are needed during the Access Token creation process, configure your LDAP/database. Click Next
22. Map the Source values to the names of the attributes that we created in step 11. Click Next.
23. Configure Issuance Criteria if needed. Click Next.
24. Click Done on the summary and Save on the Mappings summary.

You are now ready to test the Resource Owner Flow portion of this use-case.

25. Access the OAuth Playground within your browser and click on “Case 3 : Resource Owner”.
26. Fill in the below information. joe/Password1 are configured within my Simple Password Credential Validator. Click on the “Request Token” button
27. You will then be returned to the OAuth Playground with an Access Token
28. Click Validate to obtain the attributes (resolving the Access Token against the Resource Server).

This screen verifies that you were able to resolve the attributes properly to go about using those attributes for your API call(s).

Client Credentials Flow (for the Resource Server portion, refer to the above documentation):

1. Click Client Management under the OAuth Settings
2. Click Add Client
3. Client ID = cc_client
4. Input “2Federate” as the Client Secret, as in this specific flow a client secret is required
5. Name = Client Credentials Flow
6. Redirection URIs = https://localhost:9031/OAuthPlayground/case4-client-credentials.jsp
7. Check the box for “Client Credentials”
8. Click Done until you get to Save.

You are now ready to test the Client Credentials Flow portion of this use-case.

9. Access the OAuth Playground within your browser and click on “Case 4 : Client Credentials”.
10. The OAuth Playground should present you with a screen that looks like this (the client secret matches what we entered into the PingFederate Client Management section for the cc_client):
11. Click the “Request Token” button. You will then be returned to the OAuth Playground with an Access Token
12. Click “Validate” to obtain the attributes (resolving the Access Token against the Resource Server).

This screen verifies that you were able to resolve the Access Token for a valid response to go about using that validation for your API call(s).
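The back-channel token requests behind the Request Token and Validate buttons of Cases 1, 3 and 4, as an added example that is not the guide's or the OAuth Playground's own code: it builds the form body and client authentication for the authorization_code, password and client_credentials grants and parses the JSON reply, refusing to send a grant that needs a secret without one (the reason step 4 of Case 4 makes 2Federate mandatory). The token endpoint path /as/token.oauth2 and the validate_bearer grant type assumed to sit behind Validate are assumptions about PingFederate; confirm them against your version's documentation.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed token endpoint for the guide's localhost install.
TOKEN_ENDPOINT = "https://localhost:9031/as/token.oauth2"
# Assumed PingFederate grant type behind the Playground's Validate button:
# the Resource Server client presents the token and gets its attributes back.
VALIDATE_GRANT = "urn:pingidentity.com:oauth2:grant_type:validate_bearer"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication: the secret goes in a header over
    TLS, never in a URL where it would land in access logs."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(grant_type, client_id, client_secret=None, **params):
    """Return (headers, body) for one of the guide's back-channel grants:
    Case 1: "authorization_code" with code= and redirect_uri=
    Case 3: "password" with username= and password= (step 26, joe/Password1)
    Case 4: "client_credentials" (cc_client, secret 2Federate required)
    Validate: VALIDATE_GRANT with token=, sent by the RS client of step 31."""
    if grant_type in ("client_credentials", VALIDATE_GRANT) and not client_secret:
        raise ValueError(grant_type + " requires a client secret")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": grant_type, **params}
    if client_secret:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        # A public client without a secret identifies itself in the body only.
        form["client_id"] = client_id
    return headers, urlencode(form)


def parse_token_response(body_text):
    """Parse the token endpoint's JSON reply. An "error" member means the
    grant was refused (bad code, wrong password, wrong client secret)."""
    data = json.loads(body_text)
    if "error" in data:
        raise ValueError("token request failed: " + str(data["error"]))
    return data


def post_token_request(headers, body):
    """Send a built request to the live server (needs network access and a
    PingFederate certificate your Python trusts; not used offline)."""
    req = Request(TOKEN_ENDPOINT, data=body.encode(), headers=headers)
    with urlopen(req) as resp:
        return parse_token_response(resp.read().decode())
```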