OAuth Grant Types – setup guide using the OAuth Playground
OAuth Playground Configuration:
1. Download the OAuth Playground from here: https://www.pingidentity.com/support-and-downloads/
2. Extract and place OAuthPlayground-3.1.0\dist\OAuthPlayground.war within pingfederate\server\default\deploy
3. Access the OAuth Playground by going to https://localhost:9031/OAuthPlayground
4. Click the settings option on the far right and modify the Base URL for your PingFederate server if it is something other than localhost:<port>
5. Access PingFederate
Initial Enablement:
Under Server Settings, check the box for “Enable OAuth 2.0 Authorization Server (AS) role”. Make sure you save your configuration.
The screenshot below is what will appear in the main section of the Administrative console when this feature is enabled:
Configuring different Grant Types (using the OAuthPlayground as an example)
Authorization Code Flow (bare minimum items that are needed):
1. Click Client Management under the OAuth Settings
2. Click Add Client
3. Client ID = ac_client
4. Name = authZ Code Flow
5. Redirection URIs = https://localhost:9031/OAuthPlayground/case1-callback.jsp
6. Check the box for Authorization Code
7. Click Done until you get to Save.
The next step is building out the attribute contract for the OAuth Access Token as a whole.
8. Click Access Token Management under the OAuth Settings
9. Select “Internally Managed Reference Token” under the Access Token Management Plug-in Type. Click Next.
10. The items under Instance Configuration can be left at the default for our initial testing. Click Next.
11. Configure the attribute names that will appear when an Access Token is resolved by a Resource Server. Click Next and then Save on the summary.
The next step is building the authentication Adapter that will work in coordination with the authZ Code Flow.
12. Create an authentication Adapter for the authZ Code Flow if not already done. If not, please refer to http://documentation.pingidentity.com/display/PF66/Creating+an+Adapter+Instance
13. Click on IdP Adapter Mapping under the OAuth Settings and drop down the list of available Adapter instances under “Source Adapter Instance”. Select the appropriate authentication Adapter for the authZ Code Flow.
14. Click “Add Mapping”
15. If additional attributes are needed during the authN process, configure your LDAP/database. Click Next
16. Map USER_KEY and USER_NAME to the appropriate attributes from your LDAP/database. Click Next
17. Configure Issuance Criteria if needed. Click Next
18. Click Done until you get to Save.
19. Click Access Token Mapping under the OAuth Settings
20. Select the just-configured IdP Adapter Instance from the Context drop-down. Click Add Mapping
21. If additional attributes are needed during the Access Token creation process, configure your LDAP/database. Click Next
22. Map the Source values to the names of the attributes that we created in step 11. Click Next.
23. Configure Issuance Criteria if needed. Click Next.
24. Click Done on the summary and Save on the Mappings summary.
You are now ready to test the Authorization Code Flow portion of this use case.
25. Access the OAuth Playground within your browser and click on “Case 1 : Authorization Code”.
26. Click on Request Authorization (/as/authorization.oauth2). I have elected to include an optional parameter of pfidpadapterid because I have multiple adapters configured for OAuth within my PingFederate configuration.
27. You will now be prompted to authenticate by the IdP Adapter instance we created in step 12.
28. Once authenticated properly, you will be prompted to allow the request for information. Click Allow
29. You will then be returned to the OAuth Playground location that we configured in step 5 with the Authorization Code substituted into the “code” text box.
The last portion of this use case is to configure a Resource Server (RS).
30. Under the OAuth Settings, click Client Management
31. Create a Resource Server Client that looks like the following. The client secret is 2Federate
You are now ready to test the whole scenario.
32. Head back to the OAuth Playground and follow steps 25-29
33. Once the above is complete, click the “Request Token” button
34. You will now get a screen that looks like the following; this means that you were able to obtain a successful Access Token. Click “Validate” to resolve to
This screen verifies that you were able to resolve the attributes properly, so you can go about using those attributes for your API call(s).
Implicit Flow (for the Resource Server portion, refer to the above documentation):
1. Click Client Management under the OAuth Settings
2. Click Add Client
3. Client ID = im_client
4. Name = Implicit Flow
5. Redirection URIs = https://localhost:9031/OAuthPlayground/case2-callback.jsp
6. Check the box for “Implicit”
7. Click Done until you get to Save.
The next step is building out the attribute contract for the OAuth Access Token as a whole.
8. Click Access Token Management under the OAuth Settings
9. Select “Internally Managed Reference Token” under the Access Token Management Plug-in Type. Click Next.
10. The items under Instance Configuration can be left at the default for our initial testing. Click Next.
11. Configure the attribute names that will appear when an Access Token is resolved by a Resource Server. Click Next and then Save on the summary.
The next step is building the authentication Adapter that will work in coordination with the Implicit Flow.
12. Create an authentication Adapter for the Implicit Flow if not already done. If not, please refer to http://documentation.pingidentity.com/display/PF66/Creating+an+Adapter+Instance
13. Click on IdP Adapter Mapping under the OAuth Settings and drop down the list of available Adapter instances under “Source Adapter Instance”. Select the appropriate authentication Adapter for the Implicit Flow.
14. Click “Add Mapping”
15. If additional attributes are needed during the authN process, configure your LDAP/database. Click Next
16. Map USER_KEY and USER_NAME to the appropriate attributes from your LDAP/database. Click Next
17. Configure Issuance Criteria if needed. Click Next
18. Click Done until you get to Save.
19. Click Access Token Mapping under the OAuth Settings
20. Select the just-configured IdP Adapter Instance from the Context drop-down. Click Add Mapping
21. If additional attributes are needed during the Access Token creation process, configure your LDAP/database. Click Next
22. Map the Source values to the names of the attributes that we created in step 11. Click Next.
23. Configure Issuance Criteria if needed. Click Next.
24. Click Done on the summary and Save on the Mappings summary.
You are now ready to test the Implicit Flow portion of this use case.
25. Access the OAuth Playground within your browser and click on “Case 2 : Implicit”.
26. Click on Request Authorization (/as/authorization.oauth2). I have elected to include an optional parameter of pfidpadapterid because I have multiple adapters configured for OAuth within my PingFederate configuration.
27. You will now be prompted to authenticate by the IdP Adapter instance we created in step 12.
28. Once authenticated properly, you will be prompted to allow the request for information. Click Allow
29. You will then be returned to the OAuth Playground with an Access Token
30. Click Validate to obtain the attributes (resolving the Access Token against the Resource Server).
This screen verifies that you were able to resolve the attributes properly, so you can go about using those attributes for your API call(s).
Resource Owner Flow (for the Resource Server portion, refer to the above documentation):
1. Click Client Management under the OAuth Settings
2. Click Add Client
3. Client ID = ro_client
4. Name = Resource Owner Flow
5. Redirection URIs = https://localhost:9031/OAuthPlayground/case3-password.jsp
6. Check the box for “Resource Owner Password Credentials”
7. Click Done until you get to Save.
The next step is building out the attribute contract for the OAuth Access Token as a whole.
8. Click Access Token Management under the OAuth Settings
9. Select “Internally Managed Reference Token” under the Access Token Management Plug-in Type. Click Next.
10. The items under Instance Configuration can be left at the default for our initial testing. Click Next.
11. Configure the attribute names that will appear when an Access Token is resolved by a Resource Server. Click Next and then Save on the summary.
The next step is building the authentication process that validates the credentials submitted by the native application against an internally configured LDAP.
12. Create a Password Credential Validator if not already done. If not, please refer to http://documentation.pingidentity.com/display/PF70/Configuring+the+LDAP+Credential+Validator
13. Click on “Resource Owner Credentials Mapping” under the OAuth Settings and drop down the list of available Password Credential Validator instances under “Source Password Validator Instance”. Select the appropriate Source Password Validator Instance for the Resource Owner Flow.
14. Click “Add Mapping”
15. If additional attributes are needed during the authN process, configure your LDAP/database. Click Next
16. Map USER_KEY to the appropriate attribute from your LDAP/database or Password Credential Validator. Click Next
17. Configure Issuance Criteria if needed. Click Next
18. Click Done until you get to Save.
19. Click Access Token Mapping under the OAuth Settings
20. Select the just-configured Password Credential Validator Instance from the Context drop-down. Click Add Mapping
21. If additional attributes are needed during the Access Token creation process, configure your LDAP/database. Click Next
22. Map the Source values to the names of the attributes that we created in step 11. Click Next.
23. Configure Issuance Criteria if needed. Click Next.
24. Click Done on the summary and Save on the Mappings summary.
You are now ready to test the Resource Owner Flow portion of this use case.
25. Access the OAuth Playground within your browser and click on “Case 3 : Resource Owner”.
26. Fill in the information below. joe/Password1 are configured within my Simple Password Credential Validator. Click on the “Request Token” button
27. You will then be returned to the OAuth Playground with an Access Token
28. Click Validate to obtain the attributes (resolving the Access Token against the Resource Server).
This screen verifies that you were able to resolve the attributes properly, so you can go about using those attributes for your API call(s).
Client Credentials Flow (for the Resource Server portion, refer to the above documentation):
1. Click Client Management under the OAuth Settings
2. Click Add Client
3. Client ID = cc_client
4. Input “2Federate” as the Client Secret; in this specific flow a client secret is required
5. Name = Client Credentials Flow
6. Redirection URIs = https://localhost:9031/OAuthPlayground/case4-client-credentials.jsp
7. Check the box for “Client Credentials”
8. Click Done until you get to Save.
You are now ready to test the Client Credentials Flow portion of this use case.
9. Access the OAuth Playground within your browser and click on “Case 4 : Client Credentials”.
10. The OAuth Playground should present you with a screen that looks like this (the client secret matches what we entered in the PingFederate Client Management section for cc_client):
11. Click the “Request Token” button. You will then be returned to the OAuth Playground with an Access Token
12. Click “Validate” to obtain the attributes (resolving the Access Token against the Resource Server).
This screen verifies that you were able to resolve the Access Token to a valid response, so you can go about using that validation for your API call(s).
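The following is an added Python example, not part of this guide or of Ping Identity's code, that builds and checks the messages behind the four Playground cases above: the front-channel authorization request and callback for Case 1 (code in the query string) and Case 2 (token in the URL fragment), and the back-channel token requests for Cases 1, 3 and 4 plus the Resource Server's Validate step. Client IDs, redirect URIs, the joe/Password1 account and the 2Federate secret are the guide's values; the validate_bearer grant URN is assumed from PingFederate's Resource Server validation and pfidpadapterid is the optional parameter the guide mentions.

```python
import base64
from urllib.parse import urlencode, urlsplit, parse_qs

PF_BASE = "https://localhost:9031"                  # PingFederate AS used throughout the guide
AUTHZ_URL = PF_BASE + "/as/authorization.oauth2"
TOKEN_URL = PF_BASE + "/as/token.oauth2"
VALIDATE_GRANT = "urn:pingidentity.com:oauth2:grant_type:validate_bearer"  # assumed RS grant URN

def authorization_url(client_id, redirect_uri, state, response_type="code", adapter_id=None):
    # Front channel: response_type "code" (Case 1) or "token" (Case 2, Implicit).
    # state is a fresh random value per request; the client checks it on return.
    params = {"client_id": client_id, "response_type": response_type,
              "redirect_uri": redirect_uri, "state": state}
    if adapter_id:                                  # optional pfidpadapterid, as in the guide
        params["pfidpadapterid"] = adapter_id
    return AUTHZ_URL + "?" + urlencode(params)

def parse_callback(url, redirect_uri, expected_state):
    # Code flow returns ?code=... in the query; Implicit returns #access_token=... in the
    # fragment, which never reaches the server but is readable by any script on that page.
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != redirect_uri:
        raise ValueError("redirect to an unexpected URI")
    data = parse_qs(parts.fragment or parts.query)
    if "error" in data:
        raise ValueError("AS error: " + data["error"][0])
    if data.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: reject the response")
    if "access_token" in data:                      # Implicit: token delivered directly
        return {"access_token": data["access_token"][0]}
    return {"code": data["code"][0]}                # Code flow: exchange it on the back channel

def token_request(grant, client_id, client_secret=None, **p):
    # Back-channel POST to the token endpoint for each grant the guide configures;
    # returns (url, headers, form body) so it can be sent with any HTTP client.
    bodies = {
        "authorization_code": {"code": p.get("code"), "redirect_uri": p.get("redirect_uri")},
        "password": {"username": p.get("username"), "password": p.get("password")},
        "client_credentials": {},
        "validate_bearer": {"token": p.get("token")},   # RS client resolving a reference token
    }
    body = {"grant_type": VALIDATE_GRANT if grant == "validate_bearer" else grant, **bodies[grant]}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:                               # confidential client (cc_client, RS): HTTP Basic
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    else:                                           # public client (ac_client, ro_client): id in body
        body["client_id"] = client_id
    return TOKEN_URL, headers, urlencode(body)
```

The callback check enforces the three things the Playground does for you silently: the redirect lands on the registered URI, the state matches the request that started the flow, and an error response is never mistaken for a code.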