This sample is intended to give developers a bird's-eye view of a popular authentication protocol, OIDC, and of some of the PingOne for Customers (P14C) Authentication and Management API services that let you manage your organization's users and applications and, of course, authenticate and authorize those users.
It walks through flows such as registering a new user, updating a user's password (by the logged-in user or by the application itself), and recovering a forgotten password.
A tutorial video detailing the implementation of this sample application is available on YouTube: https://youtu.be/PbtvtXv3ZnE
- Add the P14C `spring-boot-sdk` artifact to your `pom.xml`:

  ```xml
  <dependency>
    <groupId>com.pingidentity.samples</groupId>
    <artifactId>spring-boot-sdk</artifactId>
    <version>${sdk.version}</version>
  </dependency>
  ```

  You may also want to add `spring-boot-devtools` to make development a little more pleasant. Since the sample uses the Thymeleaf template engine, the `spring.thymeleaf.cache` property is worth knowing as well: it controls whether compiled templates are cached (the default) so that template files are not re-parsed on every request; set it to `false` during development to pick up template changes without a restart.
- Until the `spring-boot-sdk` jar stops being served from GitHub through the GitHub Maven plugins (not expected before at least October 2019), please add this server configuration to your Maven `settings.xml`:

  ```xml
  <server>
    <id>github</id>
    <password>OAUTH2TOKEN</password>
  </server>
  ```

  where `OAUTH2TOKEN` is a personal access token you need to create (unless you already have one); a token is required if your GitHub account uses two-factor authentication. Otherwise, in the simple user:password case:

  ```xml
  <server>
    <id>github</id>
    <username>GitHubLogin</username>
    <password>GitHubPassw0rd</password>
  </server>
  ```

  Either way the value is a credential stored in plaintext in your home directory: give the token the smallest scope that can read the repository, and consider Maven's password encryption (`mvn --encrypt-master-password` plus `mvn --encrypt-password`) instead of a literal value. Please also don't forget to export `OAUTH2TOKEN` as an environment variable (if you are using a token) to prevent login failures:

  ```shell
  export GITHUB_OAUTH_TOKEN={OAUTH2TOKEN}
  ```
- Create two applications in the P14C admin console with the following configuration:

  - A Worker application with the default options. Note that a Worker application inherits the same roles as the user who creates it, which is usually far more than the sample needs; these roles can be edited after the application is created, so trim them down to what the Management API calls listed below require.
  - A Native, Single Page or Web application (Authorization Code or Implicit grant type) with the following list of OIDC and PingOne platform scopes:
    - OIDC: `openid`, `profile`, `phone`, `email`, `address`
    - PingOne: `p1:reset:userPassword`, `p1:set:env:userPassword`, so that the user can change their own password

  Most PingOne platform scopes are self-explanatory, but if you need more details about them please check the "Configure access through scopes" part of the PingOne documentation.

- Enable both applications in the P14C admin console.
- Configure the Spring application configuration file `application.yml` by replacing all `<...>` placeholders with the following information:

  - `<environment_id>` with your environment ID
  - Worker application configuration under the `oauth2.client` path, copying the values over from the corresponding application in the P14C admin console:
    - `<client_credentials_client_id>` with your client ID (the `client-id` variable)
    - `<client_credentials_client_secret>` with your client secret (the `client-secret` variable)
  - Native (Single Page or Web) application configuration under the `spring.security.oauth2.client` path:
    - `<authorization_code_client_id>` with your client ID (the `clientId` variable)
    - `<authorization_code_client_client_credentials_client_secret>` with your client secret (the `clientSecret` variable)

  Treat both client secrets as credentials: do not commit a filled-in `application.yml` to source control.
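As an added illustration (not the sample's own `application.yml`, whose exact keys may differ), this is how the placeholders above can be wired to environment variables so that no client secret lands in source control. The key paths under `spring.security.oauth2.client` are the standard Spring Security ones and the `oauth2.client` path is the worker-application path named above; the `p14c.environment-id` key, the `pingone` registration name and the `auth.pingone.com` host are assumptions:

```yaml
# Illustrative layout, not the sample's file. Every secret is read from the environment;
# never paste a literal secret from the admin console here (e.g. client-secret: 3f9...).
p14c:
  environment-id: ${P14C_ENVIRONMENT_ID}          # assumed key name

# Worker application (client_credentials): used for the Management API calls
oauth2:
  client:
    client-id: ${P14C_WORKER_CLIENT_ID}
    client-secret: ${P14C_WORKER_CLIENT_SECRET}
    authorization-grant-type: client_credentials

# Native/Web application (authorization_code): used for end-user login
spring:
  security:
    oauth2:
      client:
        registration:
          pingone:                                  # assumed registration name
            client-id: ${P14C_WEB_CLIENT_ID}
            client-secret: ${P14C_WEB_CLIENT_SECRET}
            authorization-grant-type: authorization_code
            scope: openid,profile,phone,email,address,p1:reset:userPassword,p1:set:env:userPassword
        provider:
          pingone:
            # assumed host; the page lists only the /{environmentId}/as/... paths
            issuer-uri: https://auth.pingone.com/${P14C_ENVIRONMENT_ID}/as
```

With `issuer-uri` set, Spring Security fetches `/.well-known/openid-configuration` itself and derives the authorize, token and userinfo endpoints from it, so none of them needs to be spelled out by hand.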
Endpoint | Description |
---|---|
`GET/POST /{environmentId}/as/authorize` | Authorization request for the authorization code grant (Spring Security calls it under the hood). The sample sends the `prompt=login` parameter by default, so the user is always asked to authenticate |
`POST /{environmentId}/as/token` | Obtain an access token by presenting the authorization grant (Spring Security calls it under the hood) |
`GET /{environmentId}/as/.well-known/openid-configuration` | Get the OpenID Connect provider metadata document for the issuer (Spring Security calls it under the hood) |
`GET /{environmentId}/as/userinfo` | Get the token claims about the authenticated end user (used for the "Show User Information" button) |
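To make the first two rows concrete, here is an added Python illustration of what an authorization-code request to `/as/authorize` carries and what must be checked when the browser comes back before anything is sent to `/as/token`. It is not the sample's code (Spring Security does this for the sample); the `auth.pingone.com` host, the PKCE parameters (which the page does not mention) and all IDs and URIs are assumptions:

```python
"""Authorization-code request and callback handling against the /as endpoints above.

Illustrative code added to this page, not part of the sample. Assumptions: the
auth.pingone.com host, the PKCE extension, and every placeholder ID/URI used.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_HOST = "https://auth.pingone.com"  # assumed base URL; the page lists only paths


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding OAuth/PKCE values use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge (RFC 7636) derived from the code verifier."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_authorization_request(environment_id, client_id, redirect_uri, scopes, prompt="login"):
    """Build the /as/authorize redirect URL.

    Returns (url, pending): `pending` holds the state, nonce and code_verifier that must
    stay server-side (e.g. in the HTTP session) until the callback arrives.
    prompt=login is what the sample sends so the user always re-authenticates.
    """
    pending = {
        "state": b64url(secrets.token_bytes(32)),   # CSRF binding for the callback
        "nonce": b64url(secrets.token_bytes(32)),   # must reappear in the ID token
        "code_verifier": b64url(secrets.token_bytes(32)),
        "redirect_uri": redirect_uri,
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": pending["state"],
        "nonce": pending["nonce"],
        "prompt": prompt,
        "code_challenge": pkce_challenge(pending["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_HOST}/{environment_id}/as/authorize?{urlencode(params)}", pending


def parse_callback(callback_url, pending):
    """Validate the redirect back from /as/authorize.

    Returns the form body for POST /as/token (client authentication goes in the
    Authorization header, not in the body) or raises ValueError. A state mismatch
    must never lead to a token exchange.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}: "
                         f"{query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: possible CSRF or a stale login attempt")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": pending["redirect_uri"],
        "code_verifier": pending["code_verifier"],
    }
```

After the token response arrives, the `nonce` kept in `pending` must also be compared with the `nonce` claim of the ID token; that check is where an injected token from another login attempt is caught.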
Service Name | Endpoint | Description |
---|---|---|
Populations | `GET /environments/{environmentId}/populations` | Get all populations, to pick one for a new user registration |
Password policies | `GET /environments/{environmentId}/passwordPolicies` | Get all password policies for the environment in order to find the default one. It is used for password verification on the client side (a usability check only; the server still enforces the policy on every password update) |
User password management | `PUT /environments/{environmentId}/users/{userId}/password` | Update a password: self-change password update by the logged-in user, and administrative-change reset of a user's password |
User password management | `POST /environments/{environmentId}/users/{userId}/password` | Recover a forgotten password |
Users | `GET /environments/{environmentId}/users?filter=name.family%20eq%20%22Smith%22%20and%20name.given%20sw%20%22W%22` | Find a user by name or email (the example filter decodes to `name.family eq "Smith" and name.given sw "W"`) in order to use the user's ID in later calls. Never interpolate raw user input into the filter expression |
Users | `POST /environments/{environmentId}/users` | Create a new user |
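Two rows of this table benefit from a worked illustration: the client-side password verification built on the password-policy response, and the user lookup filter. The Python below is an added example, not the sample's code; the policy document is constructed to mirror the shape of the `passwordPolicies` collection (the field names, including `_embedded`, and the reading of `maxRepeatedCharacters` as a run of one character are assumptions), and the filter builder refuses rather than escapes because the page documents no escaping rules for the filter grammar:

```python
"""Client-side checks built on the Management API responses in the table above.

Added example, not the sample's code. The policy document is constructed; the
server still enforces the real policy on every PUT .../password, so a clean result
here only means the user will not be surprised by a rejected request.
"""
import json
from urllib.parse import quote

# Constructed sample of the collection response, trimmed to the fields checked below.
PASSWORD_POLICIES_JSON = json.dumps({
    "_embedded": {
        "passwordPolicies": [
            {"name": "Basic", "default": False, "length": {"min": 6, "max": 255}},
            {
                "name": "Standard",
                "default": True,
                "length": {"min": 8, "max": 255},
                "minCharacters": {
                    "abcdefghijklmnopqrstuvwxyz": 1,
                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ": 1,
                    "0123456789": 1,
                    "~!@#$%^&*()-_=+[]{}|;:,.<>/?": 1,
                },
                "maxRepeatedCharacters": 2,
                "minUniqueCharacters": 5,
                "excludesProfileData": True,
            },
        ]
    }
})


def default_policy(collection_json: str) -> dict:
    """Pick the policy flagged default=true out of the collection response."""
    policies = json.loads(collection_json)["_embedded"]["passwordPolicies"]
    return next(p for p in policies if p.get("default"))


def _longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    longest = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


def check_password(candidate: str, policy: dict, profile=None) -> list:
    """Return the policy rules the candidate violates (empty list = acceptable).

    profile: values such as username, given and family name that the password must
    not contain when the policy sets excludesProfileData.
    """
    failures = []
    length = policy.get("length", {})
    if len(candidate) < length.get("min", 0):
        failures.append("length.min")
    if "max" in length and len(candidate) > length["max"]:
        failures.append("length.max")
    for charset, minimum in policy.get("minCharacters", {}).items():
        if sum(ch in charset for ch in candidate) < minimum:
            failures.append(f"minCharacters:{charset}")
    # Assumption: maxRepeatedCharacters bounds a run of the same consecutive character.
    if "maxRepeatedCharacters" in policy and _longest_run(candidate) > policy["maxRepeatedCharacters"]:
        failures.append("maxRepeatedCharacters")
    if len(set(candidate)) < policy.get("minUniqueCharacters", 0):
        failures.append("minUniqueCharacters")
    if policy.get("excludesProfileData") and profile:
        lowered = candidate.lower()
        if any(v and v.lower() in lowered for v in profile.values()):
            failures.append("excludesProfileData")
    return failures


def user_filter(family_name: str, given_prefix: str) -> str:
    """Filter expression for GET /environments/{environmentId}/users?filter=...

    Values that could close the quoted literal and inject operators are refused
    outright instead of escaped, since the escaping rules are not documented here.
    """
    for value in (family_name, given_prefix):
        if '"' in value or "\\" in value:
            raise ValueError("name contains characters not allowed in a filter literal")
    return f'name.family eq "{family_name}" and name.given sw "{given_prefix}"'


def users_query_string(family_name: str, given_prefix: str) -> str:
    """URL-encode the filter exactly as it appears in the endpoint table above."""
    return "filter=" + quote(user_filter(family_name, given_prefix), safe="")
```

Run the policy check before calling `PUT .../users/{userId}/password` to give immediate feedback, but still handle a 400 from the server: the environment's policy may carry rules (history, similarity to the current password) that cannot be evaluated on the client.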
`application.yml`

- `authorizationGrantType` or `authorization-grant-type`: OAuth 2.0 defines four authorization grant types, but the Spring Security version this sample builds on supports only three of them for client registrations: `authorization_code`, `implicit` and `client_credentials`. Prefer `authorization_code` for the user-facing application; `implicit` delivers tokens in the browser URL fragment and is no longer recommended for new applications.

`pom.xml`

- `spring-boot-devtools`: a set of tools that make the application development experience a little more pleasant.
- `spring-boot-sdk`: the PingOne for Customers Spring Boot SDK, temporarily stored in GitHub raw.