OAuth 2.0 Single Sign-On use case
We have a need to implement single sign-on using PingFederate (broker or access token provider). Behind the scenes, Ping would contact Okta; basically, Okta is configured as a federated IdP within PingFederate. The authentication has to happen through OAuth 2.0 standards. We are currently running on 7.3.
- First, redirect the user agent to the PING server:
https://api.manheim.com/auth/authorization.oauth2?adaptor=Okta&client_id=<clientid>&response_type=code&scope=openid profile email&redirect_uri=<pega service endpoint>
Upon successful authentication, the redirect will happen to the above Pega service endpoint with the auth code.
- The above Pega service endpoint will then have to invoke the token endpoint to get an access token and an ID token using the auth code.
Request: Token Create (authorization code)
POST https://api.manheim.com/oauth2/token.oauth2
Authorization: Basic base64(<clientId>:<secret>)
api-key: <clientId>
Content-Type: application/x-www-form-urlencoded

code=<auth_code>&grant_type=authorization_code&redirect_uri=<pega service endpoint>
The API response will be like the below:
Content-Type: application/json
{
  "token_type": "Bearer",
  "access_token": "adfasf",
  "refresh_token": "adsfasdfas",
  "id_token": "2342423afsfasdfasd4"
}
The id_token from the response has to be parsed and used to establish the session on the Pega side for the user. To establish the session without authentication (as the authentication happened externally through Okta) using the ID token, I want to know whether we have to embed logic within that service that redirects the user to an auth service/endpoint (after getting the ID token) that will support this (something custom), or whether we have any standard OOB auth service meant to handle the user redirect/login to support such an OAuth 2.0 Authorization Code flow for a use case like the above.
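The three steps above (authorize redirect, code-for-token exchange, id_token checks before a session is created), as an added example that is not part of the original post or of any Pega/PingFederate product code. It assumes the endpoints quoted above, a constructed issuer value and an HS256 shared key standing in for the RS256/JWKS signature check a real PingFederate deployment would require; only the Python standard library is used.

```python
# Added example, not from the original post: authorize redirect, token request with a
# correct Basic header, and id_token checks. Assumption: HS256 stands in for RS256/JWKS.
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

AUTHZ_URL = "https://api.manheim.com/auth/authorization.oauth2"
TOKEN_URL = "https://api.manheim.com/oauth2/token.oauth2"

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def build_authorization_url(client_id, redirect_uri, state, nonce):
    # state ties the callback to this browser session (CSRF check on return);
    # nonce is echoed in the id_token so a replayed token is rejected.
    return AUTHZ_URL + "?" + urlencode({
        "adaptor": "Okta", "client_id": client_id, "response_type": "code",
        "scope": "openid profile email", "redirect_uri": redirect_uri,
        "state": state, "nonce": nonce})

def build_token_request(client_id, client_secret, code, redirect_uri):
    # HTTP Basic carries base64(client_id:client_secret), not the raw pair.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds, "api-key": client_id,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"code": code, "grant_type": "authorization_code",
                      "redirect_uri": redirect_uri})
    return {"url": TOKEN_URL, "headers": headers, "body": body}

def validate_id_token(id_token, key, issuer, client_id, nonce, now=None):
    # Returns the claims when signature, iss, aud, exp and nonce all check out.
    now = int(time.time()) if now is None else now
    h64, p64, s64 = id_token.split(".")
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":  # never trust alg=none
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now or claims.get("nonce") != nonce:
        raise ValueError("expired or nonce mismatch")
    return claims

def make_hs256_token(claims, key):
    # Constructed helper: mints a test id_token so the checks above run offline.
    h = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}." + b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
```

Only after validate_id_token returns should the Pega-side session be created from the claims (e.g. sub or email); a token that fails any check is treated as no login at all.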