
willianantunes/ping-identity-auth-playground


Ping Identity Auth Playground

To be defined.

Notes

Callback during the authorization code grant type

When you are on Ping Identity, the callback URL must use HTTPS. Sadly, you won't be able to use plain HTTP for development.

PingOne SSO is so simple that you'll probably need PingFederate

If you go with Try Ping and check PingOne SSO out, you're going to notice many limitations. First, you can change its UI, but only in a limited manner: you are not able to insert a JavaScript script of your own, let's say. In more complicated scenarios where registration needs extra steps (I don't like that, but let's suppose this), you cannot change how PingOne SSO behaves. Another situation is when you'd like to allow your users to authenticate through username, email, and SMS, with the last two being passwordless. This is not supported, sadly. Only PingFederate supports these.

I don't know why, but if you'd like to test PingFederate, you won't be able to do it on Ping Cloud promptly

When you create an environment on Ping Cloud with PingFederate, Ping asks you to run one using Docker, or you can ask the company to deploy it for you on Ping Cloud. Why is it so difficult? I don't know, but you won't be able to run it without a license. You can create a DevOps Account. After you do it, you're going to receive a Compose file, but it has errors. Use this one preferably, and you should be good to go!

If you only need authentication, you will probably need just PingFederate and PingDirectory.

PingFederate has many features, but it does not store users at all; for that, you're going to need a database. PingDirectory is the recommended product provided by them for that, and it's LDAP compliant. So technically, you can use an Azure AD rather than PingDirectory.

{JWKError}Incorrect key type. Expected: 'RSA', Received: EC / Expected: 'oct', Received: EC / Key must be 256 bit for alg A256KW

Using the default configuration from PingFederate and the setup provided by OAuth Playground, I used the App Client ac_oic_client for the Authorization Code grant type, but I got many errors like Expected: 'oct', Received: EC when trying to decode the id_token. To fix it, I followed the document Configure static signing keys in order to create an RSA key type in OAuth & OpenID Connect Keys. Sample pictures to guide you through it:

OIDC configuration made in App Client settings

OIDC Keys settings

How to make SSO work by default

SSO does not work with a fresh version of PingFederate. I was using the OAuth Client ac_oic_client (the one that is automatically created by the OAuth Playground application). In order to make SSO work as expected, I followed this documentation. In the AUTHENTICATION SESSIONS part, you have the checkbox ENABLE AUTHENTICATION SESSIONS FOR ALL SOURCES. Just activate it and SSO will work as expected. PingFederate will still ask you every time for consent to the scopes, even though you consented previously; that is another issue I'm trying to fix/configure properly.

Consent approval is asked all the time

This document explains how the consent approval works. In Configuring Authorization Server Settings, you can enable the option BYPASS AUTHORIZATION FOR PREVIOUSLY APPROVED PERSISTENT GRANTS and then AUTHORIZATION CODE in the REUSE EXISTING PERSISTENT ACCESS GRANTS FOR GRANT TYPES panel. This will make the consent approval flow ask only once.

Links

Projects:

Guides:

Explanations: