Interactive user sign-on
Interactive sign-on authenticates a human user against configured services using OAuth 2.0. Two grant types are available; choose based on whether a browser is accessible in the environment.
Benefits for administrators
Administrators can configure interactive user sign-on as the authentication method for CLI users to promote accountability and auditability. When users authenticate interactively, all configuration changes made through Ping CLI are audited against the individual user’s account. This creates a clear audit trail linking each change to the specific person who made it, essential for compliance and governance.
In contrast, client credentials authentication (service account or static credential) cannot attribute changes to individual users; all activity appears under a shared service account identity, obscuring who performed specific actions. Interactive sign-on ensures that every CLI-driven configuration change is traceable to a named user, supporting your organization’s accountability requirements.
Authorization code
The authorization code flow opens a browser to complete sign-on. Ping CLI starts a local listener, redirects the browser to the service’s authorization endpoint, and exchanges the returned code for tokens.
Use the authorization code flow when:
- You are working on a developer workstation with a local browser.
- The service is configured with a redirect URI pointing to localhost.
Device code
The device code flow does not require a browser on the machine running Ping CLI. Instead, the CLI displays a short code and a URL. You open the URL on any device with a browser (such as your phone or another computer), enter the code, and complete sign-on there. After confirmation, Ping CLI automatically receives tokens.
Use the device code flow when:
- You are working over SSH or in a remote terminal without a browser.
- You are running Ping CLI in a headless server environment where interactive sessions are still user-initiated.
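In the OAuth 2.0 device authorization grant (RFC 8628), the client receives tokens by polling the token endpoint while the user signs on elsewhere. The sketch below is an added example, not Ping CLI's own code; `poll_for_tokens`, the `post_token` callable and the constructed responses in `simulate` are assumptions made for illustration.

```python
import time

class DeviceFlowError(Exception):
    """Terminal failure of the device authorization grant."""

def poll_for_tokens(post_token, device_code, interval=5, expires_in=600,
                    sleep=time.sleep, now=time.monotonic):
    """Poll until the user approves, denies, or the device code expires.

    post_token(form) is an assumed callable that POSTs the form to the
    token endpoint and returns the decoded JSON body as a dict.
    """
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
        "device_code": device_code,
    }
    deadline = now() + expires_in
    while now() < deadline:
        sleep(interval)              # wait first; never poll faster than told
        body = post_token(form)
        if "access_token" in body:
            return body              # sign-on was completed on the other device
        err = body.get("error")
        if err == "authorization_pending":
            continue                 # user has not finished yet
        if err == "slow_down":
            interval += 5            # RFC 8628 section 3.5: back off by 5 seconds
            continue
        # access_denied, expired_token or anything unexpected: stop, do not retry
        raise DeviceFlowError(err or "malformed token response")
    raise DeviceFlowError("expired_token")

def simulate():
    """Run the poller against a constructed sequence of token responses."""
    responses = iter([
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"error": "authorization_pending"},
        {"access_token": "constructed-token", "token_type": "Bearer"},
    ])
    clock = {"t": 0.0}
    waits = []
    def fake_sleep(seconds):         # records each wait instead of sleeping
        waits.append(seconds)
        clock["t"] += seconds
    tokens = poll_for_tokens(lambda form: next(responses), "constructed-device-code",
                             sleep=fake_sleep, now=lambda: clock["t"])
    return tokens, waits

if __name__ == "__main__":
    print(simulate())
```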
Multi-factor authentication
When the authorization code flow or the device code flow is used for interactive login, administrators can require users to complete multi-factor authentication (MFA) when signing on to the CLI.
PingOne enforces mandatory MFA for all administrator accounts. This requirement is applied by PingOne and cannot be disabled, and applies to both the authorization code and device code flows. Administrators who authenticate through an external identity provider (IdP) satisfy this requirement through that provider’s MFA configuration instead.
Running authentication commands
Platform-level login
Authenticate to all configured services at once:
pingcli auth login
Ping CLI authenticates to each configured service in turn using the authentication type defined in the active profile. For authorization code, a browser window opens. For device code, a code and URL are displayed on the terminal.
Token storage
Ping CLI stores authentication tokens according to the auth.storage.type configuration key:
| Storage type | Description |
|---|---|
| | Tokens are stored in the operating system’s native secure storage (macOS Keychain, Windows Credential Manager, or equivalent on Linux). Recommended for workstation use. |
| | Can be used where the operating system’s native secure storage is not available. Tokens are stored locally. Do not use in production or shared environments. |
| | Tokens are not persisted. Authentication must be completed before each CLI session. Useful in ephemeral CI/CD environments where tokens are generated fresh for each run. |
To configure the storage type:
pingcli config set "auth.storage.type=secure_local"