PingOne Platform APIs

External OAuth Servers

The PingOne /environments/{{envID}}/externalOAuthServers endpoint provides operations to create, read, update, and delete external OAuth server resources in PingOne.

Refer to Using an external authorization server in PingOne Authorize AAM in the PingOne Admin Guide for more information.

PingOne enforces a limit of 25 External OAuth Servers per environment.

External OAuth server data model

| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| description | String | Optional | Mutable | A description of the External OAuth Server. Maximum length 1024. |
| id | UUID | Required | Immutable | The ID of the External OAuth Server. |
| issuers | Array of Strings | Optional | Mutable | Lists the expected issuer value(s) used by the External OAuth Server. The runtime will expect the value of a bearer token's iss claim to match one of these expected issuer values. Array size must be between 1-8. Array elements must be between 1-1024. |
| name | String | Required | Mutable | The name of the External OAuth Server. Must be unique to the environment. Length must be between 1-256. |
| type | String | Required | Mutable | The type of External OAuth Server. The only accepted value is EXTERNAL, which indicates that the External OAuth Server is not PingOne SSO. |
| validation | Object | Required | Mutable | A container object for fields related to runtime validation of access tokens issued by the External OAuth Server. |
| validation.clockSkewTolerance | Number | Optional | Mutable | Specifies an allowable clock skew tolerance in seconds. When validating certain time-based token claims (nbf, exp), the runtime will tolerate time differences as specified by the value. The value must be zero or a positive integer. The default value is 0. |
| validation.jwks | String | Optional (see description) | Mutable | A JWKS document containing the External OAuth Server's public signing keys. Required if validation.type is JWKS. Must be a valid JWKS per RFC 7517 and not exceed 16kB. |
| validation.jwksUrl | String | Optional (see description) | Mutable | The URL of the External OAuth Server's JWKS endpoint. Required if validation.type is JWKS_URL. Length must be between 1-1024. Must use the HTTPS protocol scheme and satisfy an SSRF risk check. |
| validation.type | String | Required | Mutable | Indicates the validation strategy that will be used by the AAM runtime. Accepts only one of the following values: JWKS_URL, which indicates that the AAM runtime will retrieve JWK signing keys from a JWKS endpoint, or JWKS, which indicates that the AAM runtime will use a set of JWK signing keys from a JWKS stored in the configuration. |
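
A pre-flight check of a create or update request body against the constraints in the data model above. This is an added example, not PingOne code: the function names, the sample body, the reading of 16kB as 16384 bytes, and the private-key check are assumptions, and the service's SSRF risk check is not reproduced.

```python
import json

# Constructed sample body; names and URLs are placeholders, not values from the page.
SAMPLE = {"name": "Example AS", "type": "EXTERNAL", "issuers": ["https://as.example.com"],
          "validation": {"type": "JWKS_URL", "jwksUrl": "https://as.example.com/jwks.json"}}

def check_external_oauth_server(body):
    """Return violations of the documented constraints (empty list means none found)."""
    errs = []
    name, issuers, val = body.get("name"), body.get("issuers"), body.get("validation")
    if not isinstance(name, str) or not 1 <= len(name) <= 256:
        errs.append("name: required, length 1-256")
    if body.get("type") != "EXTERNAL":
        errs.append("type: only EXTERNAL is accepted")
    if len(str(body.get("description") or "")) > 1024:
        errs.append("description: maximum length 1024")
    if issuers is not None and not (
        isinstance(issuers, list) and 1 <= len(issuers) <= 8
        and all(isinstance(i, str) and 1 <= len(i) <= 1024 for i in issuers)
    ):
        errs.append("issuers: 1-8 strings, each of length 1-1024")
    if not isinstance(val, dict):
        return errs + ["validation: required object"]
    skew = val.get("clockSkewTolerance", 0)  # documented default is 0
    if isinstance(skew, bool) or not isinstance(skew, int) or skew < 0:
        errs.append("validation.clockSkewTolerance: zero or a positive integer")
    if val.get("type") == "JWKS_URL":
        url = val.get("jwksUrl")
        if not isinstance(url, str) or not 1 <= len(url) <= 1024:
            errs.append("validation.jwksUrl: required, length 1-1024")
        elif not url.lower().startswith("https://"):
            errs.append("validation.jwksUrl: must use HTTPS")
    elif val.get("type") == "JWKS":
        errs += check_jwks(val.get("jwks"))
    else:
        errs.append("validation.type: must be JWKS_URL or JWKS")
    return errs

def check_jwks(doc):
    """Check an inline JWKS string: size, RFC 7517 shape, public keys only."""
    if not isinstance(doc, str) or len(doc.encode()) > 16 * 1024:  # assumes 16kB = 16384 bytes
        return ["validation.jwks: required string, at most 16kB"]
    try:
        keys = json.loads(doc)["keys"]
    except (ValueError, KeyError, TypeError):
        return ["validation.jwks: not a JWK Set (no 'keys' array, RFC 7517)"]
    if not isinstance(keys, list) or not all(isinstance(k, dict) and "kty" in k for k in keys):
        return ["validation.jwks: every entry must be a JWK with 'kty'"]
    # Added check, not a rule stated on the page: "d" is the private member of RSA/EC/OKP JWKs.
    return ["validation.jwks: contains private key material"] if any("d" in k for k in keys) else []
```

Call check_external_oauth_server with the parsed JSON body before sending it; an empty list means none of the documented constraints was violated locally.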

Limiting and filtering data

You can limit the number of results returned on the Read All External OAuth Servers request with the limit parameter. Refer to Pagination for more information about use of the limit parameter, as well as other methods of controlling pagination.

You can filter response data by applying a SCIM filtering expression to the Read All External OAuth Servers request. These SCIM operators can be applied to the following attributes:

  • co (contains)

    Supported attributes: name

Response codes

| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |