PingOne Platform APIs

Configure an Application to use the offline_access Scope

This activity shows you how to create an application and configure it to use the offline_access scope. The offline_access scope allows an application to request a long-lived refresh token which grants access to resources on behalf of the user. For more information, refer to Authorization.

This workflow very similar to Configuring an Application with an Authorization Code Grant, however you’ll specify the offline_access scope when creating the application’s resource grant in step 5.

The following operations are supported by the PingOne APIs:

  • Create an application

  • Create a resource access grant

  • Initiate an authorization_code authorization flow

  • Use flow APIs to complete the login

Best practices for application secrets

  • Do not store an application secret in applications that are publicly available.

  • For security purposes, regenerate application secrets regularly (refer to Update the application secret).

  • If you suspect an application secret has been compromised, generate a new application secret immediately.

Prerequisites

Get an access token from the worker application that you created in PingOne for Developers Getting Started. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, refer to Token (client_credentials).

Workflow order of operations

To configure an application and initiate the authorization flow, you must complete the following tasks:

  1. Make a POST request to /environments/{{envID}}/applications to add a new application to the specified environment.

  2. Make a GET request to /environments/{{envID}}/applications/{{offlineAccessAppID}}/secret to return the new application’s secret attribute.

  3. Make a GET request to /environments/{{envID}}/resources to return a list of all resource entities associated with the specified environment to get the ID for the PingOne platform resource.

  4. Make a GET request to /environments/{{envID}}/resources/{{resourceID}}/scopes to to get the ID for the offline_access scope.

  5. Make a POST request to /environments/{{envID}}/applications/{{appID}}/grants to create a new resource access grant for the application.

  6. Make a POST request to /environments/{{envID}}/populations to create a new population resource.

  7. Make a POST request to /environments/{{envID}}/users to create a user who will be associated with the new population resource.

  8. Make a POST request to /environments/{{envID}}/users/{{userID}}/password to set the new user’s password.

  9. Make a POST request to /{{envID}}/as/authorize to obtain an authorization grant. This request starts the authorization flow.

  10. To initiate the authentication flow, make a GET request to GET /{{envID}}/flows/{{flowID}}.

  11. To complete the authentication flow, make a POST request to GET /{{envID}}/flows/{{flowID}} and provide the user’s login credentials.

  12. Make a GET request to /{{envID}}/as/resume?flowId={{flowID}} to call the resume endpoint and return the token.

  13. After the authorization flow completes and returns an auth code, make a POST request to /{{envID}}/as/token to exchange the auth code for an access token.

Click the Run in Postman button below to fork, or download and import, the Postman collection for this workflow to your workspace.

Run in Postman