PingOne Platform APIs

Step 4: Create OIDC provider in destination environment

   

POST {{apiPath}}/environments/{{destinationEnvID}}/identityProviders

Create a new OIDC identity provider in the destination environment using a POST {{apiPath}}/environments/{{destinationEnvID}}/identityProviders request.

  • In the request body, the IdP name must be unique to the environment.

  • Set clientId to the UUID of the application you created in step 2.

  • Set clientSecret to the value returned in step 3.

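  • The discoveryEndpoint in the request body is the discovery endpoint for the source environment. In the example body, the issuer and the authorization, token, userinfo, and JWKS endpoints likewise use the source environment ID.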

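Refer to the example request body for other required properties. The response returns an identity provider ID that you’ll use in step 6. As the example response shows, the response body also includes the clientSecret value, so treat any logged or stored copy of the response as sensitive.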

Headers

Authorization      Bearer {{accessToken}}

Content-Type      application/json

Body

raw ( application/json )

{
    "description": "Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "name": "OpenIDConnectIdP_{{$timestamp}}",
    "type": "OPENID_CONNECT",
    "clientId": "{{oidcAppSourceID}}",
    "clientSecret": "{{oidcAppSourceClientSecret}}",
    "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
    "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
    "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
    "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
    "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
}

Example Request

  • cURL

  • C#

  • Go

  • HTTP

  • Java

  • jQuery

  • NodeJS

  • Python

  • PHP

  • Ruby

  • Swift

# Create the OIDC identity provider in the destination environment.
# Every {{...}} token is a template placeholder that must be substituted before running.
# --globoff turns off curl's URL globbing so braces in the URL are taken literally.
# The bearer token and clientSecret are passed as command-line arguments here, so they
# can end up in shell history and be visible in the process list while curl runs.
curl --location --globoff '{{apiPath}}/environments/{{destinationEnvID}}/identityProviders' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{accessToken}}' \
--data '{
    "description": "Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "name": "OpenIDConnectIdP_{{$timestamp}}",
    "type": "OPENID_CONNECT",
    "clientId": "{{oidcAppSourceID}}",
    "clientSecret": "{{oidcAppSourceClientSecret}}",
    "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
    "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
    "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
    "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
    "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
}'
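// Creates the OIDC identity provider in the destination environment.
// Every {{...}} token is a template placeholder that must be substituted first.
var options = new RestClientOptions("{{apiPath}}/environments/{{destinationEnvID}}/identityProviders")
{
  // Explicit upper bound on the request duration, in milliseconds.
  MaxTimeout = 30000,
};
var client = new RestClient(options);
var request = new RestRequest("", Method.Post);
request.AddHeader("Content-Type", "application/json");
request.AddHeader("Authorization", "Bearer {{accessToken}}");
var body = @"{" + "\n" +
@"    ""description"": ""Custom OpenID Connect Provider in Destination Env""," + "\n" +
@"    ""enabled"": true," + "\n" +
@"    ""name"": ""OpenIDConnectIdP_{{$timestamp}}""," + "\n" +
@"    ""type"": ""OPENID_CONNECT""," + "\n" +
@"    ""clientId"": ""{{oidcAppSourceID}}""," + "\n" +
@"    ""clientSecret"": ""{{oidcAppSourceClientSecret}}""," + "\n" +
@"    ""authorizationEndpoint"": ""https://auth.pingone.com/{{SourceEnvID}}/as/authorize""," + "\n" +
@"    ""tokenEndpoint"": ""https://auth.pingone.com/{{SourceEnvID}}/as/token""," + "\n" +
@"    ""userInfoEndpoint"": ""https://auth.pingone.com/{{SourceEnvID}}/as/userinfo""," + "\n" +
@"    ""jwksEndpoint"": ""https://auth.pingone.com/{{SourceEnvID}}/as/jwks""," + "\n" +
@"    ""issuer"": ""https://auth.pingone.com/{{SourceEnvID}}/as""," + "\n" +
@"    ""scopes"": [""openid"", ""CUSTOM_SCOPE""]," + "\n" +
@"    ""tokenEndpointAuthMethod"": ""CLIENT_SECRET_BASIC""," + "\n" +
@"    ""discoveryEndpoint"": ""https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration""" + "\n" +
@"}";
request.AddStringBody(body, DataFormat.Json);
RestResponse response = await client.ExecuteAsync(request);
if (response.IsSuccessful)
{
  // The response body echoes clientSecret; keep it out of shared logs.
  Console.WriteLine(response.Content);
}
else
{
  // Report transport errors and non-success statuses instead of printing them as if they succeeded.
  Console.Error.WriteLine($"Request failed: {(int)response.StatusCode} {response.ErrorMessage}");
}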
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

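// main sends the request that creates the OIDC identity provider in the
// destination environment and prints the response body.
//
// Every {{...}} token is a template placeholder that must be substituted
// before the program is run.
func main() {
	url := "{{apiPath}}/environments/{{destinationEnvID}}/identityProviders"
	method := "POST"

	payload := strings.NewReader(`{
    "description": "Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "name": "OpenIDConnectIdP_{{$timestamp}}",
    "type": "OPENID_CONNECT",
    "clientId": "{{oidcAppSourceID}}",
    "clientSecret": "{{oidcAppSourceClientSecret}}",
    "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
    "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
    "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
    "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
    "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
}`)

	// The zero-value http.Client has no timeout; bound the whole exchange.
	client := &http.Client{Timeout: 30 * time.Second}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Content-Type", "application/json")
	req.Header.Add("Authorization", "Bearer {{accessToken}}")

	res, err := client.Do(req)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}

	// A successful create answers 201 Created; report anything else as a failure.
	if res.StatusCode != http.StatusCreated {
		fmt.Printf("unexpected HTTP status %s: %s\n", res.Status, body)
		return
	}

	// The response body echoes clientSecret; keep it out of shared logs.
	fmt.Println(string(body))
}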
POST /environments/{{destinationEnvID}}/identityProviders HTTP/1.1
Host: {{apiPath}}
Content-Type: application/json
Authorization: Bearer {{accessToken}}

{
    "description": "Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "name": "OpenIDConnectIdP_{{$timestamp}}",
    "type": "OPENID_CONNECT",
    "clientId": "{{oidcAppSourceID}}",
    "clientSecret": "{{oidcAppSourceClientSecret}}",
    "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
    "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
    "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
    "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
    "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
}
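// Creates the OIDC identity provider in the destination environment.
// Every {{...}} token is a template placeholder that must be substituted first.
OkHttpClient client = new OkHttpClient().newBuilder()
  .build();
MediaType mediaType = MediaType.parse("application/json");
String json = "{\n"
  + "    \"description\": \"Custom OpenID Connect Provider in Destination Env\",\n"
  + "    \"enabled\": true,\n"
  + "    \"name\": \"OpenIDConnectIdP_{{$timestamp}}\",\n"
  + "    \"type\": \"OPENID_CONNECT\",\n"
  + "    \"clientId\": \"{{oidcAppSourceID}}\",\n"
  + "    \"clientSecret\": \"{{oidcAppSourceClientSecret}}\",\n"
  + "    \"authorizationEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/authorize\",\n"
  + "    \"tokenEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/token\",\n"
  + "    \"userInfoEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/userinfo\",\n"
  + "    \"jwksEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/jwks\",\n"
  + "    \"issuer\": \"https://auth.pingone.com/{{SourceEnvID}}/as\",\n"
  + "    \"scopes\": [\"openid\", \"CUSTOM_SCOPE\"],\n"
  + "    \"tokenEndpointAuthMethod\": \"CLIENT_SECRET_BASIC\",\n"
  + "    \"discoveryEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration\"\n"
  + "}";
RequestBody body = RequestBody.create(mediaType, json);
Request request = new Request.Builder()
  .url("{{apiPath}}/environments/{{destinationEnvID}}/identityProviders")
  .method("POST", body)
  .addHeader("Content-Type", "application/json")
  .addHeader("Authorization", "Bearer {{accessToken}}")
  .build();
// A Response holds its connection until it is closed; try-with-resources releases it.
try (Response response = client.newCall(request).execute()) {
  if (!response.isSuccessful()) {
    throw new java.io.IOException("Unexpected HTTP status: " + response.code());
  }
  // Read response.body() here, inside the try block. It echoes clientSecret,
  // so keep it out of shared logs.
}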
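// Creates the OIDC identity provider in the destination environment.
// Every {{...}} token is a template placeholder that must be substituted first.
// NOTE(review): this request carries a management access token and a client secret;
// code that runs in a browser makes both available to the page.
var settings = {
  "url": "{{apiPath}}/environments/{{destinationEnvID}}/identityProviders",
  "method": "POST",
  // jQuery treats 0 as "no timeout"; bound the request instead (milliseconds).
  "timeout": 30000,
  "headers": {
    "Content-Type": "application/json",
    "Authorization": "Bearer {{accessToken}}"
  },
  "data": JSON.stringify({
    "description": "Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "name": "OpenIDConnectIdP_{{$timestamp}}",
    "type": "OPENID_CONNECT",
    "clientId": "{{oidcAppSourceID}}",
    "clientSecret": "{{oidcAppSourceClientSecret}}",
    "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
    "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
    "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
    "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
    "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
    "scopes": [
      "openid",
      "CUSTOM_SCOPE"
    ],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
  }),
};

$.ajax(settings)
  .done(function (response) {
    // The response echoes clientSecret; keep it out of shared logs.
    console.log(response);
  })
  .fail(function (jqXHR, textStatus) {
    // Surface failures instead of dropping them silently.
    console.error("Request failed: " + jqXHR.status + " " + textStatus);
  });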
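// Creates the OIDC identity provider in the destination environment.
// Every {{...}} token is a template placeholder that must be substituted first.
var request = require('request');
var options = {
  'method': 'POST',
  'url': '{{apiPath}}/environments/{{destinationEnvID}}/identityProviders',
  // Explicit upper bound on the wait for the server, in milliseconds.
  'timeout': 30000,
  'headers': {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer {{accessToken}}'
  },
  body: JSON.stringify({
    "description": "Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "name": "OpenIDConnectIdP_{{$timestamp}}",
    "type": "OPENID_CONNECT",
    "clientId": "{{oidcAppSourceID}}",
    "clientSecret": "{{oidcAppSourceClientSecret}}",
    "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
    "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
    "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
    "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
    "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
    "scopes": [
      "openid",
      "CUSTOM_SCOPE"
    ],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
  })

};
request(options, function (error, response) {
  if (error) throw new Error(error);
  // A successful create answers 201 Created; flag anything else.
  if (response.statusCode !== 201) {
    console.error('Unexpected HTTP status: ' + response.statusCode);
  }
  // The response body echoes clientSecret; keep it out of shared logs.
  console.log(response.body);
});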
import requests
import json

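# Create the OIDC identity provider in the destination environment.
# Every {{...}} token is a template placeholder that must be substituted first.
url = "{{apiPath}}/environments/{{destinationEnvID}}/identityProviders"

payload = json.dumps({
  "description": "Custom OpenID Connect Provider in Destination Env",
  "enabled": True,
  "name": "OpenIDConnectIdP_{{$timestamp}}",
  "type": "OPENID_CONNECT",
  "clientId": "{{oidcAppSourceID}}",
  "clientSecret": "{{oidcAppSourceClientSecret}}",
  "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
  "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
  "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
  "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
  "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
  "scopes": [
    "openid",
    "CUSTOM_SCOPE"
  ],
  "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
  "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
})
headers = {
  'Content-Type': 'application/json',
  'Authorization': 'Bearer {{accessToken}}'
}

# requests waits indefinitely unless a timeout (in seconds) is given.
response = requests.request("POST", url, headers=headers, data=payload, timeout=30)

# A successful create answers 201 Created; flag anything else.
if response.status_code != 201:
  print(f"Unexpected HTTP status: {response.status_code}")

# The response body echoes clientSecret; keep it out of shared logs.
print(response.text)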
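<?php
require_once 'HTTP/Request2.php';

// Creates the OIDC identity provider in the destination environment.
// Every {{...}} token is a template placeholder that must be substituted first.
$request = new HTTP_Request2();
$request->setUrl('{{apiPath}}/environments/{{destinationEnvID}}/identityProviders');
$request->setMethod(HTTP_Request2::METHOD_POST);
$request->setConfig(array(
  'follow_redirects' => TRUE
));
$request->setHeader(array(
  'Content-Type' => 'application/json',
  'Authorization' => 'Bearer {{accessToken}}'
));
// Build the body with json_encode(): inside a single-quoted PHP string "\n" stays a
// literal backslash followed by "n", which is not valid JSON between members.
// Single quotes also keep {{$timestamp}} from being interpolated as a PHP variable.
$request->setBody(json_encode(array(
  'description' => 'Custom OpenID Connect Provider in Destination Env',
  'enabled' => true,
  'name' => 'OpenIDConnectIdP_{{$timestamp}}',
  'type' => 'OPENID_CONNECT',
  'clientId' => '{{oidcAppSourceID}}',
  'clientSecret' => '{{oidcAppSourceClientSecret}}',
  'authorizationEndpoint' => 'https://auth.pingone.com/{{SourceEnvID}}/as/authorize',
  'tokenEndpoint' => 'https://auth.pingone.com/{{SourceEnvID}}/as/token',
  'userInfoEndpoint' => 'https://auth.pingone.com/{{SourceEnvID}}/as/userinfo',
  'jwksEndpoint' => 'https://auth.pingone.com/{{SourceEnvID}}/as/jwks',
  'issuer' => 'https://auth.pingone.com/{{SourceEnvID}}/as',
  'scopes' => array('openid', 'CUSTOM_SCOPE'),
  'tokenEndpointAuthMethod' => 'CLIENT_SECRET_BASIC',
  'discoveryEndpoint' => 'https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration'
), JSON_UNESCAPED_SLASHES));
try {
  $response = $request->send();
  $status = $response->getStatus();
  // A successful create answers 201 Created, so accept any 2xx status rather than only 200.
  if ($status >= 200 && $status < 300) {
    // The response body echoes clientSecret; keep it out of shared logs.
    echo $response->getBody();
  }
  else {
    echo 'Unexpected HTTP status: ' . $status . ' ' .
    $response->getReasonPhrase();
  }
}
catch(HTTP_Request2_Exception $e) {
  echo 'Error: ' . $e->getMessage();
}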
require "uri"
require "json"
require "net/http"

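# Creates the OIDC identity provider in the destination environment.
# Every {{...}} token is a template placeholder that must be substituted first.
url = URI("{{apiPath}}/environments/{{destinationEnvID}}/identityProviders")

http = Net::HTTP.new(url.host, url.port)
# Net::HTTP.new does not enable TLS by itself; turn it on for https URLs so the
# bearer token and client secret are not written to the socket unencrypted.
http.use_ssl = (url.scheme == "https")

request = Net::HTTP::Post.new(url)
request["Content-Type"] = "application/json"
request["Authorization"] = "Bearer {{accessToken}}"
request.body = JSON.dump({
  "description": "Custom OpenID Connect Provider in Destination Env",
  "enabled": true,
  "name": "OpenIDConnectIdP_{{\$timestamp}}",
  "type": "OPENID_CONNECT",
  "clientId": "{{oidcAppSourceID}}",
  "clientSecret": "{{oidcAppSourceClientSecret}}",
  "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
  "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
  "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
  "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
  "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
  "scopes": [
    "openid",
    "CUSTOM_SCOPE"
  ],
  "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
  "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
})

response = http.request(request)
# A successful create answers 201 Created; flag anything outside 2xx.
warn "Unexpected HTTP status: #{response.code}" unless response.is_a?(Net::HTTPSuccess)
# The response body echoes clientSecret; keep it out of shared logs.
puts response.read_body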
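// Creates the OIDC identity provider in the destination environment.
// Every {{...}} token is a template placeholder that must be substituted first.
let parameters = "{\n    \"description\": \"Custom OpenID Connect Provider in Destination Env\",\n    \"enabled\": true,\n    \"name\": \"OpenIDConnectIdP_{{$timestamp}}\",\n    \"type\": \"OPENID_CONNECT\",\n    \"clientId\": \"{{oidcAppSourceID}}\",\n    \"clientSecret\": \"{{oidcAppSourceClientSecret}}\",\n    \"authorizationEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/authorize\",\n    \"tokenEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/token\",\n    \"userInfoEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/userinfo\",\n    \"jwksEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/jwks\",\n    \"issuer\": \"https://auth.pingone.com/{{SourceEnvID}}/as\",\n    \"scopes\": [\"openid\", \"CUSTOM_SCOPE\"],\n    \"tokenEndpointAuthMethod\": \"CLIENT_SECRET_BASIC\",\n    \"discoveryEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration\"\n}"
let postData = parameters.data(using: .utf8)

// Use a finite timeout (seconds); Double.infinity puts no bound on the wait.
var request = URLRequest(url: URL(string: "{{apiPath}}/environments/{{destinationEnvID}}/identityProviders")!, timeoutInterval: 30)
request.addValue("application/json", forHTTPHeaderField: "Content-Type")
request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization")

request.httpMethod = "POST"
request.httpBody = postData

let task = URLSession.shared.dataTask(with: request) { data, response, error in
  guard let data = data else {
    print(String(describing: error))
    return
  }
  // A successful create answers 201 Created; flag anything else.
  if let http = response as? HTTPURLResponse, http.statusCode != 201 {
    print("Unexpected HTTP status: \(http.statusCode)")
  }
  // Decode leniently instead of force-unwrapping, which would crash on non-UTF-8 bytes.
  // The response body echoes clientSecret; keep it out of shared logs.
  print(String(decoding: data, as: UTF8.self))
}

task.resume()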

Example Response

201 Created

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/identityProviders/f54ae957-cfea-4252-a93d-ae42cbdbb212"
        },
        "environment": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
        },
        "attributes": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/identityProviders/f54ae957-cfea-4252-a93d-ae42cbdbb212/attributes"
        }
    },
    "id": "f54ae957-cfea-4252-a93d-ae42cbdbb212",
    "type": "OPENID_CONNECT",
    "name": "OpenIDConnectIdP",
    "description": "Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "environment": {
        "id": "abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
    },
    "createdAt": "2023-10-24T17:18:02.908Z",
    "updatedAt": "2023-10-24T17:18:02.908Z",
    "tokenEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/token",
    "clientId": "b8716b73-4e81-4efd-a9e0-1113c91499cf",
    "jwksEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/jwks",
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "clientSecret": "2ftfPBMwaMBCUp7HlV6gjm_tg9chPtvdGACD0o5UExE94OpgB8N4E9FQyu9kSo2j",
    "discoveryEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/.well-known/openid-configuration",
    "scopes": [
        "openid",
        "CUSTOM_SCOPE"
    ],
    "userInfoEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/userinfo",
    "authorizationEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/authorize",
    "issuer": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as"
}