PingOne Platform APIs

Step 5: Create OIDC IdP in destination environment

   

POST {{apiPath}}/environments/{{destinationEnvID}}/identityProviders

Create a new OIDC identity provider in the destination environment using a POST {{apiPath}}/environments/{{destinationEnvID}}/identityProviders request.

  • In the request body, the IdP name must be unique to the environment.

  • Set clientId to the UUID of the application you created in step 3.

  • Set clientSecret to the value returned in step 4.

  • The discoveryEndpoint in the request body is the discovery endpoint for the source environment.

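Refer to the example request body for other required properties. The response returns an identity provider ID that you’ll use in the next steps. The response also echoes the clientSecret value in plain text (see the example response), so treat captured responses and logs as sensitive.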

Headers

Authorization      Bearer {{accessToken}}

Content-Type      application/json

Body

raw ( application/json )

{
    "description": "New Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "name": "IdentityProvider_{{$timestamp}}",
    "type": "OPENID_CONNECT",
    "clientId": "{{oidcAppSourceID}}",
    "clientSecret": "{{oidcAppSourceClientSecret}}",
    "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
    "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
    "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
    "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
    "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
}

Example Request

  • cURL

  • C#

  • Go

  • HTTP

  • Java

  • jQuery

  • NodeJS

  • Python

  • PHP

  • Ruby

  • Swift

# Create the OIDC identity provider in the destination environment.
#   -L  follow redirects (--location)
#   -g  switch off curl's URL globbing so braces in the URL are taken literally (--globoff)
# The {{...}} tokens are placeholders to substitute before running the command.
curl -L -g \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {{accessToken}}' \
  -d '{
    "description": "New Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "name": "IdentityProvider_{{$timestamp}}",
    "type": "OPENID_CONNECT",
    "clientId": "{{oidcAppSourceID}}",
    "clientSecret": "{{oidcAppSourceClientSecret}}",
    "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
    "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
    "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
    "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
    "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
}' \
  '{{apiPath}}/environments/{{destinationEnvID}}/identityProviders'
// Build the POST request that creates the OIDC identity provider in the
// destination environment. The {{...}} tokens are placeholders to substitute
// before running.
var clientOptions = new RestClientOptions("{{apiPath}}/environments/{{destinationEnvID}}/identityProviders")
{
  MaxTimeout = -1,
};
var client = new RestClient(clientOptions);

var request = new RestRequest("", Method.Post);
request.AddHeader("Content-Type", "application/json");
request.AddHeader("Authorization", "Bearer {{accessToken}}");

// One array element per line of the JSON document; joining with "\n" yields
// the request body without a trailing newline.
var body = string.Join("\n", new[]
{
  @"{",
  @"    ""description"": ""New Custom OpenID Connect Provider in Destination Env"",",
  @"    ""enabled"": true,",
  @"    ""name"": ""IdentityProvider_{{$timestamp}}"",",
  @"    ""type"": ""OPENID_CONNECT"",",
  @"    ""clientId"": ""{{oidcAppSourceID}}"",",
  @"    ""clientSecret"": ""{{oidcAppSourceClientSecret}}"",",
  @"    ""authorizationEndpoint"": ""https://auth.pingone.com/{{SourceEnvID}}/as/authorize"",",
  @"    ""tokenEndpoint"": ""https://auth.pingone.com/{{SourceEnvID}}/as/token"",",
  @"    ""userInfoEndpoint"": ""https://auth.pingone.com/{{SourceEnvID}}/as/userinfo"",",
  @"    ""jwksEndpoint"": ""https://auth.pingone.com/{{SourceEnvID}}/as/jwks"",",
  @"    ""issuer"": ""https://auth.pingone.com/{{SourceEnvID}}/as"",",
  @"    ""scopes"": [""openid"", ""CUSTOM_SCOPE""],",
  @"    ""tokenEndpointAuthMethod"": ""CLIENT_SECRET_BASIC"",",
  @"    ""discoveryEndpoint"": ""https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration""",
  @"}",
});
request.AddStringBody(body, DataFormat.Json);

// Send the request and print whatever body comes back.
RestResponse response = await client.ExecuteAsync(request);
Console.WriteLine(response.Content);
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

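// main sends the POST request that creates the OIDC identity provider in the
// destination environment and prints the response body. The {{...}} tokens are
// template placeholders that must be substituted before the program is run.
func main() {
	url := "{{apiPath}}/environments/{{destinationEnvID}}/identityProviders"
	method := "POST"

	// The raw string literal is sent as the request body unchanged.
	payload := strings.NewReader(`{
    "description": "New Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "name": "IdentityProvider_{{$timestamp}}",
    "type": "OPENID_CONNECT",
    "clientId": "{{oidcAppSourceID}}",
    "clientSecret": "{{oidcAppSourceClientSecret}}",
    "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
    "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
    "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
    "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
    "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
}`)

	// The zero-value http.Client never times out; bound the whole exchange so
	// a stalled connection cannot hang the program.
	client := &http.Client{Timeout: 30 * time.Second}

	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer {{accessToken}}")

	res, err := client.Do(req)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}

	// A successful create is answered with 201 Created; surface any other
	// status explicitly instead of printing an error document as if it were
	// the new identity provider.
	if res.StatusCode != http.StatusCreated {
		fmt.Printf("unexpected status %s: %s\n", res.Status, body)
		return
	}

	// The created resource echoes clientSecret, so treat this output as sensitive.
	fmt.Println(string(body))
}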
POST /environments/{{destinationEnvID}}/identityProviders HTTP/1.1
Host: {{apiPath}}
Content-Type: application/json
Authorization: Bearer {{accessToken}}

{
    "description": "New Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "name": "IdentityProvider_{{$timestamp}}",
    "type": "OPENID_CONNECT",
    "clientId": "{{oidcAppSourceID}}",
    "clientSecret": "{{oidcAppSourceClientSecret}}",
    "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
    "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
    "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
    "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
    "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
    "scopes": ["openid", "CUSTOM_SCOPE"],
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
}
// JSON definition of the OIDC identity provider, one argument per line of the
// document; joining with "\n" yields the request body without a trailing newline.
// The {{...}} tokens are placeholders to substitute before running.
String idpJson = String.join("\n",
  "{",
  "    \"description\": \"New Custom OpenID Connect Provider in Destination Env\",",
  "    \"enabled\": true,",
  "    \"name\": \"IdentityProvider_{{$timestamp}}\",",
  "    \"type\": \"OPENID_CONNECT\",",
  "    \"clientId\": \"{{oidcAppSourceID}}\",",
  "    \"clientSecret\": \"{{oidcAppSourceClientSecret}}\",",
  "    \"authorizationEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/authorize\",",
  "    \"tokenEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/token\",",
  "    \"userInfoEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/userinfo\",",
  "    \"jwksEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/jwks\",",
  "    \"issuer\": \"https://auth.pingone.com/{{SourceEnvID}}/as\",",
  "    \"scopes\": [\"openid\", \"CUSTOM_SCOPE\"],",
  "    \"tokenEndpointAuthMethod\": \"CLIENT_SECRET_BASIC\",",
  "    \"discoveryEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration\"",
  "}");

OkHttpClient client = new OkHttpClient().newBuilder()
  .build();
MediaType mediaType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(mediaType, idpJson);

// POST to the destination environment's identityProviders collection.
Request request = new Request.Builder()
  .url("{{apiPath}}/environments/{{destinationEnvID}}/identityProviders")
  .addHeader("Content-Type", "application/json")
  .addHeader("Authorization", "Bearer {{accessToken}}")
  .post(body)
  .build();
Response response = client.newCall(request).execute();
// Definition of the OIDC identity provider to create; serialized below as the
// JSON request body. The {{...}} tokens are placeholders to substitute first.
var idpDefinition = {
  description: "New Custom OpenID Connect Provider in Destination Env",
  enabled: true,
  name: "IdentityProvider_{{$timestamp}}",
  type: "OPENID_CONNECT",
  clientId: "{{oidcAppSourceID}}",
  clientSecret: "{{oidcAppSourceClientSecret}}",
  authorizationEndpoint: "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
  tokenEndpoint: "https://auth.pingone.com/{{SourceEnvID}}/as/token",
  userInfoEndpoint: "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
  jwksEndpoint: "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
  issuer: "https://auth.pingone.com/{{SourceEnvID}}/as",
  scopes: ["openid", "CUSTOM_SCOPE"],
  tokenEndpointAuthMethod: "CLIENT_SECRET_BASIC",
  discoveryEndpoint: "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
};

// jQuery AJAX settings: POST to the destination environment's
// identityProviders collection with a bearer token.
var settings = {
  url: "{{apiPath}}/environments/{{destinationEnvID}}/identityProviders",
  method: "POST",
  timeout: 0,
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer {{accessToken}}"
  },
  data: JSON.stringify(idpDefinition)
};

// Log the parsed response once the request completes successfully.
$.ajax(settings).done((response) => {
  console.log(response);
});
var request = require('request');
// Definition of the OIDC identity provider to create; serialized below as the
// JSON request body. The {{...}} tokens are placeholders to substitute first.
var idpDefinition = {
  description: "New Custom OpenID Connect Provider in Destination Env",
  enabled: true,
  name: "IdentityProvider_{{$timestamp}}",
  type: "OPENID_CONNECT",
  clientId: "{{oidcAppSourceID}}",
  clientSecret: "{{oidcAppSourceClientSecret}}",
  authorizationEndpoint: "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
  tokenEndpoint: "https://auth.pingone.com/{{SourceEnvID}}/as/token",
  userInfoEndpoint: "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
  jwksEndpoint: "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
  issuer: "https://auth.pingone.com/{{SourceEnvID}}/as",
  scopes: ["openid", "CUSTOM_SCOPE"],
  tokenEndpointAuthMethod: "CLIENT_SECRET_BASIC",
  discoveryEndpoint: "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
};

// Options for the `request` module: POST to the destination environment's
// identityProviders collection with a bearer token.
var options = {
  method: 'POST',
  url: '{{apiPath}}/environments/{{destinationEnvID}}/identityProviders',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer {{accessToken}}'
  },
  body: JSON.stringify(idpDefinition)
};

// Transport failures are rethrown; otherwise the raw response body is logged.
request(options, (error, response) => {
  if (error) {
    throw new Error(error);
  }
  console.log(response.body);
});
import requests
import json

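# Endpoint of the destination environment's identityProviders collection.
# The {{...}} tokens are placeholders to substitute before running.
url = "{{apiPath}}/environments/{{destinationEnvID}}/identityProviders"

# Definition of the new OIDC identity provider, serialized as the JSON body.
payload = json.dumps({
  "description": "New Custom OpenID Connect Provider in Destination Env",
  "enabled": True,
  "name": "IdentityProvider_{{$timestamp}}",
  "type": "OPENID_CONNECT",
  "clientId": "{{oidcAppSourceID}}",
  "clientSecret": "{{oidcAppSourceClientSecret}}",
  "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
  "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
  "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
  "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
  "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
  "scopes": [
    "openid",
    "CUSTOM_SCOPE"
  ],
  "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
  "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
})
headers = {
  'Content-Type': 'application/json',
  'Authorization': 'Bearer {{accessToken}}'
}

# requests applies no timeout unless one is given; bound the call so a stalled
# connection cannot hang the script indefinitely.
response = requests.request("POST", url, headers=headers, data=payload, timeout=30)

# The 201 response body echoes clientSecret, so treat this output as sensitive.
print(response.text)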
<?php
require_once 'HTTP/Request2.php';
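// Create the OIDC identity provider in the destination environment.
// The {{...}} tokens are placeholders to substitute before running.
$request = new HTTP_Request2();
$request->setUrl('{{apiPath}}/environments/{{destinationEnvID}}/identityProviders');
$request->setMethod(HTTP_Request2::METHOD_POST);
$request->setConfig(array(
  'follow_redirects' => TRUE
));
$request->setHeader(array(
  'Content-Type' => 'application/json',
  'Authorization' => 'Bearer {{accessToken}}'
));
// Build the body with json_encode(): inside a single-quoted PHP string "\n" is
// a literal backslash followed by "n", which is not valid JSON between members.
// The values stay single-quoted so {{$timestamp}} is not interpolated as a PHP
// variable.
$request->setBody(json_encode(array(
  'description' => 'New Custom OpenID Connect Provider in Destination Env',
  'enabled' => true,
  'name' => 'IdentityProvider_{{$timestamp}}',
  'type' => 'OPENID_CONNECT',
  'clientId' => '{{oidcAppSourceID}}',
  'clientSecret' => '{{oidcAppSourceClientSecret}}',
  'authorizationEndpoint' => 'https://auth.pingone.com/{{SourceEnvID}}/as/authorize',
  'tokenEndpoint' => 'https://auth.pingone.com/{{SourceEnvID}}/as/token',
  'userInfoEndpoint' => 'https://auth.pingone.com/{{SourceEnvID}}/as/userinfo',
  'jwksEndpoint' => 'https://auth.pingone.com/{{SourceEnvID}}/as/jwks',
  'issuer' => 'https://auth.pingone.com/{{SourceEnvID}}/as',
  'scopes' => array('openid', 'CUSTOM_SCOPE'),
  'tokenEndpointAuthMethod' => 'CLIENT_SECRET_BASIC',
  'discoveryEndpoint' => 'https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration'
), JSON_UNESCAPED_SLASHES));
try {
  $response = $request->send();
  $status = $response->getStatus();
  // A successful create is answered with 201 Created, so accept any 2xx
  // status instead of only 200.
  if ($status >= 200 && $status < 300) {
    // The created resource echoes clientSecret; treat this output as sensitive.
    echo $response->getBody();
  }
  else {
    echo 'Unexpected HTTP status: ' . $status . ' ' .
    $response->getReasonPhrase();
  }
}
catch(HTTP_Request2_Exception $e) {
  echo 'Error: ' . $e->getMessage();
}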
require "uri"
require "json"
require "net/http"

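# Endpoint of the destination environment's identityProviders collection.
# The {{...}} tokens are placeholders to substitute before running.
url = URI("{{apiPath}}/environments/{{destinationEnvID}}/identityProviders")

http = Net::HTTP.new(url.host, url.port)
# Net::HTTP speaks plain HTTP unless TLS is switched on. Enable it for https
# URLs; otherwise the request, including the bearer token and client secret,
# goes out unencrypted and the call fails against a TLS port.
http.use_ssl = (url.scheme == "https")

request = Net::HTTP::Post.new(url)
request["Content-Type"] = "application/json"
request["Authorization"] = "Bearer {{accessToken}}"

# Definition of the new OIDC identity provider, serialized as the JSON body.
request.body = JSON.dump({
  "description": "New Custom OpenID Connect Provider in Destination Env",
  "enabled": true,
  "name": "IdentityProvider_{{\$timestamp}}",
  "type": "OPENID_CONNECT",
  "clientId": "{{oidcAppSourceID}}",
  "clientSecret": "{{oidcAppSourceClientSecret}}",
  "authorizationEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/authorize",
  "tokenEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/token",
  "userInfoEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/userinfo",
  "jwksEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/jwks",
  "issuer": "https://auth.pingone.com/{{SourceEnvID}}/as",
  "scopes": [
    "openid",
    "CUSTOM_SCOPE"
  ],
  "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
  "discoveryEndpoint": "https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration"
})

response = http.request(request)
# The 201 response body echoes clientSecret, so treat this output as sensitive.
puts response.read_body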
// JSON definition of the OIDC identity provider, one array element per line of
// the document; joining with "\n" yields the request body without a trailing
// newline. The {{...}} tokens are placeholders to substitute before running.
let parameters = [
  "{",
  "    \"description\": \"New Custom OpenID Connect Provider in Destination Env\",",
  "    \"enabled\": true,",
  "    \"name\": \"IdentityProvider_{{$timestamp}}\",",
  "    \"type\": \"OPENID_CONNECT\",",
  "    \"clientId\": \"{{oidcAppSourceID}}\",",
  "    \"clientSecret\": \"{{oidcAppSourceClientSecret}}\",",
  "    \"authorizationEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/authorize\",",
  "    \"tokenEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/token\",",
  "    \"userInfoEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/userinfo\",",
  "    \"jwksEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/jwks\",",
  "    \"issuer\": \"https://auth.pingone.com/{{SourceEnvID}}/as\",",
  "    \"scopes\": [\"openid\", \"CUSTOM_SCOPE\"],",
  "    \"tokenEndpointAuthMethod\": \"CLIENT_SECRET_BASIC\",",
  "    \"discoveryEndpoint\": \"https://auth.pingone.com/{{SourceEnvID}}/as/.well-known/openid-configuration\"",
  "}"
].joined(separator: "\n")
let postData = parameters.data(using: .utf8)

// POST to the destination environment's identityProviders collection.
let endpoint = URL(string: "{{apiPath}}/environments/{{destinationEnvID}}/identityProviders")!
var request = URLRequest(url: endpoint, timeoutInterval: Double.infinity)
request.httpMethod = "POST"
request.addValue("application/json", forHTTPHeaderField: "Content-Type")
request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization")
request.httpBody = postData

// Print the response body as UTF-8 text, or the error when no data came back.
let task = URLSession.shared.dataTask(with: request) { payload, _, failure in
  if let payload = payload {
    print(String(data: payload, encoding: .utf8)!)
  } else {
    print(String(describing: failure))
  }
}

task.resume()

Example Response

201 Created

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/identityProviders/7314c9df-53eb-4362-b4ae-1c8bdb9b79bd"
        },
        "environment": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
        },
        "attributes": {
            "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/identityProviders/7314c9df-53eb-4362-b4ae-1c8bdb9b79bd/attributes"
        }
    },
    "id": "7314c9df-53eb-4362-b4ae-1c8bdb9b79bd",
    "type": "OPENID_CONNECT",
    "name": "IdentityProvider_1714081434",
    "description": "New Custom OpenID Connect Provider in Destination Env",
    "enabled": true,
    "environment": {
        "id": "abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6"
    },
    "createdAt": "2024-04-25T21:43:53.866Z",
    "updatedAt": "2024-04-25T21:43:53.866Z",
    "tokenEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/token",
    "clientId": "1949ed75-1b8a-47d9-b4a6-a31695668a8d",
    "jwksEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/jwks",
    "tokenEndpointAuthMethod": "CLIENT_SECRET_BASIC",
    "clientSecret": "Hm1.cMbdC-nnmEhhlMe95kt_-dg0Y2e6xRAP-bCDUZEn7V0mOJR7uq~_hc7z1pGP",
    "discoveryEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/.well-known/openid-configuration",
    "scopes": [
        "openid",
        "CUSTOM_SCOPE"
    ],
    "userInfoEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/userinfo",
    "authorizationEndpoint": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as/authorize",
    "issuer": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as"
}