DEV Community

DarkEdges

Service Accounts with PingAM

PingOne Advanced Identity Cloud lets you create Service Accounts for programmatic access to its services, but the underlying configuration is hidden in the root realm. This post replicates that configuration on PingAM so that you can see what a Service Account actually consists of and rebuild it yourself if required.

Create a Service Account

For this we need to create an OAuth2 Client in the root realm that has:

  • a Public client type (no client secret is sent; the signed JWT assertion is what AM verifies),
  • our required scopes,
  • the JWT Bearer grant type,
  • private_key_jwt as the Token Endpoint Authentication Method (listed for completeness; the steps below leave this setting untouched).

To create it:

  1. Connect to your PingAM instance and log in as an admin user.
  2. Go to Applications -> OAuth 2.0 -> Clients and click Add Client.
  3. Provide the following details and click the Create button.

     | Key       | Value           |
     |-----------|-----------------|
     | Client ID | service-account |
     | Scope(s)  | fr:idm:*        |

     New OAuth 2.0 Client

  4. On the Core tab provide the following details and click Save Changes.

     | Key         | Value  |
     |-------------|--------|
     | Client Type | Public |

     OAuth 2.0 Client details

  5. On the Advanced tab provide the following details and click Save Changes.

     | Key         | Value      |
     |-------------|------------|
     | Grant Types | JWT Bearer |

     example OAuth 2.0 Client

fr:idm:* is the wildcard for every IDM scope. It is convenient for getting the flow working, but a service account should only be granted the scopes it actually needs, so narrow this once the flow works.

Create a Trusted JWT Issuer

For this we need a JWKS so that its public key can be registered in the Trusted JWT Issuer. This post uses https://mkjwk.org/: select the following values and click Generate.

| Key       | Value     |
|-----------|-----------|
| Key Size  | 2048      |
| Key Usage | Signature |
| Algorithm | RS256:RSA |

Generated JWKS

The key pair below is published only so the example is reproducible. For a real service account, generate the key locally rather than in a third-party web page (a key that has passed through someone else's browser page has to be treated as disclosed), and keep the private half out of PingAM entirely; only the public half is ever registered.

We will use the Private Key in the Postman request later.

```json
{
    "p": "8lQvHToOl4D48pRnva_CXNBbhMt-5ctgDBy3cATu3rDYY8ohdv-2wvR0ldQatHF32OVTGlPDgjpoFbl4slPlM89EfVEerhfSBodfLtO7ZXZdStFWSbyd5JtqIyofSpVUfW1nVBqaVG3SH8Z01O3zoIMjMSxKKY5-1P46KNr72Tk",
    "kty": "RSA",
    "q": "3ZqYHsyQbaDwuhtDd7iIoV9b6870kXSP_ldKHopteioPDMmNY1ADyWc_iOrUlFr8AX517X-8oY-qgYdXqCafaBJkGjDHzQ7N6lIdkUa178ArH61rOjPeiQKhz_0_y2INMfbOZ0CYILl698g6gnu6AQSOLlKCb1eRNEYgzwtAD0k",
    "d": "bn2veNUlEBOFqii2wF6iBTtbvoXQpE0z6oqCrUyWY7U87fySjeyvv4zH0s76rv2m6Rw0N56mzhVyq_KfB1oW4V411_qHPyT_XeTCfUYXvIyQ3vPsw581T7if9jB4GvQ4Y2E51j_rFKoDF123ukBZmgkTjRcvsfTTpvvr0H-GgPc1mw6lKUwoCZlsjSuWE5_4xqcgUnetvRbdWeWYPkH2ZIMu43i8KS8dYh5UlN_wUJWEBZid9cA6Kwq4q9VD2jpy-xMpHRAa8HvWoUaXNwxAdEMOfDlnE3l__UweBEs7tjQpLHv9Qvya5GY4k83RSHgSbGVFBtUp5vLyaNqlCxZKAQ",
    "e": "AQAB",
    "use": "sig",
    "qi": "l8CIew3kKRvec7ddzeg3bpP5i01Rtoh6M9i0_duZP80kDFqgRYCO-h-F6dWpRTtwtMZCP68vBVcAOPIDsAGpM-keF8EaFaSiuZbm66-qd266ojYD6yBsZl9VPwlSVJp5UFk0E3OOwa5xYoI1XMb83XlGO4_qWSHtuJPPfHyxVKo",
    "dp": "s6apjxddfgBFj0Fqb3v_seNeFeLvXtkZiaE4dTmTBVFB-yj9CkWlbn7gd7tZWPDOEuRgaaIzzTYTuBdaXYpI39IHSoh7IEHUmLZ_YC3kPeI0Y6UyPVQyEisN0qgFrrtqedpDwlw-kd0g7CGqt7j45sSRsIDPMmPLr4gSAfvmvjE",
    "alg": "RS256",
    "dq": "AS74LQHuq4c2gefvXk5P_Hyj4wiB6dzzf-o7bRpUJ1jeJ7VT2fntaz_v6O1IIVqzCdcBDjmmaj54LKTqZO1_4HBotHMaPhAcLWou2j3EbvlZwZuNfQwV3ilzb8bsdkuZwnCM_aQsq9ARxgz9swCyJ5s8nya1p56SGfNd7X0j5HE",
    "n": "0cUDT7YuMiLtacUI6D_axU4kYcizPs_yLLi5_dvWWp7iibYU17XxBX3jo2FWqb1b8viQbrooyxxsdjhxY-qg-3gxSb9Tqi8YZ7xedxNRmHICVwKjU5AsfO3nEs9l1QTy8eRVIbYWV15UX-FC6_Ke1qsVdo64GmAIv90EbExY_tzmUPAsICRW_QWLgu_BpxtTbjAqIjF-pEuaF3ny-K8k312HDVyfHcyDljp8-3uS9mGdPuru5XalkFLPqc8a70NEpqw97IWKC-sLHEUavSVFUSNIQfGnobPs7RoYLW6hODnfGIu2AlZ0NjNhb4ae8xd-UohjUp270GJz6FDd9MtIQQ"
}
```

Take only the public members of that key (kty, e, use, alg and n; drop d, p, q, dp, dq and qi, which are the private key) and wrap them in a JWK Set as follows:

```json
{
    "keys": [
        {
            "kty": "RSA",
            "e": "AQAB",
            "use": "sig",
            "alg": "RS256",
            "n": "0cUDT7YuMiLtacUI6D_axU4kYcizPs_yLLi5_dvWWp7iibYU17XxBX3jo2FWqb1b8viQbrooyxxsdjhxY-qg-3gxSb9Tqi8YZ7xedxNRmHICVwKjU5AsfO3nEs9l1QTy8eRVIbYWV15UX-FC6_Ke1qsVdo64GmAIv90EbExY_tzmUPAsICRW_QWLgu_BpxtTbjAqIjF-pEuaF3ny-K8k312HDVyfHcyDljp8-3uS9mGdPuru5XalkFLPqc8a70NEpqw97IWKC-sLHEUavSVFUSNIQfGnobPs7RoYLW6hODnfGIu2AlZ0NjNhb4ae8xd-UohjUp270GJz6FDd9MtIQQ"
        }
    ]
}
```
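The same key generation done locally, as an added example that is not code from this post, from mkjwk.org or from PingAM. It uses only Go's standard library to create a 2048-bit RS256 key, emit the private JWK in the field layout shown above, emit the public-only JWK Set that goes into the Trusted JWT Issuer, and parse that JWK Set back the way a verifier would, refusing any key that still carries the private exponent. The field names are the standard JWK ones (RFC 7517/7518); nothing else is assumed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// b64uint encodes a big-endian unsigned integer as unpadded base64url, the JWK
// representation of every RSA parameter (RFC 7518 section 6.3).
func b64uint(i *big.Int) string {
	return base64.RawURLEncoding.EncodeToString(i.Bytes())
}

// GenerateServiceAccountKey creates the RS256 key pair on the machine that will
// hold it, which is where a service account's key should be generated.
func GenerateServiceAccountKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PrivateJWK returns the full private key in the layout mkjwk.org shows. This is
// the secret the client signs assertions with; it never goes into PingAM.
func PrivateJWK(key *rsa.PrivateKey) map[string]string {
	return map[string]string{
		"kty": "RSA", "use": "sig", "alg": "RS256",
		"n":  b64uint(key.N),
		"e":  b64uint(big.NewInt(int64(key.E))),
		"d":  b64uint(key.D),
		"p":  b64uint(key.Primes[0]),
		"q":  b64uint(key.Primes[1]),
		"dp": b64uint(key.Precomputed.Dp),
		"dq": b64uint(key.Precomputed.Dq),
		"qi": b64uint(key.Precomputed.Qinv),
	}
}

// PublicJWKS wraps only the public members (n, e) in a "keys" array. This is the
// only form that belongs in the Trusted JWT Issuer's JWK Set field.
func PublicJWKS(key *rsa.PrivateKey) map[string][]map[string]string {
	return map[string][]map[string]string{"keys": {{
		"kty": "RSA", "use": "sig", "alg": "RS256",
		"n":   b64uint(key.N),
		"e":   b64uint(big.NewInt(int64(key.E))),
	}}}
}

// ParsePublicJWK is the verifier's side of PublicJWKS for one key. It also catches
// the common mistake of pasting the whole mkjwk output, private exponent included.
func ParsePublicJWK(jwk map[string]string) (*rsa.PublicKey, error) {
	if _, leaked := jwk["d"]; leaked {
		return nil, fmt.Errorf("refusing JWK that contains the private exponent d")
	}
	n, err := base64.RawURLEncoding.DecodeString(jwk["n"])
	if err != nil {
		return nil, err
	}
	e, err := base64.RawURLEncoding.DecodeString(jwk["e"])
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

func main() {
	key, err := GenerateServiceAccountKey()
	if err != nil {
		panic(err)
	}
	priv, _ := json.MarshalIndent(PrivateJWK(key), "", "    ")
	pub, _ := json.MarshalIndent(PublicJWKS(key), "", "    ")
	fmt.Println("private JWK (keep with the client):\n" + string(priv))
	fmt.Println("public JWK Set (paste into the Trusted JWT Issuer):\n" + string(pub))
}
```

Run it with `go run` and paste only the second JSON document into PingAM; the first is the secret the Postman request (or any other client) signs with.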

Next we can create the Trusted JWT Issuer.

  1. Connect to your PingAM instance and log in as an admin user.
  2. Go to Applications -> OAuth 2.0 -> Trusted JWT Issuer and click Add Trusted JWT Issuer agent.
  3. Provide the following values and click Create.

     | Key        | Value                                |
     |------------|--------------------------------------|
     | Agent ID   | d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6 |
     | JWT Issuer | d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6 |

  4. Provide the following values and click Save Changes.

     | Key              | Value                                |
     |------------------|--------------------------------------|
     | JWK Set          | the public JWK Set created above     |
     | Allowed Subjects | d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6 |

The JWT Issuer value is what the assertion's iss claim must equal and Allowed Subjects is the list its sub claim must appear in, which is why the same identifier is used for both here. The JWK Set is the only key material AM needs: it verifies the assertion's signature against it, so the private key never leaves the client.

Example JWT Trusted Issuer

Get an Access Token

For this we need to fork the Postman collection at https://www.postman.com/nirving/pingam/collection/v5rxj4t/service-account?action=share&creator=761710&active-environment=761710-8d8b3e02-a9bb-4ed1-af41-4cc75a7faeed

  1. Select the get PostMan Lib code request and click Send.

  2. Update the value of AUD to the correct token endpoint for your realm, for example https://fram.example.com/openam/oauth2/access_token. The assertion's aud claim has to identify the token endpoint it is sent to (RFC 7523), so an assertion minted for one AM instance is not usable against another.

  3. When done, click Send and the following should be returned.

```json
{
    "access_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiIvYXBYSkQ5RWp2MWV1VXZpdGcyMjNVVkdWRFU9IiwiYWxnIjoiUlMyNTYifQ.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.CYHjnNHhMY2g91NlJl0wjXcRMGe0wT74E43PVDecrGwJ8BBME02gSNHJDYcuR3ndph3u10Jlrq3lFsSL3hbceRoUgOP0Xzi5ReMLaDZJrONT0cwTe9hsmg9ePkohMDPlRdjvrYcWBom8s6Ls4E2S2cZ-Tv3SJrJ7IUvvndma4U-J7iIhhz1i3r3ulyxElIuMBA40ngRQkt9zrI77qRRkgU9l4Rsh1uDy3S2HCcVTGVCw_4P9L3cDvlAeaW3YQ9Q2OwIjWtBonEMpgTefryE6Gpa6Rx7BHyyM641CyGsDZ3fYsLrpDgb5RUX6awGlXAZ2HnzBZiyEj5dmth71KaAqQA",
    "scope": "fr:idm:*",
    "token_type": "Bearer",
    "expires_in": 3599
}
```

Example of Postman getting an Access Token!
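What the Postman request has to produce, written out as an added example that is not part of this post or of the Postman collection, in Go with only the standard library: the RS256-signed JWT bearer assertion (iss and sub set to the agent ID configured above, aud set to the token endpoint), the checks the token endpoint applies against the Trusted JWT Issuer configuration before it will issue an access token, and the form body of the token request. The host name fram.example.com is taken from the AUD example above and is a placeholder; sending the scope explicitly in the form body is an assumption, and the in-memory key stands in for the private JWK saved earlier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Values from the walkthrough above; the AM host name is an assumption.
const (
	serviceAccountID = "d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6"
	tokenEndpoint    = "https://fram.example.com/openam/oauth2/access_token"
	clientID         = "service-account"
	requestedScope   = "fr:idm:*"
)

func segment(v any) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

// BuildAssertion signs the JWT bearer assertion (RFC 7523): iss and sub are the
// Trusted JWT Issuer's agent ID, aud is the token endpoint it will be sent to,
// and exp keeps it usable for a few minutes only.
func BuildAssertion(key *rsa.PrivateKey, now time.Time, jti string) (string, error) {
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	claims := map[string]any{
		"iss": serviceAccountID, "sub": serviceAccountID, "aud": tokenEndpoint,
		"iat": now.Unix(), "exp": now.Add(3 * time.Minute).Unix(), "jti": jti,
	}
	signingInput := segment(header) + "." + segment(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAssertion applies the checks the token endpoint makes against the Trusted
// JWT Issuer: RS256 signature over its JWK Set (the algorithm is fixed here, so an
// "alg":"none" header cannot bypass it), iss == JWT Issuer, sub in Allowed Subjects,
// aud == this endpoint, exp still in the future.
func VerifyAssertion(pub *rsa.PublicKey, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	payload, errPayload := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errPayload != nil {
		return nil, fmt.Errorf("JWT segment is not base64url")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	iss, _ := claims["iss"].(string)
	sub, _ := claims["sub"].(string)
	aud, _ := claims["aud"].(string)
	exp, _ := claims["exp"].(float64)
	switch {
	case iss != serviceAccountID:
		return nil, fmt.Errorf("iss is not the configured JWT Issuer")
	case sub != serviceAccountID:
		return nil, fmt.Errorf("sub is not in Allowed Subjects")
	case aud != tokenEndpoint:
		return nil, fmt.Errorf("aud is not this token endpoint")
	case int64(exp) <= now.Unix():
		return nil, fmt.Errorf("assertion has expired")
	}
	return claims, nil
}

// TokenRequestBody is the form body POSTed to the token endpoint; no client secret is sent.
func TokenRequestBody(assertion string) string {
	form := url.Values{}
	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	form.Set("client_id", clientID)
	form.Set("assertion", assertion)
	form.Set("scope", requestedScope) // assumption: scope is requested explicitly
	return form.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the stored private JWK
	assertion, _ := BuildAssertion(key, time.Now(), "example-jti-1")
	fmt.Println("POST " + tokenEndpoint)
	fmt.Println(TokenRequestBody(assertion))
}
```

The printed body is exactly what goes over the wire as application/x-www-form-urlencoded; the response, on success, is the access_token document shown above. The short exp and fresh jti per request matter because the assertion is a bearer credential until it expires.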

Conclusion

This covers the Service Account basics. In the next post we will add support for custom scopes and show how to assign them to individual Service Accounts.
