PingOne Advanced Identity Cloud allows the creation of Service Accounts to access its services, but the process is hidden behind its root realm. This post is an attempt to replicate that process in PingAM so that you can understand how to replicate it yourself if required.
## Create a Service Account

For this we need to create an OAuth2 Client in the root realm that has:

- a Public Client Type,
- our required scopes,
- a JWT Bearer Grant Type,
- a private_key_jwt Token Endpoint Authentication Method.
To do that, perform the following steps:

- Connect to your PingAM instance and log in as an admin user.
- Go to Applications -> OAuth 2.0 -> Clients and click Add Client.
- Provide the following details and click the Create button.

  Key | Value |
  ---|---|
  Client ID | service-account |
  Scope(s) | fr:idm:* |

- On the Core tab provide the following details and click Save Changes.

  Key | Value |
  ---|---|
  Client Type | Public |

- In the Advanced tab provide the following details and click Save Changes.

  Key | Value |
  ---|---|
  Grant Types | JWT Bearer |
## Create a Trusted JWT Issuer

For this we need to generate a JWKS so that we can use the Public Key in the Trusted JWT Issuer being generated. Go to https://mkjwk.org/, select the following values and then click Generate.

Key | Value |
---|---|
Key Size | 2048 |
Key Usage | Signature |
Algorithm | RS256:RSA |

We will use the Private Key in the Postman request later. The key pair shown below is the one generated for this post and is now public; generate a fresh pair for your own instance.
```json
{
  "p": "8lQvHToOl4D48pRnva_CXNBbhMt-5ctgDBy3cATu3rDYY8ohdv-2wvR0ldQatHF32OVTGlPDgjpoFbl4slPlM89EfVEerhfSBodfLtO7ZXZdStFWSbyd5JtqIyofSpVUfW1nVBqaVG3SH8Z01O3zoIMjMSxKKY5-1P46KNr72Tk",
  "kty": "RSA",
  "q": "3ZqYHsyQbaDwuhtDd7iIoV9b6870kXSP_ldKHopteioPDMmNY1ADyWc_iOrUlFr8AX517X-8oY-qgYdXqCafaBJkGjDHzQ7N6lIdkUa178ArH61rOjPeiQKhz_0_y2INMfbOZ0CYILl698g6gnu6AQSOLlKCb1eRNEYgzwtAD0k",
  "d": "bn2veNUlEBOFqii2wF6iBTtbvoXQpE0z6oqCrUyWY7U87fySjeyvv4zH0s76rv2m6Rw0N56mzhVyq_KfB1oW4V411_qHPyT_XeTCfUYXvIyQ3vPsw581T7if9jB4GvQ4Y2E51j_rFKoDF123ukBZmgkTjRcvsfTTpvvr0H-GgPc1mw6lKUwoCZlsjSuWE5_4xqcgUnetvRbdWeWYPkH2ZIMu43i8KS8dYh5UlN_wUJWEBZid9cA6Kwq4q9VD2jpy-xMpHRAa8HvWoUaXNwxAdEMOfDlnE3l__UweBEs7tjQpLHv9Qvya5GY4k83RSHgSbGVFBtUp5vLyaNqlCxZKAQ",
  "e": "AQAB",
  "use": "sig",
  "qi": "l8CIew3kKRvec7ddzeg3bpP5i01Rtoh6M9i0_duZP80kDFqgRYCO-h-F6dWpRTtwtMZCP68vBVcAOPIDsAGpM-keF8EaFaSiuZbm66-qd266ojYD6yBsZl9VPwlSVJp5UFk0E3OOwa5xYoI1XMb83XlGO4_qWSHtuJPPfHyxVKo",
  "dp": "s6apjxddfgBFj0Fqb3v_seNeFeLvXtkZiaE4dTmTBVFB-yj9CkWlbn7gd7tZWPDOEuRgaaIzzTYTuBdaXYpI39IHSoh7IEHUmLZ_YC3kPeI0Y6UyPVQyEisN0qgFrrtqedpDwlw-kd0g7CGqt7j45sSRsIDPMmPLr4gSAfvmvjE",
  "alg": "RS256",
  "dq": "AS74LQHuq4c2gefvXk5P_Hyj4wiB6dzzf-o7bRpUJ1jeJ7VT2fntaz_v6O1IIVqzCdcBDjmmaj54LKTqZO1_4HBotHMaPhAcLWou2j3EbvlZwZuNfQwV3ilzb8bsdkuZwnCM_aQsq9ARxgz9swCyJ5s8nya1p56SGfNd7X0j5HE",
  "n": "0cUDT7YuMiLtacUI6D_axU4kYcizPs_yLLi5_dvWWp7iibYU17XxBX3jo2FWqb1b8viQbrooyxxsdjhxY-qg-3gxSb9Tqi8YZ7xedxNRmHICVwKjU5AsfO3nEs9l1QTy8eRVIbYWV15UX-FC6_Ke1qsVdo64GmAIv90EbExY_tzmUPAsICRW_QWLgu_BpxtTbjAqIjF-pEuaF3ny-K8k312HDVyfHcyDljp8-3uS9mGdPuru5XalkFLPqc8a70NEpqw97IWKC-sLHEUavSVFUSNIQfGnobPs7RoYLW6hODnfGIu2AlZ0NjNhb4ae8xd-UohjUp270GJz6FDd9MtIQQ"
}
```
Take the Public Key and wrap it as follows:

```json
{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "alg": "RS256",
      "n": "0cUDT7YuMiLtacUI6D_axU4kYcizPs_yLLi5_dvWWp7iibYU17XxBX3jo2FWqb1b8viQbrooyxxsdjhxY-qg-3gxSb9Tqi8YZ7xedxNRmHICVwKjU5AsfO3nEs9l1QTy8eRVIbYWV15UX-FC6_Ke1qsVdo64GmAIv90EbExY_tzmUPAsICRW_QWLgu_BpxtTbjAqIjF-pEuaF3ny-K8k312HDVyfHcyDljp8-3uS9mGdPuru5XalkFLPqc8a70NEpqw97IWKC-sLHEUavSVFUSNIQfGnobPs7RoYLW6hODnfGIu2AlZ0NjNhb4ae8xd-UohjUp270GJz6FDd9MtIQQ"
    }
  ]
}
```
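As an added example, not code from the post, the following Go program does both halves of this step: it generates a 2048-bit RSA key pair in place of the mkjwk.org step, wraps the public half into the same `{"keys": [...]}` shape shown above (and nothing else, so none of the private members d, p, q, dp, dq or qi can end up in the JWK Set field), and parses such a set back into an RSA public key, which is what the Trusted JWT Issuer has to do when it loads the JWK Set. The function names are mine.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url

// publicJWKS wraps the public half of an RSA key the way the post wraps it
// for the Trusted JWT Issuer: a "keys" array holding kty, e, use, alg and n.
// The private members of the mkjwk.org output (d, p, q, dp, dq, qi) are
// deliberately absent; only the signing side ever holds them.
func publicJWKS(pub *rsa.PublicKey) string {
	jwk := map[string]string{
		"kty": "RSA",
		"e":   b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		"use": "sig",
		"alg": "RS256",
		"n":   b64.EncodeToString(pub.N.Bytes()),
	}
	out, _ := json.MarshalIndent(map[string][]map[string]string{"keys": {jwk}}, "", "  ")
	return string(out)
}

// publicKeyFromJWKS does what the issuer does when it loads the JWK Set:
// take the first RSA signing key and rebuild the public key from n and e.
func publicKeyFromJWKS(jwks string) (*rsa.PublicKey, error) {
	var set struct {
		Keys []struct{ Kty, Use, N, E string } `json:"keys"`
	}
	if err := json.Unmarshal([]byte(jwks), &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kty != "RSA" || (k.Use != "" && k.Use != "sig") {
			continue // not usable for verifying RS256 signatures
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("JWK has invalid base64url in n or e")
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA signing key in JWK Set")
}

func main() {
	// Generated here in place of the mkjwk.org step (2048-bit, used for RS256).
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println(publicJWKS(&key.PublicKey)) // paste this into the JWK Set field
}
```

Running it prints a fresh JWK Set in the same form as the one above; the parser also reads the post's own JWK Set back to a 2048-bit key with the usual exponent 65537 (AQAB).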
Next we can create the Trusted JWT Issuer.

- Connect to your PingAM instance and log in as an admin user.
- Go to Applications -> OAuth 2.0 -> Trusted JWT Issuer and click Add Trusted JWT Issuer agent.
- Provide the following values and click Create.

  Key | Value |
  ---|---|
  Agent ID | d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6 |
  JWT Issuer | d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6 |

- Provide the following values and click Save Changes.

  Key | Value |
  ---|---|
  JWK Set | Use the Public Key created above |
  Allowed Subjects | d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6 |
## Get an Access Token

For this we need to fork https://www.postman.com/nirving/pingam/collection/v5rxj4t/service-account?action=share&creator=761710&active-environment=761710-8d8b3e02-a9bb-4ed1-af41-4cc75a7faeed

- Select the get PostMan Lib code request and click Send.
- Update the value for AUD to be the correct value for accessing your realm. An example is https://fram.example.com/openam/oauth2/access_token
- When done click the Send button and the following should be returned.

```json
{ "access_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiIvYXBYSkQ5RWp2MWV1VXZpdGcyMjNVVkdWRFU9IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIodXNyIWQ0ZjE0YzI2LTNkOWItNDdlZC05ZGNiLWIyY2U2MmM1NWFmNikiLCJjdHMiOiJPQVVUSDJfU1RBVEVMRVNTX0dSQU5UIiwiYXVkaXRUcmFja2luZ0lkIjoiZWIyNmMwYTktYTI4Zi00ZTFkLTk1M2QtNDdjMzkwNGI4MDUwLTMxMjkiLCJzdWJuYW1lIjoiZDRmMTRjMjYtM2Q5Yi00N2VkLTlkY2ItYjJjZTYyYzU1YWY2IiwiaXNzIjoiaHR0cHM6Ly9mcmFtLmNvbm5lY3RpZC5kYXJrZWRnZXMuY29tL29wZW5hbS9vYXV0aDIiLCJ0b2tlbk5hbWUiOiJhY2Nlc3NfdG9rZW4iLCJ0b2tlbl90eXBlIjoiQmVhcmVyIiwiYXV0aEdyYW50SWQiOiJqYmZVaE13a1UwM250cFNHb2RMMjNmLWpTZUUiLCJhdWQiOiJzZXJ2aWNlLWFjY291bnQiLCJuYmYiOjE3Mzc5MzYyNjcsImdyYW50X3R5cGUiOiJ1cm46aWV0ZjpwYXJhbXM6b2F1dGg6Z3JhbnQtdHlwZTpqd3QtYmVhcmVyIiwic2NvcGUiOlsiZnI6aWRtOioiXSwiYXV0aF90aW1lIjotMSwicmVhbG0iOiIvY29ubmVjdGlkIiwiZXhwIjoxNzM3OTM5ODY3LCJpYXQiOjE3Mzc5MzYyNjcsImV4cGlyZXNfaW4iOjM2MDAsImp0aSI6IjA3MWxXRkpCNktaZWkyNWFkd29pbVZ5Zm9CayJ9.CYHjnNHhMY2g91NlJl0wjXcRMGe0wT74E43PVDecrGwJ8BBME02gSNHJDYcuR3ndph3u10Jlrq3lFsSL3hbceRoUgOP0Xzi5ReMLaDZJrONT0cwTe9hsmg9ePkohMDPlRdjvrYcWBom8s6Ls4E2S2cZ-Tv3SJrJ7IUvvndma4U-J7iIhhz1i3r3ulyxElIuMBA40ngRQkt9zrI77qRRkgU9l4Rsh1uDy3S2HCcVTGVCw_4P9L3cDvlAeaW3YQ9Q2OwIjWtBonEMpgTefryE6Gpa6Rx7BHyyM641CyGsDZ3fYsLrpDgb5RUX6awGlXAZ2HnzBZiyEj5dmth71KaAqQA", "scope": "fr:idm:*", "token_type": "Bearer", "expires_in": 3599 }
```
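What the Postman request does behind that Send button is build a signed JWT and post it as a JWT-bearer grant. The Go program below, added here and not part of the post or of the Postman collection, shows that exchange end to end: it signs the assertion with the private key (iss and sub set to the Agent ID, aud set to the AUD value from above), runs the issuer-side checks that the Trusted JWT Issuer's JWT Issuer, Allowed Subjects and JWK Set fields configure (algorithm, signature, issuer/subject, audience, expiry), and builds the form body of the token request. The grant_type URN is the one that appears in the decoded access token above; the five-minute lifetime, the jti claim and the client_id form field are my choices, the function names are mine, and the key is generated at run time instead of coming from mkjwk.org.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Values from the post. The key is generated at run time in place of the
// mkjwk.org private key; the token endpoint is the post's example AUD value.
const (
	agentID       = "d4f14c26-3d9b-47ed-9dcb-b2ce62c55af6" // JWT Issuer and Allowed Subject
	tokenEndpoint = "https://fram.example.com/openam/oauth2/access_token"
	clientID      = "service-account"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url

// signedAssertion builds the JWT-bearer assertion the Postman request sends:
// iss and sub are the Agent ID, aud is the token endpoint, signed RS256
// (PKCS#1 v1.5 over SHA-256) with the private key.
func signedAssertion(key *rsa.PrivateKey, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": agentID, "sub": agentID, "aud": tokenEndpoint,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), // one request's worth of lifetime
		"jti": b64.EncodeToString(jti), // unique per assertion, so a replay can be spotted
	})
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyAssertion applies the checks the Trusted JWT Issuer makes before a
// token is issued, using the public key from its JWK Set: alg pinned to RS256,
// valid signature, iss/sub equal to the Allowed Subject, aud equal to this
// token endpoint, and exp still in the future.
func verifyAssertion(assertion string, pub *rsa.PublicKey, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	rawHeader, _ := b64.DecodeString(parts[0])
	var header struct{ Alg string }
	if json.Unmarshal(rawHeader, &header) != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", header.Alg) // the token never picks the algorithm
	}
	sig, _ := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify against the JWK Set")
	}
	rawClaims, _ := b64.DecodeString(parts[1])
	var claims map[string]interface{}
	if json.Unmarshal(rawClaims, &claims) != nil {
		return nil, fmt.Errorf("unreadable claims")
	}
	if claims["iss"] != agentID || claims["sub"] != agentID || claims["aud"] != tokenEndpoint {
		return nil, fmt.Errorf("iss/sub is not the Allowed Subject or aud is not this endpoint")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("assertion expired or has no exp")
	}
	return claims, nil
}

// tokenRequestBody is the form body POSTed to the token endpoint; the grant
// type URN is the one visible in the post's decoded access token.
func tokenRequestBody(assertion string) string {
	return url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"client_id":  {clientID},
		"assertion":  {assertion},
		"scope":      {"fr:idm:*"},
	}.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	assertion, _ := signedAssertion(key, time.Now())
	_, err := verifyAssertion(assertion, &key.PublicKey, time.Now())
	fmt.Println("issuer-side check:", err) // <nil> means the token would be issued
	fmt.Println("POST", tokenEndpoint, tokenRequestBody(assertion))
}
```

The verifier side is where the security of the Service Account lives: it pins the algorithm instead of trusting the token's own alg header, checks the signature against the key from the JWK Set before reading any claim, and rejects an assertion signed by a different key, addressed to a different endpoint, or past its exp, which is why the Agent ID, Allowed Subjects and AUD values above all have to line up.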
## Conclusion
This illustrates the Service Account basics. In the next post we will add support for Custom Scopes and how to assign them to individual Service Accounts.