Working with grants


Grants

Grants allow you to assign scopes to an application. For example, a request to the POST /environments/{envId}/applications/{appId}/grants endpoint specifies the application ID in the request URL, which designates the application to which the resource access grant is applied. The request body specifies the resource ID (the resource associated with the application) and the list of scope IDs to associate with the application.

Important: If you do not assign at least one scope to your application through a resource access grant, the application cannot access any resources. Furthermore, its client_id and client_secret property values cannot be used to generate access tokens for the application.

Get resource access grants

The GET /environments/{envId}/applications/{appId}/grants endpoint returns a list of all grants associated with the specified application resource.

curl -X "GET" "https://api.pingone.com/v1/environments/0bda42bc-d54f-449f-8d46-d5b8990c43ba/applications/4d5293f4-08a0-4fc6-a767-bf049230f5fe/grants" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken'

The response data looks like this:

{
    "_links": {
        "self": {
            "href": "https://api.pingone.com/v1/environments/0bda42bc-d54f-449f-8d46-d5b8990c43ba/applications/4d5293f4-08a0-4fc6-a767-bf049230f5fe/grants"
        }
    },
    "_embedded": {
        "grants": []
    },
    "count": 0,
    "size": 0
}

To get data for a single grant associated with a specified application resource, use the GET /environments/{envId}/applications/{appId}/grants/{id} operation, which returns data for the grant resource with the specified ID.

curl -X GET "https://api.pingone.com/v1/environments/0bda42bc-d54f-449f-8d46-d5b8990c43ba/applications/4d5293f4-08a0-4fc6-a767-bf049230f5fe/grants/{id}" \
-H "Content-type: application/json" \
-H "Authorization: Bearer jwtToken"

Granting scopes to an application

Note: This operation is not supported in this release.

The following sample shows the POST /environments/{envId}/applications/{appId}/grants operation to assign scopes to an application.

curl -X "POST" "https://api.pingone.com/v1/environments/58f92121-b753-4e7e-8d82-23b5bf80efe5/applications/{appId}/grants/" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
  "resource": {
    "id": "{resourceID}"
  },
  "scopes": [ "{scopeID}", ... ]
}'

You can call GET /environments/{envId}/resources to get a list of resource IDs associated with the specified environment. In addition, you can call GET /environments/{envId}/scopes to get a list of scope IDs for the specified environment.

Note: When making an OAuth request, only self scopes are included in the access token when using the IMPLICIT or AUTHORIZATION_CODE grant types (for example, p1:read:self:user and p1:update:self:user). Only the environment scopes (non-self scopes) are included in the access token when using the CLIENT_CREDENTIALS grant type. For more information about grant types, see Getting started.
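
The note above determines which granted scopes actually reach an access token, so a grant can exist without ever being usable. The following added example (not part of the PingOne documentation) applies that rule to a grants list response to flag applications with no grants and scopes that no configured grant type can issue. It assumes each grant object carries the same resource and scopes fields as the request body above, that scope IDs have already been mapped to names, and that a self scope has a "self" segment in its name; all IDs and the example:read:reports scope are constructed.

```python
# Added example; all IDs and the "example:read:reports" scope are constructed.
SELF_ONLY = {"IMPLICIT", "AUTHORIZATION_CODE"}  # tokens carry self scopes only
ENV_ONLY = {"CLIENT_CREDENTIALS"}               # tokens carry environment scopes only

def is_self_scope(name):
    # Assumption: a self scope has a "self" segment, as in p1:read:self:user.
    return "self" in name.split(":")

def granted_scope_names(grants_response, scope_names):
    """Collect the scope names of every grant under _embedded.grants."""
    names = set()
    for grant in grants_response.get("_embedded", {}).get("grants", []):
        for scope_id in grant.get("scopes", []):
            # Unmapped IDs stay visible instead of being silently dropped.
            names.add(scope_names.get(scope_id, "unknown:" + scope_id))
    return names

def token_scopes(grants_response, scope_names, grant_type):
    """Scopes that would appear in an access token for one grant type."""
    granted = granted_scope_names(grants_response, scope_names)
    if grant_type in SELF_ONLY:
        return sorted(n for n in granted if is_self_scope(n))
    if grant_type in ENV_ONLY:
        return sorted(n for n in granted if not is_self_scope(n))
    raise ValueError("unhandled grant type: " + grant_type)

def audit(grants_response, scope_names, app_grant_types):
    """Findings: no grants at all, or grants no configured grant type can use."""
    granted = granted_scope_names(grants_response, scope_names)
    if not granted:
        return ["no scopes granted: application cannot access any resources"]
    usable = set()
    for grant_type in app_grant_types:
        usable.update(token_scopes(grants_response, scope_names, grant_type))
    return ["granted but never issued: " + n for n in sorted(granted - usable)]

# Constructed sample input: scope ID -> name map and two grants responses.
SCOPE_NAMES = {"s1": "p1:read:self:user", "s2": "p1:update:self:user",
               "s3": "example:read:reports"}
EMPTY = {"_embedded": {"grants": []}, "count": 0, "size": 0}
SAMPLE = {"_embedded": {"grants": [
    {"resource": {"id": "res-1"}, "scopes": ["s1", "s2", "s3"]}]},
    "count": 1, "size": 1}

if __name__ == "__main__":
    for finding in audit(SAMPLE, SCOPE_NAMES, ["CLIENT_CREDENTIALS"]):
        print(finding)
```

A non-empty result for an application that only uses CLIENT_CREDENTIALS means its grant holds self scopes that can be removed without changing the tokens it receives.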