This activity shows you how to create a custom resource and a custom resource scope, initiate an authorization request, and use the flow APIs to get a token that allows access to the custom resource.

The following operations are supported by the PingOne APIs:

Workflow order of operations

To get an access token for the custom resource, the following tasks must be completed successfully:

  1. Make a POST request to /environments/{{envID}}/applications to add a new application to the specified environment.

  2. Make a GET request to /environments/{{envID}}/applications/{{appID}}/secret to return the new application’s secret attribute, which is needed for the token request.

  3. Make a POST request to /environments/{{envID}}/resources to define the custom resource.

  4. Make a POST request to /environments/{{envID}}/resources/{{resourceID}}/scopes to define a scope for the custom resource.

  5. Make a POST request to /environments/{{envID}}/applications/{{appID}}/grants to create a new resource access grant for the application.

  6. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.

  7. Make a POST request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions to define the login action associated with this sign-on policy.

  8. Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate the sign-on policy with the application.

  9. Make a POST request to /environments/{{envID}}/populations to create a new population.

  10. Make a POST request to /environments/{{envID}}/users to create a user who will be assigned to the new population.

  11. Make a POST request to /environments/{{envID}}/users/{{userID}}/password to set the new user’s password.

  12. Make a GET request to /{{envID}}/as/authorize to obtain an authorization grant. This request starts the authorization flow.

  13. Make a GET request to /{{envID}}/flows/{{flowID}} to initiate the sign-on flow.

  14. To complete the login action, make a POST request to GET /{{envID}}/flows/{{flowID}} and provide the user’s login credentials.

  15. Make a GET request to /{{envID}}/as/resume?flowId={{flowID}} to call the resume endpoint and return the auth code.

  16. Make a POST request to /{{envID}}/as/token to exchange the auth code for an access token.

  17. To verify that the token grants access to the new custom resource, make a POST request to GET /{{envID}}/as/introspect to return the audience and scope information in the token.

Click the Run in Postman button below to download the Postman collection for this use case.

Run in Postman