Application resources define the connection between PingOne and the actual application (also known as a client connection). PingOne supports several application types. When you make a request to define a new application, you must specify the type property that specifies one of the following application types:
Web application
A browser-based application with a server-side component, such as ASP, CGI, JSP/Java, Node.js, or Ruby on Rails applications.
Native application
An application that is installed and run directly on the local operating system, like Java, Objective-C, Swift, or React applications. Native applications are typically intended for native devices.
Single page application
A browser-based application that runs on the front-end with no server-side component, such as Sencha Touch, AngularJS, and React applications. A single page application runs on the client side after it loads, so it cannot keep a client secret.
Non-interactive
A web application that does not require user interaction through the web browser, like a command line interface, a service, or a daemon.
Worker
An administrator application that can interact with platform APIs. Access to platform APIs is determined by the user’s or application’s role assignments.
Platform applications
PingOne creates platform applications (PingOne Admin Console, PingOne Application Portal, PingOne Self-Service - MyAccount, and PingFederate-SSO) when the environment is created. The PingFederate-SSO platform application is created only if the PingOne environment includes PingFederate, and unlike the other platform applications, PingFederate-SSO application information is not returned through a GET request.
The type of application specified determines several key properties, including the resource grant type that can be applied to the application. For example, the following table shows the relationships between the application type attribute and the default grantTypes, response_type, and tokenEndpointAuthMethod attributes.
| Application type | Grant type | Response type | Token endpoint authentication method |
|---|---|---|---|
| Worker/Non-interactive | CLIENT_CREDENTIALS | TOKEN | CLIENT_SECRET_BASIC |
| Native | AUTHORIZATION_CODE, IMPLICIT | TOKEN, ID_TOKEN, CODE | NONE |
| Web | AUTHORIZATION_CODE | CODE | CLIENT_SECRET_BASIC |
| Single-page | IMPLICIT | TOKEN, ID_TOKEN | NONE |
The base endpoint, /environment/{{envID}}/applications, provides endpoint operations to create, read, update, and delete OIDC and SAML application connections. There are POST request examples to show the required properties to create each type of application connection. For more information, see Application Operations.
The secret endpoint, /environments/{{envID}}/applications/{{appID}}/secret, provides endpoint operations to read and update the application’s secret, if the requesting actor has a superset of the application’s role assignments. For more information, see Application Secret.
Applications support the following additional configuration properties:
Application resource grants
The application resource grants endpoint, /environments/{{envID}}/applications/{{appID}}/grants, provides endpoint operations to create, read, update, and delete the resource grant associated with the application connection. For more information, see Application Resource Grants.
Application sign-on policy assignments
The application sign-on policy assignments endpoint, /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments, provides endpoint operations to create, read, update, and delete the sign-on policies associated with the application connection. For more information, see Application Sign-On Policy Assignments.
Application role assignments
The application role assignments endpoint, /environments/{{envID}}/applications/{{appID}}/roleAssignments, provides endpoint operations to create, read, update, and delete the role assignments associated with the application connection. For more information, see Application Role Assignments.
Application attribute mapping
The application attribute mapping endpoint, /environments/{{envID}}/applications/{{appID}}/roleAssignments, lets you customize the content of an ID token or a SAML assertion by adding custom attributes and their values. For more information, see Application Attribute Mapping.
Application MFA push credentials
Push credentials are required for sending push notifications to a native application. The endpoint, /environments/{{envID}}/applications/{{appID}}/pushCredentials, provides endpoint operations to create, read, update, and delete the push credentials associated with the application connection. This section provides examples for both APNS and FCM push credential types. For more information, see Application MFA Push Credentials.