A resource entity in PingOne can be one of the following types: `OPENID_CONNECT`, `PING_ONE_API`, or `CUSTOM`. Only the `CUSTOM` resource type can be created. The `OPENID_CONNECT` type specifies the built-in platform resource for OpenID Connect. The `PING_ONE_API` type specifies the built-in platform resource for PingOne. When you define an application in PingOne and specify its resource grant, you identify the protected endpoints that users can access when they sign on to that application.
For custom resources, the Resources service models external resource servers that use PingOne to protect their APIs. The custom resource is the audience of access tokens generated by PingOne. For example, an application called Photo Archive uses a resource grant to the server, https://api.photoarchive.com, that provides APIs for users to interact with their photos. You can use the PingOne resources service to define https://api.photoarchive.com as a custom resource and specify the scopes (permissions) that users get from authenticating and receiving an access token. In this scenario, when a user signs on, the PingOne authorization server returns an access token, giving the user permissions associated with the custom resource, such as `permission:view-photos`, `permission:upload-photos`, `permission:edit-photos`, or `permission:delete-photos`.
You need the Environment Admin or the Client Application Developer role to perform operations on resources.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
`accessTokenValiditySeconds` | Integer | Required | Mutable | The number of seconds that the access token is valid. If a value is not specified, the default is 3600. The minimum value is 300 seconds (5 minutes); the maximum value is 2592000 seconds (30 days). |
`audience` | String | Required | Mutable | A URL without a fragment or “@ObjectName” that does not contain “pingone” or “pingidentity” (for example, https://api.myresource.com). If a URL is not specified, the resource name is used. The value that you set here is returned in the audience claim in the token. For more information, see Token Introspection (Resource ID and Secret). |
`createdAt` | Date | N/A | Read only | The time the resource was created. |
`description` | String | Optional | Mutable | Description of the resource. |
`environment.id` | String | Required | Immutable | The environment resource’s unique identifier associated with the resource. |
`id` | String | Required | Immutable | The resource’s unique identifier. |
`name` | String | Required | Immutable | The resource name, which must be provided and must be unique within an environment. |
`introspectEndpointAuthMethod` | String | Required | Mutable | The client authentication methods supported by the token endpoint. Options are `NONE`, `CLIENT_SECRET_BASIC`, `CLIENT_SECRET_POST`, `CLIENT_SECRET_JWT`, and `PRIVATE_KEY_JWT`. Applicable only to custom resources. |
`type` | String | Required | Mutable | The type of resource. Options are `OPENID_CONNECT`, `PING_ONE_API`, and `CUSTOM`. Only the `CUSTOM` resource type can be created. `OPENID_CONNECT` specifies the built-in platform resource for OpenID Connect. `PING_ONE_API` specifies the built-in platform resource for PingOne. |
`updatedAt` | Date | N/A | Read only | The time the resource was last updated. |
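
As an added example (not PingOne's own code), the following Python checks a custom resource definition against the constraints in the table above before it is sent to the API. The function names are hypothetical; treating any `@` as the disallowed “@ObjectName” form, matching the reserved words case-insensitively, and accepting an omitted `type` are assumptions.

```python
from urllib.parse import urlsplit

AUTH_METHODS = {"NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST",
                "CLIENT_SECRET_JWT", "PRIVATE_KEY_JWT"}
MIN_TTL, MAX_TTL, DEFAULT_TTL = 300, 2592000, 3600
RESERVED_WORDS = ("pingone", "pingidentity")


def check_audience(audience):
    """Return a list of problems with an audience URL (empty list = OK)."""
    problems = []
    parts = urlsplit(audience)
    if not parts.scheme or not parts.netloc:
        problems.append("audience is not an absolute URL")
    if "#" in audience:
        problems.append("audience must not contain a fragment")
    # Assumption: any '@' is treated as the disallowed "@ObjectName" form.
    if "@" in audience:
        problems.append("audience must not contain '@ObjectName'")
    # Assumption: the reserved-word check is case-insensitive.
    for word in RESERVED_WORDS:
        if word in audience.lower():
            problems.append(f"audience must not contain '{word}'")
    return problems


def normalize_resource(body):
    """Apply the documented defaults and return (resource, problems)."""
    res, problems = dict(body), []
    if not res.get("name"):
        problems.append("name is required")
    # Assumption: an omitted type is accepted; any other type cannot be created.
    if res.get("type", "CUSTOM") != "CUSTOM":
        problems.append("only the CUSTOM resource type can be created")
    ttl = res.setdefault("accessTokenValiditySeconds", DEFAULT_TTL)
    if (isinstance(ttl, bool) or not isinstance(ttl, int)
            or not MIN_TTL <= ttl <= MAX_TTL):
        problems.append(f"accessTokenValiditySeconds must be {MIN_TTL}..{MAX_TTL}")
    if res.get("audience"):
        problems += check_audience(res["audience"])
    else:
        res["audience"] = res.get("name")  # documented fallback to the name
    method = res.get("introspectEndpointAuthMethod")
    if method is not None and method not in AUTH_METHODS:
        problems.append(f"unknown introspectEndpointAuthMethod: {method}")
    return res, problems


if __name__ == "__main__":  # constructed sample, based on the Photo Archive example
    print(normalize_resource({"name": "Photo Archive", "audience": "https://api.photoarchive.com"}))
```
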
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
`sub` | String | Required | Mutable | The core claim for the new resource. The default value is `${user.id}`. |
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
resources | RESOURCE.CREATED |
resources | RESOURCE.UPDATED |
resources | RESOURCE.DELETED |
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
404 | The requested resource was not found. |