This project provides a sample that integrates PingAccess and PingFederate as the authorization resource server and provider for your services. The sample uses Java Spring Boot services, but the same setup works with services written in any other language, such as Node.js.

PingAccess and PingFederate are both provided as Docker containers. To start them, run `docker-compose up -d`.
You will need to create a Ping Identity DevOps account to get the credentials. Once you have the credentials, you can either use the `ping-devops` utility to provide them OR pass them in a `.env` file to the `docker-compose up -d` command.

If using the `ping-devops` utility, spin up the containers via `docker-compose --env-file ${HOME}/.pingidentity/devops up -d`.

If using environment variables, create a `.env.local` file and add the following content:

```
PING_IDENTITY_DEVOPS_USER=<user name>
PING_IDENTITY_DEVOPS_KEY=<user key>
```

and then run the command `docker-compose --env-file .env.local up -d`.
After the containers are started you can use the following credentials to log in to the admin consoles. For PingAccess, use `https://localhost:9000`. For PingFederate, use `https://localhost:9031`. The user credentials are `administrator/2FederateM0re`.
Both PingAccess and PingFederate come pre-configured with some settings. For our setup we will change some of them and also add some of our own.
Signing Certificate -- The first thing you will need is a signing certificate for your access token (PingFederate console).

1. Go to Security > Signing & Decryption Keys & Certificates
2. Create New
3. Name: Todo Cert
4. Subject Alternate Names: DNS Name -- host.docker.internal
5. Organization: any name
6. Country: US
7. Save
8. Create New
9. Name: Tweet Cert
10. Subject Alternate Names: DNS Name -- host.docker.internal
11. Organization: any name
12. Country: US
13. Save
Access Token Manager -- In order to generate tokens, you will need to define an access token manager.

1. Go to Applications > OAuth > Access Token Management
2. Create New Instance
3. Instance Name: Todo Token Management
4. Instance Id: todotokenmgmt
5. Next
6. Under Instance Configuration > Certificates, add a Key Id: todokey with Certificate: Todo Cert. Update.
7. JWS Algorithm: RSA Using SHA-256
8. Active Signing Certificate Key Id: todokey
9. Show Advanced Fields
10. Issuer Claim Value: https://pingfederate:9031
11. Audience Claim Value: :8082
12. JWKS Endpoint Path: /todoauthtoken/jwks -- This needs to be unique for each token manager.
13. Under Access Token Attribute Contract, add a new attribute to extend the USER_KEY subject.
14. Under Resource URIs, add a base resource URI, https://:3000
15. Save
16. Repeat steps 2-15 for Tweet Service.
Access Token Mapping -- This is needed to fulfill the access token attribute contracts.

1. Go to Applications > OAuth > Access Token Mappings
2. From the Context dropdown, select Client Credentials, and as Access Token Manager select one of the token managers created above.
3. Under Contract Fulfillment, select Context and ClientId in the respective dropdowns.
Clients -- Next, create the clients the services will use to obtain access tokens.

1. Go to Applications > OAuth > Clients
2. Add Client
3. Client Id: todo_client
4. Name: Todo Client
5. Client Authentication: Client Secret
6. Client Secret: Either use the Generate Secret button OR enter one.
7. Request Object Signing Algorithm: RSA Using SHA-256
8. JWKS Url: https://localhost:9031/ext/authtoken/jwks -- This is the same URL which you set in #12 under Access Token Management above.
9. Allowed Grant Types: Client Credentials
   1. You can also select Access Token Validation (Client is a resource server) if you will be using this client id for PingAccess to access PingFederate.
10. Default Access Token Manager: Todo Token Mgmt
11. Save.
12. Repeat the same for another client for tweet. #9.1 is only needed for the client to be used by PingAccess.
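As an added example (not part of the project), the script below obtains a token for one of the clients above with the client-credentials grant and checks the claims PingAccess validates against the Access Token Manager: the header `kid`, and the `iss` and `aud` claims. It assumes PingFederate's default token endpoint path `/as/token.oauth2` and GNU `base64`; the signature is not checked here, PingAccess does that using the JWKS endpoint.

```shell
#!/bin/sh
# Added example, not part of the project. Requests a token with the
# client-credentials grant and checks the claims PingAccess validates against
# the Access Token Manager: header kid, iss and aud. The signature is NOT
# verified here; PingAccess does that via the JWKS endpoint.
# Assumptions: the token endpoint is PingFederate's default /as/token.oauth2,
# and curl, GNU base64 (-d) and sed are available.

# Base64url-decode one JWT segment (JWT segments carry no '=' padding).
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Print a string-valued field from compact JSON (as PingFederate emits it).
json_str() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Compare kid/iss/aud of a JWT with the expected values; exit status 0 when
# all three match, 1 otherwise (each mismatching value is printed).
check_token() {
  tok=$1; exp_iss=$2; exp_aud=$3; exp_kid=$4; rc=0
  hdr=$(b64url_decode "${tok%%.*}")
  rest=${tok#*.}
  pl=$(b64url_decode "${rest%%.*}")
  [ "$(json_str "$hdr" kid)" = "$exp_kid" ] || { echo "kid: $(json_str "$hdr" kid)"; rc=1; }
  [ "$(json_str "$pl" iss)" = "$exp_iss" ] || { echo "iss: $(json_str "$pl" iss)"; rc=1; }
  [ "$(json_str "$pl" aud)" = "$exp_aud" ] || { echo "aud: $(json_str "$pl" aud)"; rc=1; }
  return $rc
}

# Obtain an access token for a client (-k because the PF cert is self-signed).
get_token() {
  resp=$(curl -sk -u "$1:$2" -d grant_type=client_credentials \
    https://localhost:9031/as/token.oauth2)
  json_str "$resp" access_token
}

# Usage: tok=$(get_token todo_client "$CLIENT_SECRET")
#        check_token "$tok" https://pingfederate:9031 "<audience claim value>" todokey
```

A non-zero exit from `check_token` is the quickest way to see why PingAccess rejects a token: the printed value is the claim that does not match the Access Token Manager settings.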
Token Provider -- This is already set by default in PingAccess.

1. Go to Settings > System > Token Provider.
2. The only change you need to make is to select Send Audience under OAuth Resource Server.
3. If you want to use a different client id, update the id and secret.
Virtual Host -- This is needed to access the application via PingAccess.

1. Go to Applications > Applications > Virtual Hosts
2. Add Virtual Host
3. Host: Use the same one as used on PingFederate's Access Token Manager Resource URIs tab.
4. Port: 3000 -- This is the default PingAccess application port. It can be configured on startup to a different one.
Sites -- Add your API information.

1. Go to Applications > Sites
2. Add Site
3. Name: Todo API
4. Targets: host.docker.internal:8082
5. Secure: Yes
6. Save
7. Repeat the same for Tweet API.
Application -- Add your application information.

1. Go to Applications > Applications
2. Add Application
3. Name: Todo App
4. Context Root: /todos
5. Virtual Hosts: Use the one created under the Virtual Host step.
6. Application Type: API
7. SPA Support: Checked
8. Access Validation: Token Provider
9. Destination: Site
10. Site: Select the site created under the Sites step.
11. Require HTTPS: Checked
12. Save
13. Repeat the same for Tweet App.
Since both PA and PF run inside Docker containers over HTTPS, the Spring Boot applications need their certificates in the Java trust store in order to reach them. To do so, get the certificate by running the following command (`</dev/null` closes stdin so `s_client` exits instead of waiting for input):

```shell
# For PingAccess
openssl s_client -showcerts -connect localhost:3000 </dev/null
```

Copy the content between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` (inclusive) into a file and then import that cert file into the Java trust store by running the command:

```shell
sudo keytool -import -alias pingaccess-docker -keystore /path/to/java/security/cacerts -file /path/to/cert/file/created/above
```

Do the same for the PingFederate certificate. To get the certificate:

```shell
# For PingFederate
openssl s_client -showcerts -connect localhost:9031 </dev/null
```
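The same procedure as a script, added here as an example and not part of the project: it captures the leaf certificate from the `openssl s_client` output instead of relying on a hand copy, and skips the import when the alias already exists. It assumes `TRUST_STORE` points at the cacerts file of the JDK that runs the services and that the store uses the JDK default password `changeit`.

```shell
#!/bin/sh
# Added example, not part of the project: capture the certificate a container
# presents and import it into the Java trust store without hand-copying the
# PEM block.
# Assumptions: openssl and keytool are on PATH; TRUST_STORE points at the
# cacerts file of the JDK that runs the services; its password is the JDK
# default "changeit".

# Print the first PEM certificate block (the leaf) from s_client output on stdin.
extract_first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print }
       /-----END CERTIFICATE-----/ { exit }'
}

# Save the certificate served at host:port (e.g. localhost:3000) to a file.
fetch_cert() {
  # </dev/null closes stdin so s_client exits instead of waiting for input.
  openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null \
    | extract_first_cert > "$2"
  [ -s "$2" ]   # fail if nothing was captured (container not up, wrong port)
}

# Import a certificate under an alias; a no-op if the alias already exists.
import_cert() {
  alias=$1; file=$2; store=${3:-$TRUST_STORE}
  if keytool -list -keystore "$store" -storepass changeit -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already in $store"; return 0
  fi
  keytool -import -noprompt -trustcacerts -keystore "$store" -storepass changeit \
    -alias "$alias" -file "$file"
}

# Usage (prefix import_cert with sudo when the trust store is not writable by you):
#   fetch_cert localhost:3000 pingaccess.pem   && import_cert pingaccess-docker   pingaccess.pem
#   fetch_cert localhost:9031 pingfederate.pem && import_cert pingfederate-docker pingfederate.pem
```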
Open your hosts file (`/etc/hosts`) and add the following:

```
127.0.0.1 pingfederate <...virtual hosts defined on pingaccess>
```
The logs for both PA and PF are available under the same location, `/opt/out/instance/log`, in the respective containers.
In order to run the services over HTTPS, you will need to install a certificate. For that you can make use of `mkcert`:

```shell
brew install mkcert
mkcert -install
mkcert -pkcs12 localhost 127.0.0.1 ::1 host.docker.internal
```

This will create the certificate and install it in the trusted keystore. Now create a directory named `certs` in the root folder and copy the generated certificate file to this location. When you then start any of the services in this project, they will be able to run over HTTPS.
This project contains 3 Spring Boot services.

- bff-service -- This is an aggregator service acting as a client that accesses the other services through PingAccess.
- todo-service -- Service providing APIs for Todo.
- tweet-service -- Service providing APIs for Tweet.
The config can be found under `bff-service/src/main/resources/application.yml`. The `auth` segment contains the token endpoint for PingFederate. The `audience`, `clientId` and `clientSecret` are provided under the individual service config segments such as `todo` and `tweet`.
Before starting the todo and tweet services, add a file named `application-local.yml` under `src/main/resources` with the following contents:

```yaml
trust-store:
  path: <absolute path for java trust store>
  password: <trust store password>
```
You can either use your IDE to start all the services OR start them individually from the command line using the command `gradle bootRun`.
Once the services have started, you can access them at `https://localhost:8084/bff`. When accessing it for the first time, you will see a response like this:

```json
{
  "todos": [],
  "tweets": []
}
```
To add a new todo, make the request to `https://localhost:8084/bff/todo` and provide a JSON string in the body. Similarly, use the `/bff/tweet` API to add a new tweet.