Create OAuth Clients for PTC Products
You create OAuth clients in PingFederate to serve as endpoints that PTC products connect to when obtaining or verifying access tokens. It is recommended that you create a separate OAuth client for every role that each product performs.
Prerequisite: Create an Access Token Management Instance
Access token management instances allow you to configure access token policies and attribute contracts for different OAuth clients. The access token management instance you create in the following procedure will be used for the OAuth clients you create for PTC products. For more information about access token management instances and how to configure them, see “Access token management” in the PingFederate documentation.
The following settings are recommended when creating an access token management instance for Internally Managed Reference Tokens for PTC products.
* JWT tokens with delegated OAuth work with PingFederate 11.x.x only. Encryption of JWT tokens is not supported in Windchill.
1. From the PingFederate main navigator menu, click OAuth Server > Access Token Management > Create New Instance.
2. On the Type tab:
a. Specify an instance name and ID.
b. In the Type field, select Internally Managed Reference Tokens.
c. In the Parent Instance field, select None.
3. Click Next to accept the defaults on the Instance Configuration tab.
4. On the Access Token Attribute Contract tab, add Username.
5. Click Next on the Resource URIs and Access Control tabs to accept the default settings.
The following settings are recommended when creating an access token management instance for JSON WEB TOKENS for PTC products:
1. From the PingFederate main navigator menu, click OAuth Server > Access Token Management > Create New Instance.
2. On the Type tab:
a. Specify an instance name and ID.
b. In the Type field, select JSON WEB TOKENS.
c. On the Instance Configuration tab, select Symmetric keys or Certificate for signing the JWT token.
Configurations for Symmetric keys:
1. On the Instance Configuration tab, click Add a new row to 'Symmetric Keys'. Provide details for Key ID, Key, and Encoding. For encoding, only Base64[url] is supported. Click Update.
2. Select JWS ALGORITHM. Set the value to HMAC using SHA-XXX.
3. For ACTIVE SYMMETRIC KEY ID, select the key ID that you provided in the previous step.
4. Click Show Advanced Fields.
5. Specify the values for ISSUER CLAIM VALUE and AUDIENCE CLAIM VALUE. TYPE HEADER VALUE should be set as JWT.
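The settings above (Key ID, Base64url-encoded key, HMAC signing, issuer and audience claim values, and the JWT type header) are what a service receiving these tokens has to check. The following is an added example, not code from PTC or PingFederate, of that check. It assumes HS256 as the chosen HMAC algorithm, the standard iss, aud, and exp claim names, and that the Username contract attribute appears as a claim of the same name; the key ID, key, issuer, and audience values are constructed.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed values standing in for the instance configuration (not real secrets).
KEYS = {"ptc-key-1": b64url_encode(b"constructed-demo-secret-not-real")}  # Key ID -> Base64url key
ISSUER, AUDIENCE = "https://pingfed.example.com", "ptc-resource-server"

def sign_sample(claims, kid="ptc-key-1", alg="HS256", typ="JWT"):
    """Build a constructed test token; the header fields can be overridden to test rejection."""
    header = {"alg": alg, "typ": typ, "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    mac = hmac.new(b64url_decode(KEYS[kid]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify(token, now=None):
    """Return the claims if the token matches the configured policy, else raise ValueError."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and claims must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin alg and typ to the configured values; never let the token choose the algorithm.
    if header.get("alg") != "HS256" or header.get("typ") != "JWT":
        raise ValueError("unexpected alg or typ header")
    kid = header.get("kid")
    key64 = KEYS.get(kid) if isinstance(kid, str) else None
    if key64 is None:
        raise ValueError("unknown key ID")
    expected = hmac.new(b64url_decode(key64), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("issuer or audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= (now or time.time()):
        raise ValueError("token expired or missing exp")
    if not claims.get("Username"):  # attribute added on the Access Token Attribute Contract tab
        raise ValueError("missing Username attribute")
    return claims
```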
Configurations for Certificates:
1. On the Instance Configuration tab, click Add a new row to 'Certificates'. Provide details for Key ID and Certificate. Click Update.
2. Select JWS ALGORITHM. Set the value to RSA using SHA-XXX.
3. For ACTIVE SIGNING CERTIFICATE KEY ID, select the key ID that you provided in the previous step.
4. Click Show Advanced Fields.
5. Specify the values for ISSUER CLAIM VALUE and AUDIENCE CLAIM VALUE. TYPE HEADER VALUE should be set as JWT.
6. Optionally, specify a value for the JWKS ENDPOINT PATH field. If this value is not specified here, you are required to provide the signing certificate during the delegated OAuth setup.
Prerequisite: Configure Access Token Mapping
An access token mapping is required to identify the attributes that will be provided along with access tokens. To configure this mapping for PTC products, the Username attribute must be mapped to USER_KEY. For more information about access token mapping, see “Manage access token mappings” in the PingFederate documentation.
The following settings are recommended when configuring an access token mapping for PTC products:
1. On the PingFederate main navigator menu, select OAuth Server > Access Token Mapping.
2. On the Access Token Attribute Mapping page:
a. For Context, select Default.
b. For Access Token Manager, select the access token management instance you created in the previous procedure.
c. Click Add Mapping.
3. On the Attribute Sources & User Lookup tab, click Next to accept the default settings.
4. On the Contract Fulfillment tab, for the Username contract entry, select Persistent Grant in the Source column and USER_KEY in the Value column.
5. On the Issuance Criteria tab, click Next to accept the default settings.
6. Click Done, and click Save.
You can proceed to creating an OAuth client for the PTC product in your SSO framework.