Through the Admin Interface
To set up OAuth-based authentication and authorization with Ping Identity through the Admin Interface, follow these steps:
1. Create your external security object by setting these fields on the External Security configuration page and clicking OK:

   External Security Name
       Enter a descriptive name for this external security object that identifies the external agent.
       EXAMPLE: PingIdentityExampleOAuth

   Description
       (Optional) Enter a description for this external security object.
       EXAMPLE: PingIdentity external security object for OAuth

   Authentication
       Choose oauth from the dropdown. [v11.2.0 and up] Setting this field to oauth makes the OAuth Server fields available.

   Cache Timeout
       Enter a number in seconds after which you want MarkLogic Server to re-authenticate the user with your OAuth external agent.
       EXAMPLE: 300 (default kept)
       Note: Clear the cache by calling sec:external-security-clear-cache().

   Authorization
       Choose oauth from the dropdown.

   OAuth Server fields:

   OAuth Flow Type
       Choose Resource server from the dropdown.

   OAuth Vendor
       Choose Ping Identity from the dropdown.

   OAuth Client ID
       Enter the name of the OAuth client you created.
       EXAMPLE: PingExampleClientID

   OAuth Token Type
       Choose JSON Web Tokens from the dropdown.

   OAuth Username Attribute
       username

   OAuth Role Attribute
       roles

   OAuth Privilege Attribute
       (Optional) privileges

   OAuth JWT Algorithm
       Choose HS256 from the dropdown.

   OAuth JWT Secrets
       Enter the key ID into the left field as the Secret Key ID and the public key in PEM format into the right field as the Secret Value. To enter more secrets, click Add Secret to expose additional field pairs.
       EXAMPLE:
           Secret Key ID = PingExampleKeyID
           Secret Value = [v11.2.0] <Hex-encoded JWT Secret>
                          [v11.3.0 and up] <Hex- or Base64URL-encoded JWT Secret>

   OAuth JWKS URI
       (Optional) JSON Web Key Sets endpoint for obtaining JSON Web Keys. The URI must support TLS (https) or be a loopback URI.
       EXAMPLE: https://localhost/pf/JWKS

2. Configure your desired app servers to use this external security object by setting these fields on each App Server configuration page and clicking OK:

   Authentication
       Choose oauth from the dropdown.

   Internal Security
       Click the false radio button.

   External Securities dropdown
       Choose from the dropdown the External Security Name that you gave to your external security object in the previous step. Choose only one.
       EXAMPLE: PingIdentityExampleOAuth

3. Assign the external name to your desired roles by setting this field on each Role configuration page and clicking OK:

   External Name
       Enter the external role name, returned in the roles attribute of the JWT payload, that corresponds to this role.
       EXAMPLE: external-user-role
MarkLogic Server is now set up for OAuth-based authentication and authorization with Ping Identity.