Through the REST API
To set up OAuth-based authentication and authorization with Ping Identity through the REST API, follow these steps:
Create the external security object with code like this:
XQuery/XML

    curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/xml" \
      -d @create_extsec.xml http://<machine URI>:8002/manage/v2/external-security

Contents of create_extsec.xml:

    <external-security-properties xmlns="http://marklogic.com/manage/external-security/properties">
      <external-security-name>PingIdentityExampleOAuth</external-security-name>
      <description>PingIdentity external security object for OAuth</description>
      <authentication>oauth</authentication>
      <cache-timeout>300</cache-timeout>
      <authorization>oauth</authorization>
      <oauth-server>
        <oauth-vendor>Ping Identity</oauth-vendor>
        <oauth-flow-type>Resource server</oauth-flow-type>
        <oauth-client-id>PingExampleClientID</oauth-client-id>
        <oauth-token-type>JSON Web Tokens</oauth-token-type>
        <oauth-username-attribute>username</oauth-username-attribute>
        <oauth-role-attribute>roles</oauth-role-attribute>
        <oauth-privilege-attribute>privileges</oauth-privilege-attribute>
        <oauth-jwt-alg>HS256</oauth-jwt-alg>
        <oauth-jwt-secrets>
          <oauth-jwt-secret>
            <oauth-jwt-key-id>PingExampleKeyID</oauth-jwt-key-id>
            <oauth-jwt-secret-value>HS256 JWT Secret Value</oauth-jwt-secret-value>
          </oauth-jwt-secret>
        </oauth-jwt-secrets>
        <oauth-jwks-uri>https://localhost/pf/JWKS/</oauth-jwks-uri>
      </oauth-server>
    </external-security-properties>
JavaScript/JSON

    curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/json" \
      -d @create_extsec.json http://<machine URI>:8002/manage/v2/external-security

Contents of create_extsec.json:

    {
      "external-security-name": "PingIdentityExampleOAuth",
      "description": "PingIdentity external security object for OAuth",
      "authentication": "oauth",
      "cache-timeout": "300",
      "authorization": "oauth",
      "oauth-server": {
        "oauth-vendor": "Ping Identity",
        "oauth-flow-type": "Resource server",
        "oauth-client-id": "PingExampleClientID",
        "oauth-token-type": "JSON Web Tokens",
        "oauth-username-attribute": "username",
        "oauth-role-attribute": "roles",
        "oauth-privilege-attribute": "privileges",
        "oauth-jwt-issuer-uri": "",
        "oauth-jwt-alg": "HS256",
        "oauth-jwt-secret": [
          {
            "oauth-jwt-key-id": "PingExampleKeyID",
            "oauth-jwt-secret-value": "<HS256 JWT Secret Value>"
          }
        ],
        "oauth-jwks-uri": "https://localhost/pf/JWKS"
      }
    }
Create any HTTP, XDBC, WebDAV, or ODBC app servers that you wish to configure with this external security object.
Configure your app servers to use this external security object with code like this:
XML application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/xml" \
      -d '<http-server-properties xmlns="http://marklogic.com/manage">
            <external-security>PingIdentityExampleOAuth</external-security>
            <internal-security>false</internal-security>
            <authentication>oauth</authentication>
          </http-server-properties>' \
      http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default
JSON application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/json" \
      -d '{"external-security": "PingIdentityExampleOAuth",
           "internal-security": false,
           "authentication": "oauth"}' \
      http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default
Assign external names to your desired roles with code like this:
Note: The external names are the values returned under the role attribute of the access token payload.
XML application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/xml" \
      -d '<role-properties xmlns="http://marklogic.com/manage/role/properties">
            <external-names>
              <external-name>external-user-role</external-name>
            </external-names>
          </role-properties>' \
      http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties
JSON application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/json" \
      -d '{"external-name": "external-user-role"}' \
      http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties
MarkLogic Server is now set up for OAuth-based authentication and authorization with Ping Identity.
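To make the effect of these settings concrete, the following Python models what a resource server does with an access token under the external-security object and role assignment configured above: it pins the algorithm to oauth-jwt-alg, looks the token's kid up among the oauth-jwt-secret entries, checks the HMAC and expiry, reads the user from the oauth-username-attribute claim, and maps the oauth-role-attribute values onto MarkLogic roles through their external names. This is an added illustration written for this page, not MarkLogic's or Ping Identity's code; the role table, the sample user "alice", the extra role "report-reader" and the token-minting helper are constructed assumptions, and the secret is the page's placeholder string rather than a real key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the external-security object created above
# (same property names as the JSON payload; the secret is the page's
# placeholder string, not a real key).
EXTERNAL_SECURITY = {
    "oauth-jwt-alg": "HS256",
    "oauth-username-attribute": "username",
    "oauth-role-attribute": "roles",
    "oauth-jwt-secret": [
        {
            "oauth-jwt-key-id": "PingExampleKeyID",
            "oauth-jwt-secret-value": "HS256 JWT Secret Value",
        }
    ],
}

# Constructed role table: MarkLogic role name -> external names assigned to it.
# The role step above assigns "external-user-role" to manage-user; the second
# entry is an assumed extra role to show that unmatched claims grant nothing.
ROLE_EXTERNAL_NAMES = {
    "manage-user": ["external-user-role"],
    "report-reader": ["ping-report-reader"],
}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(payload, key_id, secret):
    """Mint an HS256 JWT; used only to build sample tokens for this example."""
    header = {"alg": "HS256", "typ": "JWT", "kid": key_id}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, config, now=None):
    """Return the payload of a token acceptable under `config`, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm to oauth-jwt-alg so a presenter cannot substitute
    # "none" or a public-key algorithm for the configured HMAC.
    if header.get("alg") != config["oauth-jwt-alg"]:
        raise ValueError("unexpected alg")
    # The kid must select one of the configured oauth-jwt-secret entries.
    secrets = {s["oauth-jwt-key-id"]: s["oauth-jwt-secret-value"]
               for s in config["oauth-jwt-secret"]}
    secret = secrets.get(header.get("kid"))
    if secret is None:
        raise ValueError("unknown kid")
    expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("expired")
    return payload


def map_roles(payload, config, role_table):
    """Resolve (username, sorted MarkLogic role names) from a verified payload."""
    username = payload.get(config["oauth-username-attribute"])
    if not username:
        raise ValueError("missing username claim")
    claimed = payload.get(config["oauth-role-attribute"], [])
    if isinstance(claimed, str):
        claimed = [claimed]
    # A role is granted when one of its external names appears in the claim.
    granted = sorted(role for role, names in role_table.items()
                     if any(name in claimed for name in names))
    return username, granted


def authorize(token, config=EXTERNAL_SECURITY, role_table=ROLE_EXTERNAL_NAMES, now=None):
    """Full check: verify the token, then map its role claim to MarkLogic roles."""
    return map_roles(verify_token(token, config, now), config, role_table)


if __name__ == "__main__":
    sample = make_hs256_token(
        {"username": "alice", "roles": ["external-user-role", "not-mapped"],
         "exp": 2_000_000_000},
        "PingExampleKeyID", "HS256 JWT Secret Value")
    print(authorize(sample, now=1_700_000_000))  # ('alice', ['manage-user'])
```

With HS256 the shared oauth-jwt-secret-value is the only thing that authenticates a token, so whoever holds it can mint tokens for any username and role; store it as you would a password and rotate it by adding a new key ID under oauth-jwt-secrets before retiring the old one. The kid lookup is what makes that rotation possible without downtime.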