1. Home
  2. Knowledge Base
  3. Tutorials
  4. How to protect Hubway Connect APIs with OAuth 2.0 using Ping Identitity?

How to protect Hubway Connect APIs with OAuth 2.0 using Ping Identitity?

This is a guide to implement and test the pre-built OAuth2.0 authentication plugin, provided with Hubway Connect.

This feature is available on Hubway Connect R2.4+.

Requirements

  • Ping account
  • OAuth 2.0 pre-built plugin (contact us if you donโ€™t have it)

PingOne Identity Provider configuration

If you do not have it yet, register for a free trial account to use the PingIdentity services. After verifying your email address and providing the additional information, follow the next steps in order to set up an identity server.

1. Create a Customer Solution

 

2. Create an Application

On the left side pane, go to Connections ->Applications and create a new one by clicking on the plus icon next to Applications.

Choose “Single-Page” as Application Type.

 

3. Configure the Application

a. After creating the App, make sure the switch on the top right corner is on

b. Navigate to the Configuration tab and click on the pencil on the top right corner to edit the configuration

c. Add https://example.com in the Redirect URIs field and save

d. Navigate to the Resources tab and click on the pencil on the top right corner to edit the resources

e. In the Scopes tab scroll to the end, add profile and save

 

4. Create a User

On the left side pane, go to Identities ->Users and create a new one by clicking on the plus icon next to Users

Ensure the username youโ€™re using is the same username from the user account in OutSystems that you want to authenticate with when requesting the Hubway API.

 

5. Generate a token for the user created in the previous step

a. Go to Applications and click on the created application, navigate to the Configuration tab and expand the URLs section

 

b. Paste the following path on your browser:

{AuthorizationURL}?response_type=token id_token&client_id={ClientID}&redirect_uri=https://example.com&scope=openid%20profile

* {AuthorizationURL} and {ClientID} are displayed in the Configuration tab of the created app.

 

c. Youโ€™ll be requested to login with the user created in step 4 (and might be requested to change the password)

 

d. After login, copy the link from the browser, and retrieve the id_token from the path

Example: https://example.com/#access_token=eyJraWQiOiJ[..]kgUqDv7w&[..]&id_token=eyJraWQ[..]eoCl0VtbmY7Q

 

Configure the pre-built OAuth 2.0 authentication plugin module

Along with the installation of Hubway Connect you might have opted for the use of custom authentication methods. If your authentication method of choice is OAuth 2.0, you will not need to implement it from scratch, as we provide a example of its implementation through a Hubway authentication plugin, called HWAuthentication_OAuth2.

* Note that this module is optional and if you donโ€™t have it available on your environment, reach out to our support team.

a. Open the module in ServiceCenter and to include the signature verification, set the following site properties

ExpectedSignatureKeyId

  • Open JWT.IO and paste the “id_token”
  • Copy the kid value and set the value of the site property

SignatureKey

  • In Ping open the Application and navigate to the Configuration tab and expand the URLs

  • Copy the JWKS Endpoint and open it in a browser tab
  • Search for the key with the same kid value as the one defined in JWT.IO , and set the value of this site property with the entire content of the JSon record you found

Example:

{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"x5t": "TXBdKPlRe7upoxbRxLEzlGgkTN8",
"kid": "d9aa0090-4317-11ee-ac7e-776c27709711",
"x5c": [
"MIIDtDCCAp[..]a4c/g=="
],
"n": "5kTz6tX6Q[..]sCtNUtQ"
}

 

b. If you donโ€™t wish to include the signature verification, open the module in ServiceCenter and set the VerifySignature site property to False

 

 

Consuming a Hubway API with OAuth 2.0 token

When accessing a Hubway API with OAuth 2.0 authentication, use Bearer Token as authorization type and use the id_token as the bearer token.

See an example of how to use a Bearer token, when consuming APIs, using Postman:

 

Was this article helpful?

Related Articles