PingOne Advanced Identity Cloud

Redirect an OAuth 2.0 or OIDC client application to a journey

You can configure OAuth 2.0 / OIDC client applications to redirect authentication requests to a specified journey.

The redirect to the journey carries a transaction condition advice, so the journey always runs in full, even when the user already holds a valid session and regardless of any configured authentication context class reference (acr) values.

You can associate a journey only with OAuth 2.0 applications whose grant types include Authorization Code, Implicit, or Device Code, the grants in which the user authenticates interactively in a browser.

When a journey is associated with an application, it overrides other authentication settings, including acr claims.

If a relying party (RP) requests an acr claim (voluntary or essential), or if default acr values are set in the OIDC client profile, the acr claim is still returned in the ID token regardless of the provider configuration; the associated journey is what actually runs.

You can’t delete a journey if it’s referenced by an OAuth 2.0 / OIDC application.

Configure a client application journey

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

  2. On the Advanced tab, select the journey from the Tree Name list.

  3. Save your changes.

  4. To verify that Advanced Identity Cloud uses the associated journey for authentication, check the events written to the am-access and am-authentication log sources.
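The following is an added example, not code from the PingOne Advanced Identity Cloud documentation: a Node.js check that scans exported am-access and am-authentication events to confirm that authorize requests for a client were answered with a redirect (the hand-off to the journey) and that the associated journey completed. The sample events are constructed; the field names (eventName, http.request.path, http.request.queryParameters, response.statusCode, entries[].info.treeName) follow the AM audit event shape as I know it and are an assumption to verify against your tenant's own log output. The client ID web-portal and the journey name PartnerLogin are hypothetical.

```javascript
// Added example, not from the PingOne Advanced Identity Cloud docs.
// Field names are modelled on AM audit events; confirm them against real output.

// Constructed sample am-access events (one JSON object per line in a real export).
const AM_ACCESS_SAMPLE = [
  JSON.stringify({
    eventName: "AM-ACCESS-OUTCOME", realm: "/alpha",
    http: { request: { method: "GET",
      path: "https://tenant.example.com/am/oauth2/alpha/authorize",
      queryParameters: { client_id: ["web-portal"], response_type: ["code"], scope: ["openid"] } } },
    response: { status: "SUCCESSFUL", statusCode: "302" }
  }),
  JSON.stringify({
    eventName: "AM-ACCESS-OUTCOME", realm: "/alpha",
    http: { request: { method: "POST",
      path: "https://tenant.example.com/am/json/realms/root/realms/alpha/authenticate",
      queryParameters: {} } },
    response: { status: "SUCCESSFUL", statusCode: "200" }
  })
];

// Constructed sample am-authentication events.
const AM_AUTH_SAMPLE = [
  JSON.stringify({ eventName: "AM-TREE-LOGIN-COMPLETED", realm: "/alpha", principal: ["bjensen"],
    result: "SUCCESSFUL", entries: [{ info: { treeName: "PartnerLogin", authLevel: "0" } }] }),
  JSON.stringify({ eventName: "AM-TREE-LOGIN-COMPLETED", realm: "/alpha", principal: ["bjensen"],
    result: "SUCCESSFUL", entries: [{ info: { treeName: "Login", authLevel: "0" } }] }),
  JSON.stringify({ eventName: "AM-NODE-LOGIN-COMPLETED", realm: "/alpha", principal: ["bjensen"],
    result: "SUCCESSFUL", entries: [{ info: { treeName: "PartnerLogin", nodeType: "ScriptedDecisionNode" } }] })
];

// Parse newline-delimited JSON, skipping blank or malformed lines rather than aborting.
function parseEvents(lines) {
  const events = [];
  for (const line of lines) {
    if (!line || !line.trim()) continue;
    try { events.push(JSON.parse(line)); } catch (e) { /* ignore malformed line */ }
  }
  return events;
}

// Authorize requests for clientId that were answered with a 302 (redirect to the journey).
function authorizeRedirects(accessEvents, clientId) {
  return accessEvents.filter((ev) => {
    const req = ev.http && ev.http.request;
    if (!req || ev.eventName !== "AM-ACCESS-OUTCOME") return false;
    const path = String(req.path || "").split("?")[0];
    const ids = (req.queryParameters && req.queryParameters.client_id) || [];
    return path.endsWith("/authorize") && ids.includes(clientId)
      && String(ev.response && ev.response.statusCode) === "302";
  });
}

// Completed journey runs for the given journey (tree) name.
function journeyCompletions(authEvents, journeyName) {
  return authEvents.filter((ev) =>
    ev.eventName === "AM-TREE-LOGIN-COMPLETED" && ev.result === "SUCCESSFUL"
      && Array.isArray(ev.entries)
      && ev.entries.some((en) => en.info && en.info.treeName === journeyName));
}

// Stand-alone usage on the constructed samples.
const redirects = authorizeRedirects(parseEvents(AM_ACCESS_SAMPLE), "web-portal");
const runs = journeyCompletions(parseEvents(AM_AUTH_SAMPLE), "PartnerLogin");
console.log(`authorize redirects for web-portal: ${redirects.length}, PartnerLogin completions: ${runs.length}`);
```

Point the two functions at the lines of a real export (for example, the output of the monitoring logs API for each source) and filter by time window; a client whose authorize requests are redirected but whose journey never completes points at a misconfigured journey or at the wrong Tree Name on the client.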

You can use a script to access information about the incoming OAuth 2.0 request. Configure your journey to include a Scripted Decision node that queries the oauthApplication script binding.
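The following is an added example of such a script, not code from the PingOne Advanced Identity Cloud documentation: a next-generation Scripted Decision node script that routes the journey by the requesting OAuth 2.0 client. The oauthApplication binding name, nodeState.putShared, action.goTo and logger come from the scripting reference; the getClientId() accessor and the binding being null when the journey was not started by an OAuth 2.0 client are assumptions to check against the binding reference for your tenant. The client IDs and the outcome names (direct, mfa, standard) are hypothetical and must match the outcomes configured on the node. The decision is kept in a plain function so it can be unit-tested outside Advanced Identity Cloud with stub bindings.

```javascript
// Added example, not from the PingOne Advanced Identity Cloud docs.
// Assumed: oauthApplication.getClientId() exists, and oauthApplication is null
// when the journey was not triggered by an OAuth 2.0 / OIDC client.

// Hypothetical policy: these client IDs must always take the MFA branch.
var HIGH_ASSURANCE_CLIENTS = ["partner-portal", "finance-spa"];

// Pure decision logic: returns the node outcome for the given bindings.
function decide(oauthApplication, nodeState, logger) {
  // A journey can also be started directly (no OAuth 2.0 client involved).
  if (oauthApplication === null || oauthApplication === undefined) {
    logger.info("No OAuth 2.0 client on this request; taking the direct outcome");
    return "direct";
  }
  var clientId = String(oauthApplication.getClientId()); // assumed accessor
  // Record the client ID in shared state so later nodes can use it.
  nodeState.putShared("oauthClientId", clientId);
  if (HIGH_ASSURANCE_CLIENTS.indexOf(clientId) !== -1) {
    logger.info("Client " + clientId + " requires MFA");
    return "mfa";
  }
  logger.info("Client " + clientId + " takes the standard branch");
  return "standard";
}

// Inside the node the engine supplies action and the bindings; outside it
// (for example, in a local test) action is undefined and nothing runs.
if (typeof action !== "undefined") {
  action.goTo(decide(oauthApplication, nodeState, logger));
}
```

Because the journey is forced to run by the transaction condition advice, branching on the client ID here is a reliable way to give different OAuth 2.0 clients different authentication strength within a single associated journey; keep the outcome names on the node in sync with the strings the function returns.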