OIDCApplications
The OIDC-protocol applications in the environment.
Table-Specific Information
We recommend using the built-in Client Application Developer role to read and write data for this table.
SELECT
Reading data from this table requires Read Application/applications:read:application permission.
The driver uses the PingOne Platform API to process WHERE clause conditions built with the following columns and operators.
- Id supports the following operators: =, IN.
All other filters are processed client-side within the driver.
For example, the following queries are processed server-side:
SELECT * FROM Administrators.OIDCApplications WHERE Id = '8f2c6a33-1f7f-458e-8b58-f92507742293';
SELECT * FROM Administrators.OIDCApplications WHERE Id IN ('8f2c6a33-1f7f-458e-8b58-f92507742293', '4441de0a-e4f2-47da-a217-545955eb23a5');
INSERT
Creating data in this table requires Create Application/applications:create:application permission. Refer to the query example below:
INSERT INTO Administrators.OIDCApplications (Name, Description, Type, IsEnabled) VALUES ('My App', 'My App', 'WEB_APP', false)
UPDATE
Updating data in this table requires Update Application/applications:update:application permission. Refer to the query example below:
UPDATE Administrators.OIDCApplications SET IsEnabled = true WHERE Id = '8f2c6a33-1f7f-458e-8b58-f92507742293'
DELETE
Deleting data from this table requires Delete Application/applications:delete:application permission. Refer to the query example below:
DELETE FROM Administrators.OIDCApplications WHERE Id = '8f2c6a33-1f7f-458e-8b58-f92507742293'
Columns
| Name | Type | ReadOnly | References | Description |
| --- | --- | --- | --- | --- |
| Id [KEY] | String | True | | The application identifier (UUID). |
| Name | String | False | | The name of the application. |
| Description | String | False | | The application's description. |
| IsEnabled | Boolean | False | | Boolean value indicating whether the application is enabled for authorization to PingOne. |
| Type | String | False | | The type of the application. Possible values are: 'WEB_APP', 'NATIVE_APP', 'SINGLE_PAGE_APP', 'SERVICE', 'CUSTOM_APP', 'WORKER', 'PING_ONE_SELF_SERVICE', 'PING_ONE_ADMIN_CONSOLE', 'PING_ONE_PORTAL', and 'PORTAL_LINK_APP'. |
| EnvironmentId | String | True | Information.Environments.Id | The identifier (UUID) of the environment in which the application exists. |
| CreatedAt | Datetime | True | | The time at which the application was created. |
| UpdatedAt | Datetime | True | | The time at which the application was last updated. |
| LoginPageURL | String | False | | The application's login page URL. |
| HomePageURL | String | False | | The application's home page URL. |
| IsHiddenFromPortal | Boolean | False | | Boolean value indicating whether the application is hidden in the application portal. |
| IconURL | String | False | | The URL of the application's icon. |
| AccessControlRolesCriteria | String | False | | The user role criteria for accessing the application. Possible values are 'ADMIN_USERS_ONLY'. A user is an admin user if they have one or more of the following roles: 'Organization Admin', 'Environment Admin', 'Identity Data Admin' or 'Client Application Developer'. |
| CORSRestriction | String | False | | The application's restriction with regard to CORS requests. Possible values are 'ALLOW_NO_ORIGINS' and 'ALLOW_SPECIFIC_ORIGINS'. 'ALLOW_NO_ORIGINS' rejects all CORS requests. 'ALLOW_SPECIFIC_ORIGINS' rejects all CORS requests except those listed in the 'CORSAllowedOrigins' column. |
| CORSAllowedOrigins | String | False | | The origins from which CORS requests to the Authorization and Authentication APIs are allowed. This applies only when 'CORSRestriction' is set to 'ALLOW_SPECIFIC_ORIGINS'. |
| KeyRotationPolicyId | String | False | | The key rotation policy identifier (UUID) of the key used to sign the API tokens generated for the application. |
| TokenEndpointMethod | String | False | | The authentication methods supported by the token endpoint. Possible values are: 'NONE', 'CLIENT_SECRET_BASIC', 'CLIENT_SECRET_POST', 'PRIVATE_KEY_JWT', and 'CLIENT_SECRET_JWT'. |
| ResponseTypes | String | False | | The code or token type returned by an authorization request. Possible values are: 'TOKEN', 'ID_TOKEN', and 'CODE'. |
| GrantTypes | String | False | | The grant type for the authorization request. Possible values are: 'authorization_code', 'implicit', 'refresh_token', 'device_code', and 'client_credentials'. |
| PkceEnforcement | String | False | | Specifies how PKCE request parameters are handled on the authorize request. Possible values are: 'OPTIONAL', 'REQUIRED', and 'S256_REQUIRED'. |
| RefreshTokenDuration | Integer | False | | The lifetime in seconds of the refresh token. |
| RefreshTokenRollingDuration | Integer | False | | The number of seconds a refresh token can be exchanged before re-authentication is required. If a value is not provided, the refresh token is valid forever. |
| RefreshTokenRollingGracePeriodDuration | Integer | False | | The number of seconds that a refresh token may be reused after having been exchanged for a new set of tokens (rolled). |
| IsRefreshTokenReplayProtectionEnabled | Boolean | False | | Boolean value indicating how the authorization server should behave if the actor re-uses/re-rolls a used refresh token. If true/enabled, the authorization server immediately revokes the reused refresh token, as well as all descendant tokens. |
| RedirectURIs | String | False | | The callback URIs configured for the authentication response. |
| AllowWildcardInRedirectURIs | Boolean | False | | Boolean value indicating whether wildcards are allowed in redirect URIs. |
| JWKS | String | False | | The JSON Web Key Set (JWKS) that validates the signature of signed JWTs for applications that use the 'PRIVATE_KEY_JWT' option in the 'TokenEndpointMethod' column. |
| JWKSUrl | String | False | | A URL that points to a JWKS string which validates the signature of signed JWTs for applications that use the 'PRIVATE_KEY_JWT' option in the 'TokenEndpointMethod' column. If the 'JWKS' column is empty, the JWKS is provided from the URL configured here instead. |
| ParRequirement | String | False | | Whether pushed authorization requests (PAR) are required. Possible values are: 'REQUIRED' and 'OPTIONAL'. |
| ParTimeout | Integer | False | | Pushed authorization request (PAR) timeout in seconds. |
| RequiresSignedRequestObject | Boolean | False | | Boolean value indicating whether the JSON Web Token (JWT) for the request query parameter is required to be signed. If false or null, a signed request object is not required. |
| InitiateLoginURI | String | False | | The URI to use for third-parties to begin the sign-on process for the application. If specified, PingOne redirects users to this URI to initiate SSO to PingOne. |
| TargetLinkURI | String | False | | The URI for the application. If specified, PingOne will redirect application users to this URI after a user is authenticated. |
| PostLogoutRedirectURIs | String | False | | The URLs that the browser can be redirected to after logout. |
| Tags | String | False | | An array that specifies the list of labels associated with the application (Worker). Possible values are: 'PING_FED_CONNECTION_INTEGRATION'. |
| DevicePathId | String | False | | A string that specifies a unique identifier within an environment for a device authorization grant flow to provide a short identifier to the application. This is ignored when the 'DeviceCustomVerificationURI' column is configured. |
| DeviceCustomVerificationURI | String | False | | A string that specifies an optional custom verification URI that is returned for the '/device_authorization' endpoint. |
| DeviceTimeout | Integer | False | | An integer that specifies the length of time (in seconds) for which the 'userCode' and 'deviceCode' returned by the '/device_authorization' endpoint are valid. This property applies only to applications in which the 'GrantTypes' column is set to 'device_code'. |
| DevicePollingInterval | Integer | False | | An integer that specifies the frequency (in seconds) for the client to poll the '/as/token' endpoint. This property applies only to applications in which the 'GrantTypes' column is set to 'device_code'. |
| MobileBundleId | String | False | | The bundle associated with the application, for push notifications in native apps. Used only for applications for the Apple ecosystem. |
| MobilePackageName | String | False | | The package name associated with the application, for push notifications in native apps. Used only for applications for the Google ecosystem. |
| MobileURIPrefix | String | False | | A URI prefix that enables direct triggering of the mobile application when scanning a QR code. |
| HuaweiAppId | String | False | | The unique identifier for the app on the device and in the Huawei Mobile Service AppGallery. Used only for applications for the Huawei ecosystem. |
| HuaweiPackageName | String | False | | The package name associated with the application, for push notifications in native apps. Used only for applications for the Huawei ecosystem. |
| IntegrityDetectionMode | String | False | | Indicates whether device integrity detection takes place on mobile devices, for the application's enrollment and authentication events. Possible values are: 'ENABLED' and 'DISABLED'. |
| IntegrityDetectionExcludedPlatforms | String | False | | Operating systems you want to exclude from device integrity checking. Possible values are 'GOOGLE' and 'IOS'. |
| IntegrityDetectionVerificationType | String | False | | The type of verification that should be used. Possible values are: 'GOOGLE' and 'INTERNAL'. |
| IntegrityDetectionCacheDurationAmount | Integer | False | | The duration between successful integrity detection calls. |
| IntegrityDetectionCacheDurationUnits | String | False | | The time units used for the 'IntegrityDetectionCacheDurationAmount' column. Possible values are: 'MINUTES' and 'HOURS'. |
| PasscodeRefreshDurationAmount | Integer | False | | The amount of time a passcode should be displayed before being replaced with a new passcode. |
| PasscodeRefreshDurationUnits | String | False | | The type of time unit for the 'PasscodeRefreshDurationAmount' column. Possible values are: 'SECONDS'. |
| AssignActorRoles | Boolean | False | | Boolean value indicating whether the roles of the actor creating the application should be assigned to the application. |
| EnableIdpSignOff | Boolean | False | | Boolean value indicating whether the application is allowed to terminate a user session using only the ID token. |
| MFANumberMatchingType | String | False | | The type of number matching that should be used in MFA policies where number matching has been enabled for the application. Possible values are: 'SELECT_NUMBER' and 'ENTER_MANUALLY'. |
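
An audit query built on the columns above, added here as an example and not part of the driver's documentation: it lists enabled applications whose settings weaken the OIDC flow. It assumes the driver accepts LIKE, IS NULL and boolean comparisons in WHERE, and that multi-valued columns such as GrantTypes are returned as delimited strings; since only Id filters are pushed to the PingOne Platform API, every predicate here is evaluated client-side.

```sql
-- Added example: review enabled OIDC applications for settings that weaken the flow.
-- Assumption: GrantTypes holds its values as one delimited string, so LIKE tests membership.
SELECT Id,
       Name,
       Type,
       GrantTypes,
       ResponseTypes,
       TokenEndpointMethod,
       PkceEnforcement,
       AllowWildcardInRedirectURIs,
       RefreshTokenRollingDuration,
       IsRefreshTokenReplayProtectionEnabled,
       UpdatedAt
FROM Administrators.OIDCApplications
WHERE IsEnabled = true
  AND (
        -- Wildcard redirect URIs widen the set of callbacks that can receive a code or token.
        AllowWildcardInRedirectURIs = true
        -- The implicit grant returns tokens directly in the authorization response.
     OR GrantTypes LIKE '%implicit%'
        -- Native and single-page apps on the code flow without mandatory S256 PKCE.
     OR (Type IN ('NATIVE_APP', 'SINGLE_PAGE_APP')
         AND GrantTypes LIKE '%authorization_code%'
         AND (PkceEnforcement IS NULL OR PkceEnforcement <> 'S256_REQUIRED'))
        -- Refresh tokens with no replay protection, or with no rolling limit
        -- (an unset RefreshTokenRollingDuration means the token is valid forever).
     OR (GrantTypes LIKE '%refresh_token%'
         AND (IsRefreshTokenReplayProtectionEnabled IS NULL
              OR IsRefreshTokenReplayProtectionEnabled = false
              OR RefreshTokenRollingDuration IS NULL))
      )
ORDER BY UpdatedAt DESC;
```

Rows returned are candidates for review; sorting by UpdatedAt puts the most recently changed applications first, which helps when checking whether a setting was loosened recently.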