The PingOne Magic Link Service provides a passwordless authentication experience into a PingOne application using a One Time Link.
The Magic Link service performs the following actions:
- Captures and temporarily stores the OIDC authorization request that the mobile application sends to this service (client_id, redirect_uri, PKCE code_challenge, state, scope).
- Generates a One Time Link (OTL) and emails it to the user.
- When the user opens the link, the service builds an OIDC authorization URL carrying a signed login_hint_token whose subject is the user's email address, and redirects the browser to it with an HTTP 302 response.
- PingOne validates the login_hint_token and signs the user in without a password. An OIDC authorization code (or token) is returned to the redirect_uri captured in the first step.
- If the redirect_uri is a mobile deep link, the flow returns to the mobile application.
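The core of the flow above, written as an added example (not the code of this project or of PingOne): the mobile side generates a PKCE pair and keeps the verifier on the device; the service stores the authorization request, issues an unguessable single-use link, and on claim signs a login_hint_token with the client secret, which never leaves the service. The login_hint_token claim set (iss = client_id, aud = PingOne auth base URL, sub = email, iat, exp), the HS256 signature and the link/token lifetimes are assumptions made here; confirm the exact claim set PingOne validates against its documentation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

LINK_TTL_SECONDS = 600   # unclaimed One Time Link lifetime (value chosen for this example)
HINT_TTL_SECONDS = 60    # login_hint_token lifetime; short, it is a bearer assertion (chosen here)
REQUIRED_PARAMS = {"client_id", "redirect_uri", "code_challenge",
                   "code_challenge_method", "state", "scope"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_challenge(verifier: str) -> str:
    return _b64url(hashlib.sha256(verifier.encode()).digest())


def make_pkce_pair():
    """Mobile side: the verifier stays on the device, only the S256 challenge is sent."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def make_login_hint_token(email, client_id, pingone_base_url, client_secret, now):
    """HS256 JWT signed with the OIDC client secret. The claim set is an assumption of this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": client_id, "aud": pingone_base_url, "sub": email,
               "iat": now, "exp": now + HINT_TTL_SECONDS}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_login_hint_token(token, client_secret, now):
    """Verify signature and expiry of a token we emitted; returns the payload or None."""
    try:
        h, p, s = token.split(".")
        signature = _b64url_decode(s)
        payload = json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return payload if payload.get("exp", 0) > now else None


class MagicLinkService:
    def __init__(self, base_url, pingone_base_url, client_id, client_secret):
        self.base_url = base_url.rstrip("/")
        self.pingone_base_url = pingone_base_url.rstrip("/")
        self.client_id = client_id
        self._client_secret = client_secret   # held only by the web service
        self._pending = {}                    # otl_id -> stored request; use a DB/cache in production

    def capture(self, authz_request, email, now=None):
        """Step 1: the mobile app posts its authorization request; store it and return the One Time Link."""
        now = int(time.time()) if now is None else now
        if "client_secret" in authz_request:
            raise ValueError("the mobile app must not hold the client secret; it authenticates with PKCE")
        missing = REQUIRED_PARAMS - authz_request.keys()
        if missing:
            raise ValueError(f"missing parameters: {sorted(missing)}")
        if authz_request["client_id"] != self.client_id:
            raise ValueError("unexpected client_id")
        if authz_request["code_challenge_method"] != "S256":
            raise ValueError("code_challenge_method must be S256")
        otl_id = secrets.token_urlsafe(32)    # unguessable, single-use identifier
        self._pending[otl_id] = {"request": dict(authz_request), "email": email,
                                 "expires": now + LINK_TTL_SECONDS}
        return f"{self.base_url}/claim/{otl_id}"   # this is the link that gets emailed

    def claim(self, otl_id, now=None):
        """Step 2: the link is opened. Consume it once and return the 302 Location for the browser."""
        now = int(time.time()) if now is None else now
        entry = self._pending.pop(otl_id, None)   # pop: a second click finds nothing
        if entry is None or now > entry["expires"]:
            return None
        token = make_login_hint_token(entry["email"], self.client_id,
                                      self.pingone_base_url, self._client_secret, now)
        params = {**entry["request"], "response_type": "code", "login_hint_token": token}
        return f"{self.pingone_base_url}/as/authorize?{urlencode(params)}"
```

The single-use behaviour comes from `pop()` on claim, and the stored request is replayed verbatim into the authorization URL so PingOne receives the mobile app's own code_challenge and state; the mobile app then redeems the authorization code at the token endpoint with its code_verifier and no client secret.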
This GitHub project performs the role of the "Magic Link Service" in the following diagram:
The solution requires an MFA Only Authentication Policy and an OIDC Client.
Create an MFA Only Policy with the following attributes:
- NONE OR INCOMPATIBLE METHODS: BYPASS
Create an OIDC Client with the following attributes:
- A generated Client Secret. Important: do not provide this secret to the mobile application; the mobile application authenticates with PKCE. The Client Secret is used only by the web service to sign the login_hint_token.
- Response Type: Code
- Grant Type: Authorization Code
- PKCE Enforcement: S256_REQUIRED
- Token Endpoint Authentication Method: NONE
- Resources: add profile
- Policies: Select the MFA Only Policy you created above.
- Redirect URI: a deep link URI (custom scheme) that launches the application from the browser and consumes the authorization code. Example: pingapac://magiclink/callback
This solution requires that the users entered into the mobile app exist in PingOne with the following attributes:
- Username: email address of the user.
- MFA Enabled: true.
This solution requires you to launch a web service. Details and installation steps found here.
This solution comes with a sample Android Application demonstrating the passwordless flow. Details and installation steps found here.
A Postman collection has been provided to test the solution out without a mobile application. You can import the collection using the following URL.
Important: The Magic Link web service needs to be running with devmode=true. This allows the Postman scripts to retrieve the OTL in the OIDC claim dropoff response.
Import the collection into postman and modify the following Collection Variables:
| Configuration Name | Description | Example |
|---|---|---|
| magiclink-baseurl | Frontend base URL of the magic link service | https://magiclink.pingapac.com |
| magiclink-subject | Email address of the subject. The user must exist in PingOne with username = email | bob@mailinator.com |
| pingone-baseurl | Auth base URL of the PingOne environment | https://auth.pingone.com/{environmentId} |
| pingone-client_id | Client ID of the OIDC client used by the mobile application | {clientId} |
| pingone-client_redirect_uri | Redirect URI configured in the client | pingapac://magiclink/callback |
Run the Postman steps in sequence.