Configure the SDKs dynamically
It can sometimes be convenient to change configurations without reinstalling your app. For example, to switch test environments on the fly or to switch to a different service, change the app settings programmatically with dynamic configuration.
-
Android
-
iOS
Use the FROptionsBuilder
methods to build an FROptions
object, and pass the object to the FRAuth.start()
method.
The builder provides access to the settings defined by the following properties:
Domain ( |
Property name |
Description |
Required |
|
---|---|---|---|---|
Android (Java) |
Android (Kotlin) |
|||
Server ( |
|
|
The base URL of the PingAM instance to connect to, including port and deployment path;
for example, |
|
|
|
The realm where the OAuth 2.0 client profile is configured. Default: |
||
|
|
A timeout, in seconds, for each request that communicates with PingAM. Default: |
||
|
|
The name of the cookie that contains the session token, for example, To locate the cookie name in an PingOne Advanced Identity Cloud tenant, go to Tenant settings > Global Settings > Cookie. Default: |
||
|
|
Time, in seconds, to cache the session token cookie in memory. Default: |
||
Journeys ( |
|
|
The name of the user authentication tree configured in PingAM. |
|
|
|
The name of the user registration tree configured in PingAM. |
||
OAuth 2.0 ( |
|
|
The |
|
|
|
The |
||
|
|
A list of scopes to request when performing an OAuth 2.0 authorization flow. |
||
|
|
A threshold, in seconds, to refresh an OAuth 2.0 token before the |
||
|
|
Time, in seconds, to cache an OAuth 2.0 token in memory (defaults to |
||
Storage ( |
|
|
A custom class for the storage of OpenID Connect-related items, such as access tokens. |
|
|
|
A custom class for the storage of single sign-on-related items, such as SSO tokens. |
||
|
|
A custom class for the storage of cookies. |
||
SSL pinning ( |
|
|
An array of public key certificate hashes (strings) for trusted sites and services. |
|
|
|
An array of |
||
Custom endpoints ( |
|
|
Override the default path to PingAM’s |
|
|
|
Override the default path to the PingAM’s |
||
|
|
Override the default path to PingAM’s |
||
|
|
Override the default path to PingAM’s |
||
|
|
Override the default path to PingAM’s |
||
|
|
Override the default path to PingAM’s |
In addition, the Ping SDK for Android lets you configure the log level and a custom logger.
Use the FROptions
interface to build an options object and pass the object to the FRAuth.start()
method.
The options object provides access to the settings defined by the following properties.
These settings are the same as the properties in FRAuthConfig.plist
:
Domain | Property | Description | Required |
---|---|---|---|
Server |
|
The base URL of the PingAM instance to connect to, including port and deployment path;
for example, |
|
|
The realm where the OAuth 2.0 client profile is configured. Default: |
||
|
A timeout, in seconds, for each request that communicates with PingAM (defaults to |
||
|
When |
||
|
The name of the cookie that contains the SSO token, for example, To locate the cookie name in an PingOne Advanced Identity Cloud tenant, go to Tenant Settings > Global Settings > Server. Default: |
||
Journeys |
|
The name of the user authentication tree configured in PingAM. |
|
|
The name of the user registration tree configured in PingAM. |
||
OAuth 2.0 |
|
The |
|
|
The |
||
|
A list of scopes to request when performing an OAuth 2.0 authorization flow. |
||
|
A threshold, in seconds, to refresh an OAuth 2.0 token before the |
||
SSL pinning |
|
An array of public key certificate hashes (strings) for trusted sites and services. |
|
|
Keychain access group for the shared keychain. |
||
Custom endpoints |
|
Override the default path to PingAM’s |
|
|
Override the default path to the PingAM’s |
||
|
Override the default path to PingAM’s |
||
|
Override the default path to PingAM’s |
||
|
Override the default path to PingAM’s |
||
|
Override the default path to PingAM’s |
You must provide a value for properties that are marked as required. The SDK throws an exception if you provide an empty string for a required property. |
Session and token lifecycle
The SDK revokes and removes persisted tokens if you change any of the following properties dynamically:
-
forgerock_cookie_name
-
forgerock_oauth_client_id
-
forgerock_oauth_redirect_uri
-
forgerock_oauth_scope
-
forgerock_realm
-
forgerock_url
Android example
The following examples use dynamic configuration.
-
Android - Java
-
Android - Kotlin
FROptions options = FROptionsBuilder.build(frOptionsBuilder -> {
frOptionsBuilder.server(serverBuilder -> {
serverBuilder.setUrl("https://tenant.forgeblocks.com/am");
serverBuilder.setRealm("alpha");
serverBuilder.setCookieName("46b42b4229cd7a3");
return null;
});
frOptionsBuilder.oauth(oAuthBuilder -> {
oAuthBuilder.setOauthClientId("androidClient");
oAuthBuilder.setOauthRedirectUri("https://localhost:8443/callback");
oAuthBuilder.setOauthScope("openid profile email address");
return null;
});
frOptionsBuilder.service(serviceBuilder -> {
serviceBuilder.setAuthServiceName("Login");
serviceBuilder.setRegistrationServiceName("Registration");
return null;
});
return null;
});
FRAuth.start(this, options);
val options = FROptionsBuilder.build {
server {
url = "https://openam-forgerock-sdks.forgeblocks.com/am"
realm = "alpha"
cookieName = "iPlanetDirectoryPro"
}
oauth {
oauthClientId = "sdkPublicClient"
oauthRedirectUri = "https://localhost:8443/callback"
oauthScope = "openid profile email address"
}
service {
authServiceName = "Login"
registrationServiceName = "Registration"
}
}
FRAuth.start(this, options);
When the application calls FRAuth.start()
, the FRAuth
class checks for the presence of an FROptions
object.
If the object is not present, static initialization from strings.xml
happens.
If the object is present, the FRAuth
class uses the options object
and calls the same internal initialization method.
The app can call FRAuth.start()
multiple times in its lifecycle:
-
When the app calls
FRAuth.start()
for the first time in its lifecycle, the SDK checks for the presence of session and access tokens in the local storage. If an existing session is present, initialization does not log the user out. -
If the app calls
FRAuth.start()
again, the SDK checks whether session managers and token managers are initialized, and cleans the existing session and token storage. This ensures that changes to the app configuration remove and revoke existing sessions and tokens.
iOS example
The following Swift example uses dynamic configuration.
let options = FROptions(url: "https://tenant.forgeblocks.com/am",
realm: "alpha",
cookieName: "46b42b4229cd7a3",
oauthClientId: "iosClient",
oauthRedirectUri: "frauth://com.forgerock.ios.frexample",
oauthScope: "openid profile email address",
authServiceName: "Login",
registrationServiceName: "Register")
try FRAuth.start(options: options)
When the application calls FRAuth.start()
, the FRAuth
class checks for the presence of an FROptions
object.
If the object is not present, the static initialization from FRAuthConfig.plist
happens.
If the object is present, the FRAuth
class converts it to a [String, Any]
dictionary
and calls the same internal initialization method.
The app can call FRAuth.start()
multiple times in its lifecycle:
-
When the app calls
FRAuth.start()
for the first time in its lifecycle, the SDK checks for the presence of session and access tokens in the local storage. If an existing session is present, initialization does not log the user out. -
If the app calls
FRAuth.start()
again, the SDK checks whether session managers and token managers are initialized, and cleans the existing session and token storage. This ensures that changes to the app configuration remove and revoke existing sessions and tokens.
Using the .well-known endpoint for dynamic configuration
You can configure the Android and iOS SDKs to obtain many required settings from your PingOne server’s .well-known
OpenID Connect endpoint. Settings gathered from the endpoint include the paths to use for OAuth 2.0 authorization requests, and login endpoints.
-
Android
-
iOS
Use the FROptions.discover
method to use the .well-known
endpoint to configure OAuth 2.0 paths:
val option =
options.discover("https://auth.pingone.com/3072206d-c6ce-ch15-m0nd-f87e972c7cc3/as/.well-known/openid-configuration")
FRAuth.start(context, option)
Use the FROptions.discover
method to use the .well-known
endpoint to configure OAuth 2.0 paths:
let options = try await FROptions(config: config).discover(
discoveryURL: "https://auth.pingone.com/3072206d-c6ce-ch15-m0nd-f87e972c7cc3/as/.well-known/openid-configuration")
try FRAuth.start(options: options)
Limitations
-
Apps do not manage tokens from multiple servers, only those of the currently active server.
-
Dynamic configuration is not persistent.
-
Dynamic configuration applies to core configuration, not extensions such as callback overrides, device profile configuration, and request interception.
-
FRUI pre-defined UI elements do not use dynamic configuration.