Tech Tip – PingFederate – OAuth 2.0 Summary

OAuth 2.0 Endpoints
| Endpoint | Description | URL |
|---|---|---|
| Authorization | The OAuth authorization server (AS) uses the authorization endpoint to interact directly with resource owners, authenticate them, and obtain their authorizations. | /as/authorization.oauth2 |
| Client Initiated Backchannel Authentication | A CIBA-capable client uses this endpoint to initiate a backchannel, out-of-band flow to authenticate the resource owners and obtain their authorizations. | /as/bc-auth.ciba |
| Token Endpoint | The client presents its authorization grant to the token endpoint to obtain an access token and a refresh token when needed. | /as/token.oauth2 |
| Introspection Endpoint | A resource server (RS) client uses the introspection endpoint to validate an access token or a refresh token prior to granting access to a protected-resources call. | /as/introspect.oauth2 |
| Token revocation endpoint | The token revocation endpoint allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. | /as/revoke_token.oauth2 |
| Grant-management endpoint | Resource owners use the grant-management endpoint to view, and optionally revoke, the persistent access grants they have made. | as/grants.oauth2 and /as/ |
| OpenID Provider (OP) configuration endpoint | The OpenID Provider (OP) configuration endpoint provides configuration information for the OAuth clients to interface with PingFederate using the OpenID Connect protocol. | /.well-known/openid-configuration |
| UserInfo endpoint | OAuth clients can present access tokens to the UserInfo endpoint to retrieve additional information about the resource owners. | /idp/userinfo.openid |

| Grant Type | Client Profile | Client Secret | Redirect URI? | Refresh Token Possible? |
|---|---|---|---|---|
| Authorization Code | Web Server App | Yes | Yes | Yes |
| Implicit | Browser Based App | No | Yes | No |
| Resource Owner Password Credentials | Native Mobile App | Yes | Yes | Yes |
| Client Credential | Internal Server App | Yes | No | No |