PingOne Flows

The flow endpoint is used to interact with the user in a sign-on workflow. Flow endpoint operations are used only to implement custom authentication UIs. OIDC/OAuth 2 and SAML requests initiate the flow and redirect the browser to the custom authentication UI (which is configured in the application through the application’s loginPageUrl property).

Flows expire after 15 minutes of inactivity. Interacting with a flow beyond this period results in a 404.

Common sign-on actions

Login actions

The flow endpoint can initiate login actions that specify the operations required to authenticate with a username and password.

Multi-factor authentication actions

The flow endpoint can also initiate multi-factor authentication (MFA) actions that specify the operations required to complete authentication using a registered user device and a one-time password (OTP).

Identity first actions

The flow can initiate a discovery action used to identify the user by username and determine the applicable authentication methods for this user.

Progressive profiling actions

Progressive profiling actions prompt users to provide additional data at sign on. This action type does not authenticate users. It is used only to obtain additional profile data.

Agreement actions

Agreement actions enforce user consent to an agreement at sign on. This action type does not authenticate users. It is used only to obtain user consent to a terms of service agreement.

Identity provider actions

An action that bypasses the PingOne sign-on prompt and immediately redirects the user to an external identity provider’s sign-on workflow to authenticate.

Workflows

Flow status

In a sign-on workflow, the flow’s status property value returned by the last action identifies the appropriate next action in the authentication process. For example, if an application uses the LOGIN sign-on policy, when a user initiates sign-on and starts the authentication flow, the response returned by the flow shows a status value that specifies the next required step to complete this flow successfully. For the LOGIN sign-on policy, the next action prompts the user to enter a username and password, as indicated by the USERNAME_PASSWORD_REQUIRED value in the status property.

"status" : "USERNAME_PASSWORD_REQUIRED"

The response data includes a link to the required action, which in this case is the usernamePassword.check:

{
  "_links" : {
    "self" : {
      "href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
    },
    "session.reset" : {
      "href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
    },
    "usernamePassword.check" : {
      "href" : "https://auth.pingone.com/{{envID}}/flows/{{flowID}}"
    }
  },

After the user submits a username and password, the flow calls the usernamePassword.check action to verify the username and password.

For more information about flow actions, refer to Flow API Actions.

Flow status values

An authentication flow can return one of the following status values in response to a sign-on action:

Status value Description

Status value	Description
`USERNAME_PASSWORD_REQUIRED`	This value specifies that a username and password is required. This status can initiate a `usernamePassword.check` action, a `user.register` action, a `registration.external` action, a `password.forgot` action, or an `authenticate` action to sign on using an external identity provider.
`PASSWORD_REQUIRED`	This value specifies that a password is required. This status initiates a `usernamePassword.check` action.
`SIGN_ON_REQUIRED`	This value specifies that a sign-on action is required. This status transitions to a `user.lookup` action and a `registration.external` action in a passwordless authentication flow.
`RECOVERY_CODE_REQUIRED`	This value specifies that the user initiated a `password.forgot` action and a recovery code must be sent. This status calls the `password.recover` action.
`VERIFICATION_REQUIRED`	This value specifies that the user’s account must be verified. This status calls the `user.verify` action.
`OTP_REQUIRED`	This value specifies that the user must complete a multi-factor authentication action. This status calls the `otp.check` action.
`DEVICE_SELECTION_REQUIRED`	This value specifies that the user must complete a device selection multi-factor authentication action. This status calls the `device.select` action.
`PASSWORD_EXPIRED`	This value specifies that a user’s password has expired and must be updated. This status calls the `password.reset` action.
`MUST_CHANGE_PASSWORD`	This value specifies that a temporary password must be changed or updated. This status calls the `password.reset` action.
`ACCOUNT_LINKING_REQUIRED`	This value specifies that the external identity returned by the identity provider requires an account linking action to link the external account to an existing user. This status can initiate a `usernamePassword.check` to link to an existing user, a `user.register` action to create a link to a new user, a `registration.external` action, or a `password.forgot` to link to an existing user who has forgotten the password.
`ACCOUNT_CONFIRMATION_REQUIRED`	This value specifies that the external identity information returned by the identity provider requires an account confirmation action to verify the account data. This status can initiate a `user.confirm` action to verify the account information.
`EXTERNAL_AUTHENTICATION_REQUIRED`	This value specifies that account authentication is required through an external identity provider’s authentication flow. The `authenticate` embedded resource link provides the location to redirect the browser to sign on with the specified identity provider.
`PROFILE_DATA_REQUIRED`	This value specifies that user must submit the requested profile data in order to continue the authentication flow.
`COMPLETED`	This value specifies that the entire flow is completed and initiates a browser redirect to the `resumeUrl` property to continue.
`FAILED`	This value specifies that the entire flow has failed.
`PUSH_CONFIRMATION_REQUIRED`	This value specifies that a push was sent to a native device to confirm the authentication. The client will have to poll this status using `GET /{{envID}}/flows/{{flowID}}` to check whether the native device answered the push.
`PUSH_CONFIRMATION_TIMED_OUT`	This value specifies that a push was sent to a native device, but the native device didn’t answer the push during the allowed timeframe.
`ASSERTION_REQUIRED`	This value specifies that for a FIDO2 device type, an assertion generated by the browser from the provided webauthn public key credential request is required to continue the flow. The flow calls the `assertion.check` action.
`AGREEMENT_CONSENT_REQUIRED`	This value specifies that users need to consent to an agreement. This status calls the `user.consent` action.
`DAG_USER_CODE_REQUIRED`	This value specifies that an activation action is required to continue the flow. The flow calls the `deviceAuthGrant.userCode.verify` action.
`DAG_CONSENT_REQUIRED`	This value specifies that users need to consent to a device authorization grant agreement. This status calls the `deviceAuthGrant.consent` action. After accepting consent, a record is stored in the user’s OAuth Scope Consents.
`COMPLETED_ACCEPTED`	This completed state is used for device authorization grants to transition to a completed state. Unlike the `COMPLETED` flow state, this state does not transition the flow to the resume URL.
`COMPLETED_DECLINED`	This completed state is used for device authorization grants to transition to a completed state, and it generates a "device consent declined" audit event.

USERNAME_PASSWORD_REQUIRED

This value specifies that a username and password is required. This status can initiate a usernamePassword.check action, a user.register action, a registration.external action, a password.forgot action, or an authenticate action to sign on using an external identity provider.

PASSWORD_REQUIRED

This value specifies that a password is required. This status initiates a usernamePassword.check action.

SIGN_ON_REQUIRED

This value specifies that a sign-on action is required. This status transitions to a user.lookup action and a registration.external action in a passwordless authentication flow.

RECOVERY_CODE_REQUIRED

This value specifies that the user initiated a password.forgot action and a recovery code must be sent. This status calls the password.recover action.

VERIFICATION_REQUIRED

This value specifies that the user’s account must be verified. This status calls the user.verify action.

OTP_REQUIRED

This value specifies that the user must complete a multi-factor authentication action. This status calls the otp.check action.

DEVICE_SELECTION_REQUIRED

This value specifies that the user must complete a device selection multi-factor authentication action. This status calls the device.select action.

PASSWORD_EXPIRED

This value specifies that a user’s password has expired and must be updated. This status calls the password.reset action.

MUST_CHANGE_PASSWORD

This value specifies that a temporary password must be changed or updated. This status calls the password.reset action.

ACCOUNT_LINKING_REQUIRED

This value specifies that the external identity returned by the identity provider requires an account linking action to link the external account to an existing user. This status can initiate a usernamePassword.check to link to an existing user, a user.register action to create a link to a new user, a registration.external action, or a password.forgot to link to an existing user who has forgotten the password.

ACCOUNT_CONFIRMATION_REQUIRED

This value specifies that the external identity information returned by the identity provider requires an account confirmation action to verify the account data. This status can initiate a user.confirm action to verify the account information.

EXTERNAL_AUTHENTICATION_REQUIRED

This value specifies that account authentication is required through an external identity provider’s authentication flow. The authenticate embedded resource link provides the location to redirect the browser to sign on with the specified identity provider.

PROFILE_DATA_REQUIRED

This value specifies that user must submit the requested profile data in order to continue the authentication flow.

COMPLETED

This value specifies that the entire flow is completed and initiates a browser redirect to the resumeUrl property to continue.

FAILED

This value specifies that the entire flow has failed.

PUSH_CONFIRMATION_REQUIRED

This value specifies that a push was sent to a native device to confirm the authentication. The client will have to poll this status using GET /{{envID}}/flows/{{flowID}} to check whether the native device answered the push.

PUSH_CONFIRMATION_TIMED_OUT

This value specifies that a push was sent to a native device, but the native device didn’t answer the push during the allowed timeframe.

ASSERTION_REQUIRED

This value specifies that for a FIDO2 device type, an assertion generated by the browser from the provided webauthn public key credential request is required to continue the flow. The flow calls the assertion.check action.

AGREEMENT_CONSENT_REQUIRED

This value specifies that users need to consent to an agreement. This status calls the user.consent action.

DAG_USER_CODE_REQUIRED

This value specifies that an activation action is required to continue the flow. The flow calls the deviceAuthGrant.userCode.verify action.

DAG_CONSENT_REQUIRED

This value specifies that users need to consent to a device authorization grant agreement. This status calls the deviceAuthGrant.consent action. After accepting consent, a record is stored in the user’s OAuth Scope Consents.

COMPLETED_ACCEPTED

This completed state is used for device authorization grants to transition to a completed state. Unlike the COMPLETED flow state, this state does not transition the flow to the resume URL.

COMPLETED_DECLINED

This completed state is used for device authorization grants to transition to a completed state, and it generates a "device consent declined" audit event.

Flow status data model and embedded resources

The following sections show the parameters required by the flow status. In addition, the following links and embedded resources are returned in the flow response for the given flow status.

USERNAME_PASSWORD_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`username`	String	Required	Mutable	A string that specifies the username or ID of the user to authenticate.
`password`	String	Required	Mutable	A string that specifies the password or ID of the user to authenticate.

username

String

Required

Mutable

A string that specifies the username or ID of the user to authenticate.

password

String

Required

Mutable

A string that specifies the password or ID of the user to authenticate.

Links Description

Links	Description
`usernamePassword.check`	The link to initiate a sign-on action that allows users to login with a username and password. The request body requires the `username` and `password` attributes.
`user.register`	The link to initiate a sign-on action to register a user. The request body requires the `username`, `email`, and `password` attributes needed to define a new user.
`registration.external`	The link to redirect a sign-on action to register a user to an external identity provider’s registration workflow.
`password.forgot`	The link to initiate an action to recover a user’s forgotten password. The request body requires the `username` attribute to identify the user.

usernamePassword.check

The link to initiate a sign-on action that allows users to login with a username and password. The request body requires the username and password attributes.

user.register

The link to initiate a sign-on action to register a user. The request body requires the username, email, and password attributes needed to define a new user.

registration.external

The link to redirect a sign-on action to register a user to an external identity provider’s registration workflow.

password.forgot

The link to initiate an action to recover a user’s forgotten password. The request body requires the username attribute to identify the user.

Embedded resources Description

Embedded resources	Description
`socialProviders.authenticate`	The link to the external authentication resource to initiate authentication using an external identity provider’s authentication flow. The response also returns the following information about the identity provider: `id`, `name`, and `type`. For more information, refer to Base identity providers data model.
`passwordPolicy`	The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, refer to Password policies data model.

socialProviders.authenticate

The link to the external authentication resource to initiate authentication using an external identity provider’s authentication flow. The response also returns the following information about the identity provider: id, name, and type. For more information, refer to Base identity providers data model.

passwordPolicy

The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, refer to Password policies data model.

If an associated login action is configured with the enforceLockoutForIdentityProviders property set to true, and the user’s account is locked out (the account.canAuthenticate attribute is set to false), the login flow fails and returns an ACCOUNT_LOCKED_OUT error.

SIGN_ON_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`username`	String	Required	Mutable	A string that specifies the username or ID of the user to sign on.

username

String

Required

Mutable

A string that specifies the username or ID of the user to sign on.

Links Description

Links	Description
`user.lookup`	The link for existing users to sign on using their `username`.
`registration.external`	The link to redirect a sign-on action to register a user to an external identity provider’s registration workflow.

user.lookup

The link for existing users to sign on using their username.

registration.external

The link to redirect a sign-on action to register a user to an external identity provider’s registration workflow.

PASSWORD_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`username`	String	Required	Mutable	A string that specifies the username or ID of the user to authenticate. If provided, must match the user currently associated with the session.
`password`	String	Required	Mutable	A string that specifies the password or ID of the user to authenticate.

username

String

Required

Mutable

A string that specifies the username or ID of the user to authenticate. If provided, must match the user currently associated with the session.

password

String

Required

Mutable

A string that specifies the password or ID of the user to authenticate.

Links Description

Links	Description
`usernamePassword.check`	The link to initiate a sign-on action that allows users to log in with a username and password. The request body requires the `username` and `password` attributes.
`password.forgot`	The link to initiate an action to recover a user’s forgotten password. The request body requires the `username` attribute to identify the user.

usernamePassword.check

The link to initiate a sign-on action that allows users to log in with a username and password. The request body requires the username and password attributes.

password.forgot

The link to initiate an action to recover a user’s forgotten password. The request body requires the username attribute to identify the user.

Embedded resources Description

Embedded resources	Description
`socialProviders.authenticate`	The link to the external authentication resource to initiate authentication using an external identity provider’s authentication flow. The response also returns the following information about the identity provider: `id`, `name`, and `type`. For more information, refer to Base identity providers data model.

socialProviders.authenticate

PASSWORD_EXPIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`currentPassword`	String	Required	Mutable	A string that specifies the current password, which must be verified before the new password is set.
`newPassword`	String	Required	Mutable	A string that specifies the new password to set.

currentPassword

String

Required

Mutable

A string that specifies the current password, which must be verified before the new password is set.

newPassword

String

Required

Mutable

A string that specifies the new password to set.

Links Description

Links	Description
`password.reset`	The link to initiate a sign-on action that allows users to reset their password. The request body requires the `currentPassword` and `newPassword` attributes.

password.reset

The link to initiate a sign-on action that allows users to reset their password. The request body requires the currentPassword and newPassword attributes.

Embedded resources Description

Embedded resources	Description
`passwordPolicy`	The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, refer to Password policies data model.

passwordPolicy

The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, refer to Password policies data model.

MUST_CHANGE_PASSWORD

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`currentPassword`	String	Required	Mutable	A string that specifies the current password, which must be verified before the new password is set.
`newPassword`	String	Required	Mutable	A string that specifies the new password to set.

currentPassword

String

Required

Mutable

A string that specifies the current password, which must be verified before the new password is set.

newPassword

String

Required

Mutable

A string that specifies the new password to set.

Links Description

Links	Description
`password.reset`	The link to initiate a sign-on action that allows users to reset their password. The request body requires the `currentPassword` and `newPassword` attributes.

password.reset

The link to initiate a sign-on action that allows users to reset their password. The request body requires the currentPassword and newPassword attributes.

Embedded resources Description

Embedded resources	Description
`passwordPolicy`	The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, refer to Password policies data model.

passwordPolicy

The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, refer to Password policies data model.

RECOVERY_CODE_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`recoveryCode`	String	Required	Mutable	A string that specifies the recovery code sent to the user to recover the user’s password.
`newPassword`	String	Required	Mutable	A string that specifies the new password to set.

recoveryCode

String

Required

Mutable

A string that specifies the recovery code sent to the user to recover the user’s password.

newPassword

String

Required

Mutable

A string that specifies the new password to set.

Links Description

Links	Description
`password.recover`	The link to initiate an action to recover the account and set a new password. The request body requires the `recoveryCode` and `newPassword` attributes.
`password.sendRecoveryCode`	The link to send the one-time password (OTP) to the user.

password.recover

The link to initiate an action to recover the account and set a new password. The request body requires the recoveryCode and newPassword attributes.

password.sendRecoveryCode

The link to send the one-time password (OTP) to the user.

Embedded resources Description

Embedded resources	Description
`passwordPolicy`	The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, refer to Password policies data model.

passwordPolicy

The embedded password policy resource expanded to show password policy attributes. For more information about password policy attributes, refer to Password policies data model.

VERIFICATION_CODE_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`verificationCode`	String	Required	Mutable	A string that specifies the verification code to check.

verificationCode

String

Required

Mutable

A string that specifies the verification code to check.

Links Description

Links	Description
`user.verify`	The link to initiate an action to verify the user account to continue the authentication flow.
`user.sendVerificationCode`	The link to initiate an action to send the user a new account verification email.

user.verify

The link to initiate an action to verify the user account to continue the authentication flow.

user.sendVerificationCode

The link to initiate an action to send the user a new account verification email.

DEVICE_SELECTION_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`device.id`	String	Required	Mutable	A string that specifies the ID of the selected device.

device.id

String

Required

Mutable

A string that specifies the ID of the selected device.

Links Description

Links	Description
`device.select`	The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.

device.select

The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.

Embedded resources Description

Embedded resources	Description
`devices`	The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, refer to Device properties.

devices

The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, refer to Device properties.

OTP_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`selectedDevice.id`	String	Required	Mutable	A string that specifies the ID of the currently selected device.

selectedDevice.id

String

Required

Mutable

A string that specifies the ID of the currently selected device.

Links Description

Links	Description
`device.select`	The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.
`otp.check`	The link to initiate an action to validate the OTP used in the multi-factor authentication flow.

device.select

The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.

otp.check

The link to initiate an action to validate the OTP used in the multi-factor authentication flow.

Embedded resources Description

Embedded resources	Description
`devices`	The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, refer to Device properties.

devices

The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, refer to Device properties.

PUSH_CONFIRMATION_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`selectedDevice.id`	String	Required	Mutable	A string that specifies the ID of the currently selected device.

selectedDevice.id

String

Required

Mutable

A string that specifies the ID of the currently selected device.

Links Description

Links	Description
`device.select`	The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.

device.select

The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.

Embedded resources Description

Embedded resources	Description
`devices`	The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, refer to Device properties.

devices

The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, refer to Device properties.

PUSH_CONFIRMATION_TIMED_OUT

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`selectedDevice.id`	String	Required	Mutable	A string that specifies the ID of the currently selected device.

selectedDevice.id

String

Required

Mutable

A string that specifies the ID of the currently selected device.

Links Description

Links	Description
`device.select`	The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.

device.select

The link to initiate an action to specify a device ID to use in the multi-factor authentication flow.

Embedded resources Description

Embedded resources	Description
`devices`	The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, refer to Device properties.

devices

The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, refer to Device properties.

For MFA actions that use push notification on a native device, the user resource must have a native device and an application associated with its user ID. In cases where a push token is sent to an uninstalled application, APNs may not return an unregistered application error. By not returning an error, the MFA flow continues to prompt for push confirmation and can result in a PUSH_CONFIRMATION_TIMED_OUT status.

ACCOUNT_LINKING_REQUIRED

Links Description

Links	Description
`user.register`	The link to initiate a sign-on action that initiates an action to register a user. The request body requires the `username`, `email`, and `password` attributes to define a new user.
`registration.external`	The link to redirect a sign-on action to register a user to an external identity provider’s registration workflow.

user.register

The link to initiate a sign-on action that initiates an action to register a user. The request body requires the username, email, and password attributes to define a new user.

registration.external

The link to redirect a sign-on action to register a user to an external identity provider’s registration workflow.

Embedded resources Description

Embedded resources	Description
`matchedUsers`	An array of 0 or more users that match the external identity. The request returns the `username`, `email`, and `lastSignedOnAt` attributes needed to identify the user.
`identityProviders`	The external identity provider used to authenticate. The request returns the `name` and `type` attributes needed to identify the identity provider used for authentication.

matchedUsers

An array of 0 or more users that match the external identity. The request returns the username, email, and lastSignedOnAt attributes needed to identify the user.

identityProviders

The external identity provider used to authenticate. The request returns the name and type attributes needed to identify the identity provider used for authentication.

ACCOUNT_CONFIRMATION_REQUIRED

Links Description

Links	Description
`user.confirm`	The link to initiate an action to verify the data returned by the external identity provider. The request body can include the returned attributes from the identity provider.

user.confirm

The link to initiate an action to verify the data returned by the external identity provider. The request body can include the returned attributes from the identity provider.

Embedded resources Description

Embedded resources	Description
`attributes`	An array of attributes returned by the external identity provider.

attributes

An array of attributes returned by the external identity provider.

EXTERNAL_AUTHENTICATION_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`name`	String	Required	Mutable	A string that specifies the name of the identity provider.
`type`	String	Required	Mutable	A string that specifies the identity provider type.

name

String

Required

Mutable

A string that specifies the name of the identity provider.

type

String

Required

Mutable

A string that specifies the identity provider type.

Embedded resources Description

Embedded resources	Description
`identityProvider.authenticate`	A string that specifies the URL for the external identity provider’s sign-on screen to initiate authentication with the external identity provider.
`identityProvider.loginButtonIcon`	A string that specifies the URL for the external identity provider’s login button icon file.

identityProvider.authenticate

A string that specifies the URL for the external identity provider’s sign-on screen to initiate authentication with the external identity provider.

identityProvider.loginButtonIcon

A string that specifies the URL for the external identity provider’s login button icon file.

PROFILE_DATA_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`displayName`	String	Required	Mutable	A string that specifies the display name as defined in the user schema.
`name`	String	Required	Mutable	A string that specifies the attribute name/path as defined in the user schema (for example, `email`, `address.postalCode`).
`required`	Boolean	Required	Mutable	A boolean that specifies whether the user is required to provide a value for the attribute.

displayName

String

Required

Mutable

A string that specifies the display name as defined in the user schema.

name

String

Required

Mutable

A string that specifies the attribute name/path as defined in the user schema (for example, email, address.postalCode).

required

Boolean

Required

Mutable

A boolean that specifies whether the user is required to provide a value for the attribute.

Links Description

Links	Description
`user.update`	The link to update the specified user’s profile with the user attribute values provided in the request.

user.update

The link to update the specified user’s profile with the user attribute values provided in the request.

Embedded resources Description

Embedded resources	Description
`attributes`	An array of user attributes provided to update the user’s profile.
`attributes.name`	A string that specifies the attribute path, as defined in the user schema (for example, `email`, `name.family`, `address.postalCode`).
`attributes.displayName`	A string that specifies the attribute’s display name, as defined in the user schema. This property is optional.
`attributes.required`	A boolean that specifies whether the user is required to provide a value for the attribute.
`promptText`	A string that specifies text to display to the user when prompting for attribute values.

attributes

An array of user attributes provided to update the user’s profile.

attributes.name

A string that specifies the attribute path, as defined in the user schema (for example, email, name.family, address.postalCode).

attributes.displayName

A string that specifies the attribute’s display name, as defined in the user schema. This property is optional.

attributes.required

A boolean that specifies whether the user is required to provide a value for the attribute.

promptText

A string that specifies text to display to the user when prompting for attribute values.

ASSERTION_REQUIRED

Response property Description

Response property	Description
`publicKeyCredentialRequestOptions`	A string that specifies the public key credential request options object generated for the selected device that should be used to call the `navigator.credentials.get()` on the browser to generate the assertion.

publicKeyCredentialRequestOptions

A string that specifies the public key credential request options object generated for the selected device that should be used to call the navigator.credentials.get() on the browser to generate the assertion.

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`assertion`	String	Required	Mutable	A string that specifies the authenticator assertion response, which contains the signed challenge needed to complete the MFA action.
`compatibility`	String	Optional	Mutable	A string that specifies the browser compatibility to support webauthn. Options are `FULL` (compatible with FIDO2 biometrics and security key), `SECURITY_KEY_ONLY` (compatible with security key only), and `NONE` (browser is not compatible with the webauthn method).
`origin`	String	Required	Mutable	A string that specifies the server name where the fetch originates, providing the URI scheme and hostname (for example, https://apps.pingone.com).

assertion

String

Required

Mutable

A string that specifies the authenticator assertion response, which contains the signed challenge needed to complete the MFA action.

compatibility

String

Optional

Mutable

A string that specifies the browser compatibility to support webauthn. Options are FULL (compatible with FIDO2 biometrics and security key), SECURITY_KEY_ONLY (compatible with security key only), and NONE (browser is not compatible with the webauthn method).

origin

String

Required

Mutable

A string that specifies the server name where the fetch originates, providing the URI scheme and hostname (for example, https://apps.pingone.com).

Links Description

Links	Description
`device.select`	The link to initiate an action to specify a device ID to use in the multi-factor authentication flow. For more information, refer to Select an MFA device.
`assertion.check`	The link to initiate an action to validate the assertion used in the multi-factor authentication flow. For more information, refer to Check assertion.

device.select

The link to initiate an action to specify a device ID to use in the multi-factor authentication flow. For more information, refer to Select an MFA device.

assertion.check

The link to initiate an action to validate the assertion used in the multi-factor authentication flow. For more information, refer to Check assertion.

Embedded resources Description

Embedded resources	Description
`devices`	The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, refer to Devices model properties.

devices

The embedded devices resource expanded to show a list of authenticating devices for this operation. For more information about device attributes, refer to Devices model properties.

AGREEMENT_CONSENT_REQUIRED

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`accept`	Boolean	Required	Mutable	A boolean that specifies whether the user has consented to the agreement. This property is required for a `user.consent` action. The value is `true` if the user has consented to the agreement.

accept

Boolean

Required

Mutable

A boolean that specifies whether the user has consented to the agreement. This property is required for a user.consent action. The value is true if the user has consented to the agreement.

Links Description

user.consent

The link to initiate an action in which the user accepts the agreement.

DAG_USER_CODE_REQUIRED

Parameters Description

userCode

A string that specifies the user code value returned by the device authorization grant authorize request.

Links Description

deviceAuthGrant.userCode.verify

The link to initiate an action to verify the end-user’s user code.

DAG_CONSENT_REQUIRED

Parameters Description

accept

A boolean that specifies whether the user has consented to the agreement. This property is required for a deviceAuthGrant.consent action. The value is true if the user has consented to the agreement.

Links Description

deviceAuthGrant.consent

The link to initiate an action to complete the consent agreement. On accepting the agreement, the flow transitions to the COMPLETED_ACCEPTED flow state; otherwise, it transitions to COMPLETED_DECLINED.

PingOne Platform APIs

PingOne Flows

Common sign-on actions

Workflows

Flow status

Flow status values

Flow status data model and embedded resources

USERNAME_PASSWORD_REQUIRED

SIGN_ON_REQUIRED

PASSWORD_REQUIRED

PASSWORD_EXPIRED

MUST_CHANGE_PASSWORD

RECOVERY_CODE_REQUIRED

VERIFICATION_CODE_REQUIRED

DEVICE_SELECTION_REQUIRED

OTP_REQUIRED

PUSH_CONFIRMATION_REQUIRED

PUSH_CONFIRMATION_TIMED_OUT

ACCOUNT_LINKING_REQUIRED

ACCOUNT_CONFIRMATION_REQUIRED

EXTERNAL_AUTHENTICATION_REQUIRED

PROFILE_DATA_REQUIRED

ASSERTION_REQUIRED

AGREEMENT_CONSENT_REQUIRED

DAG_USER_CODE_REQUIRED

DAG_CONSENT_REQUIRED