PingOne Platform APIs

OpenID Connect/OAuth 2 APIs

PingOne integrates with applications that use standards-compliant protocols by taking on the role of an OpenID Connect provider and OAuth 2 authorization server. In this capacity, PingOne provides the framework for connected applications to access protected HTTP resources. For more information about OpenID Connect and OAuth 2, refer to the OpenID Connect 1.0 spec and the OAuth 2.0 Authorization Framework (RFC 6749).

Authorize endpoints

The authorize endpoints support the following actions:

  • The authorize endpoint /{{envID}}/as/authorize is used to interact with the end user and obtain an authorization grant. Note that PingOne supports both GET and POST operations for authorize requests. The supported parameters for an authorize request vary depending on the value of the response_type parameter (code, token, id_token or combinations of these three options).

  • For non-redirect flows, such as native mobile apps in which the app renders the end-user interface, the response_mode property is set to pi.flow. This setting allows the app to authenticate using the PingOne flows API without needing to handle HTTP redirections. The pi.flow value is also used in transaction approval use cases, in which strong authentication is required to provide elevated security for a high-value transaction or a high-risk resource or service.

For detailed information about OAuth endpoints from the PingOne API Reference, refer to OpenID Connect/OAuth 2.

Token endpoints

The token endpoints support the following actions:

  • The token endpoint /{{envID}}/as/token is used by the client to obtain an access token by presenting its authorization grant.

  • The token introspection endpoint /{{envID}}/as/introspect returns the active state of an OAuth 2.0 token and the claims specified in RFC 7662 Section 2.2.

  • The token revocation endpoint /{{envID}}/as/revoke revokes the token specified in the request. This operation does not apply to the tokens issued for the PingOne API resource.

For detailed information about the token endpoints from the PingOne API Reference, refer to Token.

Pushed Authorization Request (PAR) endpoints

Applications can use a pushed authorization request (PAR) to send their authorization requests directly to PingOne without going through the browser, which keeps sensitive data from being exposed on end-user devices. With a PAR, an application pushes the authorization request payload to PingOne in a direct back-channel request, which is a more secure way to send sensitive data, such as personally identifiable information, than sending it through a browser on the front channel.

The PAR endpoint accepts the same request parameters as /{{envID}}/as/authorize, as well as any additional parameters needed for client authentication.
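
The PAR flow described above, as an added example that is not from the PingOne documentation: it builds the back-channel push, then the front-channel redirect, which carries only client_id and the request_uri reference (response shape per RFC 9126). The auth.pingone.com host, the /as/par path, HTTP Basic client authentication, and all sample values are assumptions not stated on this page.

```python
import base64
import time
from urllib.parse import urlencode

# Assumptions (not from the page): host, /as/par path, Basic client auth.
BASE = "https://auth.pingone.com"
ENV_ID = "00000000-0000-0000-0000-000000000000"  # placeholder environment ID


def build_par_request(client_id, client_secret, authz_params):
    """Back-channel POST: the authorize parameters plus client authentication."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{BASE}/{ENV_ID}/as/par",
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(authz_params),
    }


def build_authorize_url(client_id, par_response, received_at, now=None):
    """Front-channel redirect: only client_id and the request_uri reference."""
    now = time.time() if now is None else now
    request_uri = par_response.get("request_uri")
    if not request_uri:
        raise ValueError("PAR response carries no request_uri")
    # The reference is short-lived; never redirect with a stale one.
    if now >= received_at + int(par_response["expires_in"]):
        raise ValueError("request_uri expired; push the request again")
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"{BASE}/{ENV_ID}/as/authorize?{query}"


# Constructed sample data.
AUTHZ_PARAMS = {
    "response_type": "code",
    "redirect_uri": "https://app.example.com/callback",
    "scope": "openid profile",
    "state": "constructed-state-value",
    "login_hint": "jane.doe@example.com",  # PII kept off the front channel
}
PAR_RESPONSE = {  # field names from RFC 9126; values constructed
    "request_uri": "urn:ietf:params:oauth:request_uri:constructed-ref-123",
    "expires_in": 60,
}

if __name__ == "__main__":
    print(build_par_request("my-client-id", "my-client-secret", AUTHZ_PARAMS))
    print(build_authorize_url("my-client-id", PAR_RESPONSE, time.time()))
```
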

For detailed information about the PAR endpoints from the PingOne API Reference, refer to Pushed Authorization Request.