Authorization and authentication
The following section provides additional information about PingOne platform authorization and authentication workflows. It also includes detailed information about access tokens and ID tokens.
-
Authorization and authentication by application type
PingOne supports several application types. When you define a new application, you must specify the type property value that best describes the application.
-
Authorization flow by grant type
Authorization and authentication sign-on flows depend on the application’s grant type. When you define a new application, you must specify its grant type.
-
PingOne authentication flow states
An application’s sign-on policy determines the flow states and the corresponding actions required to complete the workflow.
-
Access tokens and ID tokens are credential strings that provide authorization to access a protected resource. All tokens in PingOne are signed JSON Web Tokens (JWTs).
-
Postman collection-level authorization
We use Postman to create our PingOne API docs, and have supplied our Postman collections for you to download. There’s also an accompanying Postman Environment template already populated with the variables used in the collections. In PingOne collections, the authorization method is defined at the collection level, and this section describes how to use collection-level request authentication in Postman.
Workflows
-
This activity shows you how to create a simple login using only a username and password.
-
Configure a PKCE authorization workflow
This activity uses a Proof Key for Code Exchange (PKCE) authorization flow, which specifies additional parameters in the request to prevent malicious apps from intercepting the authorization code.
-
Create an MFA Transaction Approval using SMS
This activity shows you how to create a transaction approval MFA authentication flow using a request token to encode the request parameters in a signed JWT.
-
Use LOGIN and MFA Actions to Authenticate Users
This activity shows you how to create a sign-on policy with login and mfa actions.
-
Configure a Progressive Profiling Sign-On Action
This activity shows you how to create a sign-on policy with a progressive profiling action.
-
Use LOGIN and AGREEMENT Actions to Authenticate Users
This activity shows you how to create a sign-on policy with login and agreement actions.
-
Configure an MFA Only Flow Using a Login Hint Token
This activity shows you how to create an MFA only authentication flow using a login_hint_token to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT.
-
Test an OAuth Connection using Identifier First Authentication
This activity shows you how to test an OAuth connection using the identifier first login flow. The identifier first login flow will first prompt a user for a username, and then use the identity provider discovery rules defined in the sign-on policy to route the user to the correct external identity provider for authentication.