Native and single-page applications
For native applications and single-page applications, the default grant type to request access to protected resources is implicit.
Native applications also use the
For the implicit flow, the application is issued an access token without requiring an authorization code exchange. When the request is made to the /{{envID}}/as/authorize endpoint for an implicit grant type, the value of the response_type parameter is set to token or id_token.
If the request contains the id_token response type and the openid scope, then it is considered an authentication (OpenID Connect) request, and an ID token is issued. The ID token includes the ID of the user; this request can also include the profile, email, address, and phone OIDC scopes to add additional user claims to the ID token.
The following sample shows the GET /{{envID}}/as/authorize operation to return an id_token.
https://auth.pingone.com/{{envID}}/as/authorize?client_id={{appID}}&redirect_uri={{redirect_uri}}&response_type=id_token&scope=openid%20profile%20email&acr_values=Single_Factor&max_age=86400
The request can specify the token or id_token response types individually, or both. The following sample shows the GET /{{envID}}/as/authorize operation to return a token and an id_token:
curl --request GET \
--url 'https://auth.pingone.com/{{envID}}/as/authorize?client_id={{appID}}&redirect_uri={{redirect_uri}}&response_type=token%20id_token&nonce=12345&scope=openid%20profile%20p1:read:user&acr_values=Single_Factor&max_age=86400'
In this request, the p1:read:user scope is included in the access token but not in the ID token.
The request URL contains the following parameter values:
- response_type: Specifies the response type for the authorization request. The implicit grant type requires a response_type parameter value of token or id_token (or both). This parameter is required.
- client_id: Specifies the application’s UUID, returned from a GET /environments/{{envID}}/applications/{{appID}} request. This parameter is required.
- redirect_uri: Provides a URL that specifies the return entry point of the application. This parameter is required. To ensure proper redirect on some iOS and OSX browsers, the redirect_uri value must include a trailing slash. For example, a registered URI of https://www.pingidentity.com/ redirects properly to https://www.pingidentity.com/#access_token=eyJsdf, but a registered URI of https://www.pingidentity.com redirects incorrectly to https://www.pingidentity.com/en.html, and the client application would not receive the access token.
- nonce: A string that is used to associate a client session with a token to mitigate replay attacks. The value is passed through unmodified from the authentication request to the token. This is a required property for authorization requests that return a token. It is not required for requests that return only an id_token.
- scope: Specifies permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources.
- acr_values: An optional parameter that designates whether the authentication request includes specified sign-on policies. Sign-on policy names should be listed in order of preference, and they must be assigned to the application. For more information, refer to Sign-on policies in the PingOne Platform API Reference.
- max_age: An optional parameter that specifies the maximum amount of time allowed since the user last authenticated. If the max_age value is exceeded, the user must re-authenticate.
After all login action steps in the flow are completed successfully, the GET /{{envID}}/as/resume endpoint is called to continue processing the authorization request.
https://auth.pingone.com/{{envID}}/as/resume?flowId={{flowID}}
The authorization service generates the token or id_token for the application after restarting the authorization flow; it does not require a step to call the /{{envID}}/as/token endpoint.
The authorization server can issue refresh tokens to native applications. However, when a native application uses the