Authorization flow by grant type
The authorization request flow depends on the grant type you have selected for the application.
- If the application’s grant type is authorization_code, PingOne returns an authorization code in the response to the application’s authorization request. The authorization code is used by the /as/token endpoint to get an ID token, an access token, or both.
- If the application’s grant type is implicit, the response to the authorization request is an id_token, a token (access token), or both, depending on the value of the response_type parameter in the authorization request.
- In a hybrid authorize flow, an authorization code is returned from the authorization endpoint, some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. The authorization endpoint’s response_type property specifies the code type and also specifies id_token, token, or both.
- For added security, you can also include Proof Key for Code Exchange (PKCE) parameters in the authorization request for the code and hybrid grant types. PKCE for OAuth uses either plain text or a cryptographic hash of a random string that is included in the authorization request (code_challenge) along with the encoding method used (code_challenge_method). When the authorization code is issued in the response, the original plain text or random string (code_verifier) is included in the token request.
- If the grant type is device_code, PingOne returns an activation code in the response to the POST /{{envID}}/as/device_authorization request. It starts a flow that gives OAuth-enabled devices, such as smart TVs, the ability to complete user authorization and access protected resources.
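The PKCE exchange described in the list above, as an added example that is not PingOne's code: the client derives code_challenge from code_verifier, and the token endpoint recomputes it before honoring the authorization code. Function names are hypothetical, and the encoding follows RFC 7636 (S256 is the base64url-encoded SHA-256 of the verifier, without padding).

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def new_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random string (32 random bytes -> 43 characters)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: the value sent as code_challenge in the authorization request."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    if method == "plain":
        return verifier  # challenge equals verifier: no protection if the request leaks
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_token_request(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Server side: check the code_verifier from the token request against the
    code_challenge and method stored when the authorization code was issued."""
    try:
        expected = code_challenge(verifier, stored_method)
    except ValueError:
        return False  # malformed verifier or unknown method: reject
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), stored_challenge.encode())


if __name__ == "__main__":
    v = new_code_verifier()
    c = code_challenge(v)
    print("code_challenge_method=S256 code_challenge=" + c)
    print("token request accepted:", verify_token_request(c, "S256", v))
    # With S256, replaying the challenge seen in the authorization request fails.
    print("challenge replayed as verifier:", verify_token_request(c, "S256", c))
```

With the plain method the challenge observed in the authorization request is itself a valid verifier, which is why S256 is the method to use whenever the client can compute SHA-256.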
The PingOne platform also supports the