OAuth 2.0 and PingFederate AS
OAuth 2.0 defines a protocol for securing application access to protected resources by issuing
access tokens to clients of Representational State Transfer (REST) APIs (and non-REST APIs).
Rather than the client authenticating to the API directly with its own credentials, or with the
credentials of a user, OAuth lets the client authenticate by presenting a previously obtained
token. The token represents (or contains) a set of attributes and/or policies appropriate to the
client and the user. Because neither the client's secret nor the user's password travels on the
API call itself, and because an access token is limited in scope and lifetime, tokens present
less of a security and privacy risk than sending secrets (or passwords) directly on the API call.
The API uses the token's attributes to authenticate the call and authorize access.
Client
Wants access to a resource protected by a Resource Server and interacts with an
Authorization Server to obtain access tokens.
Resource Server (RS)
Hosts and protects resources and makes them available to properly authenticated and
Authorization Server (AS)
Issues access tokens and refresh tokens to clients on behalf of the Resource Servers.
Resource Owner (RO)
Denies, grants, or revokes authorization to a client requesting access to resources
protected by the Resource Servers. The RO is the end user.
Access token
Allows clients to authenticate to a resource server and claim authorizations for accessing
particular resources. Access tokens have a specific authorization scope and duration.
Refresh token
Allows clients to obtain a fresh access token without re-obtaining authorization from the
resource owner. It is a long-lived token that a client can trade in to an authorization
server for a new (short-lived) access token carrying the same authorizations as the
existing access token.
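The following Python sketch is an added example, not PingFederate's own code and not code from this page. It models the roles and token types defined above end to end: an Authorization Server issuing HMAC-signed access tokens and opaque, server-side refresh tokens; a Resource Server checking signature, expiry and scope before releasing a resource; and a client trading a refresh token for a new access token once the old one expires. The token format, the key shared by the AS and RS, the scope names and all identifiers are assumptions made for the demo (a production AS would typically use asymmetric signatures or token introspection rather than a shared HMAC key).

```python
# Added illustration of the OAuth 2.0 roles above; not PingFederate code. The
# HMAC-signed JSON token format and the key shared by the Authorization Server
# and Resource Server are simplifying assumptions for the demo.
import base64
import hashlib
import hmac
import json
import secrets
import time

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AuthorizationServer:
    """AS role: issues access tokens and refresh tokens to clients."""
    def __init__(self, signing_key, access_ttl=300):
        self._key, self._access_ttl = signing_key, access_ttl
        self._refresh_store = {}  # opaque refresh token -> (client_id, subject, scope)

    def _sign(self, claims):
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, client_id, subject, scope, now=None):
        """Return (access_token, refresh_token) for a client acting for a resource owner."""
        now = time.time() if now is None else now
        access = self._sign({"client_id": client_id, "sub": subject,
                             "scope": sorted(scope), "exp": now + self._access_ttl})
        refresh = secrets.token_urlsafe(32)
        self._refresh_store[refresh] = (client_id, subject, frozenset(scope))
        return access, refresh

    def refresh(self, client_id, refresh_token, now=None):
        """Trade a refresh token for a fresh access token carrying the same scope."""
        entry = self._refresh_store.get(refresh_token)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        del self._refresh_store[refresh_token]  # rotate: a stolen copy cannot be replayed
        _, subject, scope = entry
        return self.issue(client_id, subject, set(scope), now)

    def revoke(self, refresh_token):
        """Resource owner withdraws the grant behind a refresh token."""
        self._refresh_store.pop(refresh_token, None)

class ResourceServer:
    """RS role: hosts protected resources and checks the presented access token."""
    def __init__(self, signing_key):
        self._key = signing_key

    def _verify(self, token, required_scope, now):
        body, _, mac = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            raise PermissionError("invalid_token")  # forged or tampered
        claims = json.loads(_unb64(body))
        if claims["exp"] <= (time.time() if now is None else now):
            raise PermissionError("invalid_token")  # expired
        if required_scope not in claims["scope"]:
            raise PermissionError("insufficient_scope")  # genuine token, wrong scope
        return claims

    def read_document(self, token, now=None):
        claims = self._verify(token, "docs:read", now)
        return {"owner": claims["sub"], "body": "constructed sample document"}

    def write_document(self, token, body, now=None):
        self._verify(token, "docs:write", now)
        return True

def is_denied(action):
    """True when the action is rejected with PermissionError."""
    try:
        action()
        return False
    except PermissionError:
        return True

def run_demo(now=1_700_000_000.0):
    """Client walk-through: issue, use, scope check, tampering, expiry, refresh, revoke."""
    key = b"constructed-demo-key-do-not-reuse"  # assumption: AS and RS share this key
    auth, rs = AuthorizationServer(key, access_ttl=300), ResourceServer(key)
    access, refresh = auth.issue("mobile-app", "alice", {"docs:read"}, now=now)
    tampered = access[:-1] + ("0" if access[-1] != "0" else "1")  # flip one MAC hex digit
    later = now + 301  # one second past the 300 s access-token lifetime
    new_access, new_refresh = auth.refresh("mobile-app", refresh, now=later)
    auth.revoke(new_refresh)
    return {
        "read_ok": rs.read_document(access, now=now)["owner"] == "alice",
        "write_out_of_scope": is_denied(lambda: rs.write_document(access, "x", now=now)),
        "tampered_rejected": is_denied(lambda: rs.read_document(tampered, now=now)),
        "expired_rejected": is_denied(lambda: rs.read_document(access, now=later)),
        "refreshed_read_ok": rs.read_document(new_access, now=later)["owner"] == "alice",
        "old_refresh_replay_rejected": is_denied(lambda: auth.refresh("mobile-app", refresh, now=later)),
        "revoked_refresh_rejected": is_denied(lambda: auth.refresh("mobile-app", new_refresh, now=later)),
    }

if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

Two design choices are worth noting. The access token is self-contained and verified locally by the RS, so it cannot be revoked before it expires; that is why its lifetime is short. The refresh token is opaque and looked up in the AS's store, so it can be revoked by the resource owner and is rotated on every use, which is what stops a stolen refresh token from being replayed after the legitimate client has used it.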
Based on the Internet Engineering Task Force (IETF) OAuth 2.0 Authorization Framework, RFC 6749
(tools.ietf.org/html/rfc6749), the OAuth AS in PingFederate supports a variety of interaction
models (grant types) suited to different kinds of clients, such as a server, a desktop
application, or an application on a phone or a tablet.