---
title: Authorization flow
description: When using the PingOne MFA IdP Adapter through the PingFederate authentication application programming interface (API), the following flow is used for requesting authorization using a push notification to the user's paired mobile app.
component: pingone
page_id: pingone:pingone_mfa_integration_kit:pf_p1_mfa_ik_authorization_flow
canonical_url: https://docs.pingidentity.com/integrations/pingone/pingone_mfa_integration_kit/pf_p1_mfa_ik_authorization_flow.html
revdate: June 15, 2024
section_ids:
  authorization-via-the-mobile-app: Authorization via the mobile app
---

# Authorization flow

When using the PingOne MFA IdP Adapter through the PingFederate authentication application programming interface (API), the following flow is used for requesting authorization using a push notification to the user's paired mobile app.

## Authorization via the mobile app

![A flow diagram showing the authorization process](_images/qjy1611964552690.png)

1. The user completes first-factor authentication. Completion of first-factor authentication is a prerequisite before progressing to multi-factor authentication (MFA), when using the PingOne MFA IdP Adapter with the PingFederate Authentication API flow.

2. The status of `AUTHENTICATION_REQUIRED` is returned in the response to the Mobile app (API client).

3. The Mobile app (API client) gets a mobile payload from the mobile SDK.

4. The Mobile app (API client) invokes the `authenticate` action, using the mobile payload.

5. The status of `PUSH_CONFIRMATION_WAITING` together with the `selectedDeviceRef` object are returned in the response to the Mobile app (API client).

6. The Mobile app (API client) invokes the `poll` action, so that PingFederate gets the status of the mobile push. This is repeated until either a successful status is received or a timeout is reached.

7. The status of `MFA_COMPLETED` together with the `device_authorized` code are returned in the response to the Mobile app (API client).

8. The Mobile app (API client) invokes the `continueAuthentication` action. The Mobile app (API client) must call `continueAuthentication` to progress in the OIDC flow and complete it.

9. PingFederate returns an access token to the Mobile app (API client).
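
The client side of steps 2 to 9 can be written as a small state machine that fails closed on any status the flow does not document and bounds the polling in step 6. This is an added example, not PingFederate or SDK code: `send_action`, `get_mobile_payload`, the `mobilePayload` field name, the `FakePingFederate` stand-in, and all sample values are assumptions constructed for illustration.

```python
import time

class MfaFlowError(Exception):
    """Unexpected status or push timeout; the caller must treat this as a failed login."""

def expect(state, status):
    # Fail closed: any status other than the one the flow documents aborts the login.
    if state.get("status") != status:
        raise MfaFlowError(f"expected {status}, got {state.get('status')!r}")

def run_push_flow(state, send_action, get_mobile_payload, timeout_s=60.0,
                  interval_s=2.0, sleep=time.sleep, clock=time.monotonic):
    """Drive steps 2-9. `state` is the response received after first factor.
    send_action(action, body) -> dict is a hypothetical transport wrapper."""
    expect(state, "AUTHENTICATION_REQUIRED")                      # step 2
    payload = get_mobile_payload()                                # step 3
    # Step 4: the body field name "mobilePayload" is an assumption.
    state = send_action("authenticate", {"mobilePayload": payload})
    expect(state, "PUSH_CONFIRMATION_WAITING")                    # step 5
    deadline = clock() + timeout_s
    while state.get("status") == "PUSH_CONFIRMATION_WAITING":     # step 6
        if clock() >= deadline:
            raise MfaFlowError("push not confirmed before timeout")
        sleep(interval_s)
        state = send_action("poll", {})
    expect(state, "MFA_COMPLETED")                                # step 7
    return send_action("continueAuthentication", {})              # steps 8-9

class FakePingFederate:
    """Constructed stand-in server: waits for `polls_needed` polls, then returns `final`."""
    def __init__(self, polls_needed=2, final="MFA_COMPLETED"):
        self.calls, self.polls_needed, self.final = [], polls_needed, final

    def __call__(self, action, body):
        self.calls.append(action)
        if action == "authenticate":
            return {"status": "PUSH_CONFIRMATION_WAITING",
                    "selectedDeviceRef": {"id": "constructed-device"}}
        if action == "poll":
            done = self.calls.count("poll") >= self.polls_needed
            return {"status": self.final if done else "PUSH_CONFIRMATION_WAITING"}
        if action == "continueAuthentication":
            return {"access_token": "constructed-token"}
        raise ValueError(f"unknown action {action!r}")

if __name__ == "__main__":
    server = FakePingFederate()
    print(run_push_flow({"status": "AUTHENTICATION_REQUIRED"}, server,
                        lambda: "constructed-payload", sleep=lambda s: None))
    print(server.calls)
```

Because `continueAuthentication` is only reached after `MFA_COMPLETED`, a push that is never confirmed or that ends in any other status cannot advance the OIDC flow from the client side.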
