---
title: OpenID Connect endpoints
description: Specific endpoints are needed for PingFederate or another token provider to interface with PingAccess using the OpenID Connect (OIDC) protocol.
component: pingaccess
version: 9.1
page_id: pingaccess:reference_guides:pa_oidc_endpoints
canonical_url: https://docs.pingidentity.com/pingaccess/9.1/reference_guides/pa_oidc_endpoints.html
revdate: June 15, 2023
section_ids:
  paoidccb: /pa/oidc/cb
  oidc-deviceAuthz: /pa/oidc/deviceAuthzGrantPoll
  paoidcjwks: /pa/oidc/JWKS
  paoidclogout: /pa/oidc/logout
  paoidclogout-png: /pa/oidc/logout.png
---

# OpenID Connect endpoints

Specific endpoints are needed for PingFederate or another token provider to interface with PingAccess using the OpenID Connect (OIDC) protocol. OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.

These endpoints are available on the `engine.http.port` and `agent.http.port` ports defined in the `<PA_HOME>/conf/run.properties` file.

> If you selected the **Use context root as reserved resource base path** check box on your PingAccess application, this feature creates an instance of any reserved PingAccess resources under the application's context root. As a result, the application's context root must be prepended to the reserved context application root (`/pa` by default) in any file paths that reference it.
>
> If the context root of your application is `myApp`, the paths to the OIDC endpoints would be:
>
> - `/myApp/pa/oidc/logout`
> - `/myApp/pa/oidc/cb`
> - `/myApp/pa/oidc/JWKS`
> - `/myApp/pa/oidc/logout.png`

## /pa/oidc/cb

The `/pa/oidc/cb` endpoint, along with the application virtual host, becomes the redirect Uniform Resource Identifier (URI) for the token provider configuration on the client. A URI identifies a web resource with a string of characters conforming to a specified format.
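
Because the redirect URI changes when an application uses its context root as the reserved resource base path, the URIs registered on the token provider client can drift from what PingAccess actually sends. The following is an added example, not PingAccess or PingFederate code: it derives the expected redirect URI for each application and compares it with the registered list. The `https` scheme, the application records, the registered URIs, and the treatment of entries containing `*` are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

RESERVED_ROOT = "/pa"  # default reserved root named on this page

def redirect_uri(virtual_host, context_root="/", use_context_root=False,
                 reserved_root=RESERVED_ROOT, scheme="https"):
    """Virtual host + [context root] + reserved root + /oidc/cb."""
    root = context_root.strip("/")
    prefix = f"/{root}" if use_context_root and root else ""
    return f"{scheme}://{virtual_host}{prefix}{reserved_root}/oidc/cb"

def normalize(uri):
    """Lower-case scheme/host and drop port 443; the path stays case-sensitive."""
    p = urlsplit(uri)
    port = "" if p.port in (None, 443) else f":{p.port}"
    return f"{p.scheme.lower()}://{p.hostname or ''}{port}{p.path}"

def audit(apps, registered):
    """Compare expected redirect URIs with those registered on the client."""
    expected = {normalize(redirect_uri(**a)) for a in apps}
    exact = {normalize(u) for u in registered if "*" not in u}
    return {
        "missing": sorted(expected - exact),      # sign-on would fail
        "unexpected": sorted(exact - expected),   # stale entries to remove
        "wildcards": sorted(u for u in registered if "*" in u),  # review by hand
    }

# Constructed sample data (hypothetical hosts and applications).
APPS = [
    {"virtual_host": "app.example.com"},
    {"virtual_host": "portal.example.com:8443", "context_root": "/myApp",
     "use_context_root": True},
]
REGISTERED = [
    "https://App.example.com:443/pa/oidc/cb",
    "https://portal.example.com:8443/pa/oidc/cb",  # predates the context-root setting
    "https://*.example.com/pa/oidc/cb",
]
REPORT = audit(APPS, REGISTERED)

if __name__ == "__main__":
    for finding, uris in REPORT.items():
        print(finding, uris)
```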

## /pa/oidc/deviceAuthzGrantPoll

PingAccess uses the `/pa/oidc/deviceAuthzGrantPoll` endpoint to check if the token provider has received a response from a user's device and authenticated their request for access. Polling begins on the **Continue on another device** page after a user visits the **Connect a device** page and approves the user code submission.

Learn more in the [Device authorization grant](../pingaccess_user_interface_reference_guide/pa_authentication.html#device-authz-grant) system-provided ACP and the [Device authorization challenge ACR generator description](../pingaccess_user_interface_reference_guide/pa_acr_generator_descriptions.html#device).

## /pa/oidc/JWKS

The token provider's JSON Web Token (JWT) token processor uses the `/pa/oidc/JWKS` endpoint to verify signatures. A JWT is an IETF standard container format for a JSON object used for the secure exchange of content, such as identity or entitlement information. You can find the industry standard in [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).

This endpoint must be used alongside a JWT token processor instance in the token provider configuration. If using PingFederate as the token provider, learn more in [Configuring JSON token management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_access_token_management_instance.html#:~:text=Reference%2Dtoken%20management-,JSON,-token%20management) in the PingFederate documentation.

## /pa/oidc/logout

The `/pa/oidc/logout` endpoint clears the browser cookie containing the PingAccess token. This enables end users to trigger the removal of their own PingAccess cookie from the browser they're using, which redirects them to the **Logged out** page.

You can modify the **Logged out** page template in the `<PA_HOME>/conf/template/general.loggedout.page.template.html` file.

> This endpoint doesn't retain any server-side state to indicate sign-off status.
>
> - If you selected the **Use Single-Logout** option when configuring the token provider, this endpoint also sends a sign-off request to the token provider, completing a full single logout (SLO) flow. SLO is the process of signing a user out of multiple sites where the user has started an SSO session.
> - If you didn't select the **Use Single-Logout** option when configuring the token provider, this endpoint clears the cookie only from the requested host or domains. This means that the cookie might still exist in requests bound for other hosts or domains.

## /pa/oidc/logout.png

The token provider uses the `/pa/oidc/logout.png` endpoint to initiate sign off from PingAccess alongside SLO functionality. This stops the PingAccess token across domains.
