PingAM 7.5.1

AM as client and resource server

When AM functions as an OAuth 2.0 client, it provides a session after successfully authenticating the resource owner and obtaining authorization. The client can then access resources protected by agents.

To configure AM as an OAuth 2.0 client, use a Social Provider Handler node or a social authentication module as part of the authentication journey.

The following sequence diagram shows how the client gains access to protected resources in the scenario where AM functions as both authorization server and client:

OAuth 2.0 client and authorization server
Figure 1. OAuth 2.0 client and authorization server

Because the OAuth 2.0 client functionality is implemented as an AM authentication module or node, you do not need to deploy your own resource server implementation when using AM as an OAuth 2.0 client. Use web or Java agents or PingGateway to protect resources.

For more information about configuring AM as an OAuth 2.0 client, refer to Social authentication.

To use your own client and resource server, make sure the resource server implements the logic for handling access tokens and refresh tokens.

The resource server can use the /oauth2/introspect endpoint to determine whether the access token is still valid, and to retrieve the scopes associated with the access token.

To design your own scopes implementation, refer to Customize OAuth 2.0.