PingFederate Server

Assertion grant profile for OAuth 2.0 authorization grants

The assertion grant profile process takes place between the user or requesting application. client application, PingFederate identity provider (IdP), PingFederate authorization server (AS) and resource server (RS).

In this scenario, a client obtains an assertion, either a SAML 2.0 bearer assertion or a JSON Web Token (JWT) bearer token, and makes an HTTP request to the PingFederate OAuth AS to exchange the assertion for an access token. The OAuth AS validates the assertion and returns an access token. The client uses the token in an API call to the RS to obtain data.

Flowchart depicting the assertion grant profile process between the User or Requesting Application, Client application, IdP, AS, and RS.
Assertion grant profile

Processing steps

  1. A user-initiated or client-initiated event, such as a mobile application or a scheduled task, requests access to software as a service (SaaS) protected resources from an OAuth client application.

  2. The client application obtains an assertion from an IdP.

    When using SAML assertions as authorization grants, client applications must obtain assertions that meet the requirements defined in RFC7522. Do not use SAML assertions acquired through browser single sign-on (SSO) profiles here.

  3. The client application makes an HTTP request to the PingFederate OAuth AS to exchange the assertion for an access token. The OAuth AS validates the assertion and returns the access token.

  4. The client application adds the access token to its API call to the RS. The RS returns the requested data to the client application.