PingFederate Server

Grant-management endpoint

Resource owners use the grant-management endpoint to view, and optionally revoke, the persistent access grants they have made.

Two grant-management endpoints are provided. One is for use with parameters. This endpoint is not part of the OAuth specification, but many OAuth providers offer a similar function.

Grants associated with the USER_KEY of the authenticated user are displayed. The same attribute mappings from the authentication source to USER_KEY, which are used for the authorization endpoint, are used here to look up the user’s existing grants.

Endpoints: /as/grants.oauth2 and /as/oauth_access_grants.ping

The following table describes the available parameters for the /as/grants.oauth2 endpoint. Use only one of them as needed.

| Parameter | Description |
| --- | --- |
| idp or PartnerIdpId | Indicates the entity ID or the connection ID of the identity provider (IdP) with whom to initiate browser single sign-on (SSO) for user authentication. |
| pfidpadapterid | Indicates the IdP adapter instance ID of the adapter to use for user authentication. This parameter may be overridden by policy based on authentication selection configuration. For example, the OAuth Scope Authentication Selector could enforce the use of a given adapter based on client-requested scopes. |

If no recent user attributes are found for the session context, the user is redirected to /as/oauth_access_grants.ping to initiate the authentication process, which behaves in the same way as the authorization endpoint.
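The following is an added example, not part of the PingFederate documentation: a helper that builds a link to /as/grants.oauth2, enforces the "use only one" rule from the table, and percent-encodes the value so that an entity ID which is itself a URL stays inside a single parameter. The function name grants_url, the host sso.example.com, and the sample entity ID are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

GRANTS_PATH = "/as/grants.oauth2"  # endpoint path taken from the page
ALLOWED = ("idp", "PartnerIdpId", "pfidpadapterid")  # parameters from the table


def grants_url(base_url, **params):
    """Build a grant-management link carrying at most one documented parameter.

    base_url is the server's base URL (hypothetical value supplied by the caller).
    """
    supplied = {k: v for k, v in params.items() if v is not None}

    unknown = set(supplied) - set(ALLOWED)
    if unknown:
        raise ValueError(f"unsupported parameter(s): {sorted(unknown)}")
    if len(supplied) > 1:
        # The page says to use only one of the parameters per request.
        raise ValueError("use only one of: " + ", ".join(ALLOWED))
    for name, value in supplied.items():
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{name} must be a non-empty string")

    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base_url must be an absolute https URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("base_url must not carry a path, query or fragment")

    # urlencode percent-encodes ':', '/', '&' and '=' in the value, so an
    # entity ID such as a URL cannot split into extra query parameters.
    query = urlencode(supplied)
    return urlunsplit(("https", parts.netloc, GRANTS_PATH, query, ""))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(grants_url("https://sso.example.com"))
    print(grants_url("https://sso.example.com",
                     idp="https://idp.example.com/saml?a=1&b=2"))
    print(grants_url("https://sso.example.com", pfidpadapterid="HtmlForm"))
```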