---
title: Assertion grant profile for OAuth 2.0 authorization grants
description: The assertion grant profile process takes place between the user or requesting application, client application, PingFederate identity provider (IdP), PingFederate authorization server (AS) and resource server (RS).
component: pingfederate
version: 13.1
page_id: pingfederate:introduction_to_pingfederate:pf_assertion_grant_profile_oauth_20_authorization_grants
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/introduction_to_pingfederate/pf_assertion_grant_profile_oauth_20_authorization_grants.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 8, 2024
section_ids:
  processing-steps: Processing steps
  related-links: Related links
---

# Assertion grant profile for OAuth 2.0 authorization grants

The assertion grant profile process takes place between the user or requesting application, client application, PingFederate identity provider (IdP), PingFederate authorization server (AS) and resource server (RS).

In this scenario, a client obtains an assertion, either a SAML 2.0 bearer assertion or a JSON Web Token (JWT) bearer token, and makes an HTTP request to the PingFederate OAuth AS to exchange the assertion for an access token. The OAuth AS validates the assertion and returns an access token. The client uses the token in an API call to the RS to obtain data.

Figure: Assertion grant profile. Flowchart depicting the assertion grant profile process between the User or Requesting Application, Client application, IdP, AS, and RS.

## Processing steps

1. A user-initiated or client-initiated event, for example from a mobile application or a scheduled task, requests access to software as a service (SaaS) protected resources from an OAuth client application.

2. The client application obtains an assertion from an IdP.

   Note: When using SAML assertions as authorization grants, client applications must obtain assertions that meet the requirements defined in [RFC 7522](https://datatracker.ietf.org/doc/html/rfc7522). Do not use SAML assertions acquired through browser single sign-on (SSO) profiles here.

3. The client application makes an HTTP request to the PingFederate OAuth AS to exchange the assertion for an access token. The OAuth AS validates the assertion and returns the access token.

4. The client application adds the access token to its API call to the RS. The RS returns the requested data to the client application.
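As an added example of steps 2 and 3 with a JWT bearer assertion (example code, not PingFederate's own), the following Python mints an assertion carrying the claims RFC 7523 requires, forms the token endpoint request, and applies the checks the AS performs before it returns an access token. The issuer, token endpoint and HS256 shared secret are assumptions for an offline run; PingFederate verifies the IdP's signature with the certificate configured on the IdP connection.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Assumed values, not PingFederate configuration. PingFederate verifies the
# IdP's signature with the IdP connection's certificate; HS256 with a shared
# secret is used here only so the example runs offline.
IDP_ISSUER = "https://idp.example.com"                     # assumed IdP issuer
TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"  # assumed AS token endpoint
SHARED_SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_assertion(subject, now=None, lifetime=300, jti="jti-1", aud=TOKEN_ENDPOINT):
    """IdP side (step 2): JWT with the claims RFC 7523 section 3 requires."""
    now = int(time.time()) if now is None else now
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": aud,
              "iat": now, "exp": now + lifetime, "jti": jti}
    signing_input = (_b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def token_request_body(assertion):
    """Client side (step 3): body POSTed to the token endpoint, RFC 7523 section 2.1."""
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                      "assertion": assertion})
def validate_assertion(assertion, seen_jti, now=None):
    """AS side (step 3): (subject, "ok") or (None, reason); signature before any claim."""
    now = int(time.time()) if now is None else now
    head, body, sig = assertion.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        return None, "unexpected alg"  # the token never chooses the algorithm
    expected = hmac.new(SHARED_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != IDP_ISSUER:
        return None, "unknown issuer"
    if claims.get("aud") != TOKEN_ENDPOINT:
        return None, "wrong audience"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None, "expired"
    if claims.get("jti") in seen_jti:
        return None, "replayed jti"  # one-time use, as RFC 7523 section 3 permits
    seen_jti.add(claims["jti"])
    return claims["sub"], "ok"
```

The `seen_jti` set stands in for whatever replay store the AS keeps; an expired or wrong-audience assertion is rejected even though its signature is valid.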

## Related links

* [JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://datatracker.ietf.org/doc/html/rfc7523)

* [Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://datatracker.ietf.org/doc/html/rfc7522)

* [Configuring an OAuth assertion grant IdP connection](../administrators_reference_guide/help_idpconnectionconfigtasklet_oauthsamlgrantattributemappingstate.html)
