Authorization endpoint
The OAuth authorization server (OAuth AS) uses the authorization endpoint to interact directly with resource owners, authenticate them, and obtain their authorizations.
The OAuth 2.0 Authorization Framework defines the authorization endpoint. Typically, an OAuth client makes an authorization request by directing a resource owner through an HTTP user-agent to the authorization endpoint. After the OAuth AS completes its interaction with the resource owner, the OAuth AS redirects the resource owner’s user-agent back to the client’s redirect URI with the response to the authorization request.
This endpoint can be used in an OAuth Scope Authentication Selector configuration, which can affect the behavior of the endpoint. For example, the
This endpoint accepts the HTTP GET and POST methods.
Endpoint: /as/authorization.oauth2
When transmitting through the HTTP POST method, the required Content-Type value is application/x-www-form-urlencoded. The following table describes parameters for this endpoint.
| Parameter | Description |
|---|---|
| (Required) | The client identifier. |
| | When set to |
| | A value of To initiate a Hybrid Flow, multiple response_type values can be specified by space-separating them. When using the Hybrid Flow, some tokens are returned from the Authorization Endpoint and others are returned from the Token Endpoint. For information about multiple-valued response type combinations, see the description of the |
| | To reduce the risk of an authorization code interception attack, supply a one-time string value to associate the authorization request with the token request. For more information, see Proof Key for Code Exchange (PKCE) by OAuth Public Clients. Applicable only when |
| | Applicable only when the This parameter indicates the transformation method used to derive the The Omitting the |
| | The URI to which PingFederate redirects the resource owner’s user-agent after an authorization is obtained. For OpenID Connect (OIDC) protocol compliance, clients that use the authorization code or implicit grant type must include this parameter in their authorization requests. It is also the default behavior in new PingFederate installations starting with version 9.1.4. For upgraded installations, this requirement remains true for clients that have been configured with more than one redirection URI. For clients that have been configured with only one redirection URI, this requirement is waived to minimize the impact that it might impose on customers upgrading to version 9.1.4 or a subsequent release. As needed, it can be enabled at a later time. |
| | Specifies the end-user’s preferred languages for claims being returned in a space-separated list, ordered by preference. The values must conform to the IETF BCP 47 guidelines. |
| | Provides a hint to the PingFederate AS about the end user. For example, when an OAuth client includes a |
| | Sets an allowable elapsed time in seconds since the end user last authenticated. If the elapsed time exceeds the value of |
| | A single, self-contained parameter; a signed JSON Web Token (JWT) whose claims represent the request parameters of the authorization request. The OpenID Connect specification calls this JWT a request object. The The If a client is not configured to transmit request parameters in signed request objects and is not configured with a JWKs URL or an actual JWKs, PingFederate ignores the PingFederate can decrypt encrypted request objects, which are described in the OpenID Connect 1.0 specification (openid-connect-core-1_0.html). Request objects with asymmetric encryption must be encrypted using the public keys that PingFederate exposes at For client configuration information, see the Require Signed Request setting in Configuring OAuth clients. For more information about request objects, see RFC 9101: JWT Secured Authorization Request (JAR). |
| | This parameter indicates that the client is using the pushed authorization requests (PAR) protocol to initiate an authorization flow. The client previously pushed an authorization request payload to the PAR endpoint of the AS. The payload can contain any of the parameters that usually comprise an authorization request and any additional parameters needed for client authentication. After the AS validated the request and saved the payload, it sent the Now the client is using the |
| | Expresses the scope of the access request as a list of space-separated, case-sensitive strings. For detailed information about scopes, see Scopes and scope management. |
| | An opaque value used by the client to maintain state between the request and callback. If included, the AS returns this parameter and the given value when redirecting the user agent back to the client. |
| | Specifies the end-user’s preferred languages for OAuth user interactions in a space-separated list, ordered by preference. The values must conform to the IETF BCP 47 guidelines. |
| idp | A PingFederate OAuth AS parameter indicating the entity ID or the connection ID of the IdP with whom to initiate Browser single sign-on (SSO) for user authentication. |
| pfidpadapterid | A PingFederate OAuth AS parameter indicating the IdP adapter instance ID of the adapter to use for user authentication. |
| (optional) | The HTML Form Adapter immediately returns the value of this parameter in the |

If more than one source of authentication is configured in the system and no pfidpadapterid or idp parameter is provided, PingFederate provides users with an intermediate page asking them to choose among the available sources of authentication. The authentication results in a set of user attributes that must be mapped into the USER_KEY attribute for persistent grant storage and the USER_NAME attribute that displays on the user authorization page.
OpenID Connect parameters
The following table describes OpenID Connect parameters for this endpoint.
| Parameter | Description |
|---|---|
| | Specifies the Authentication Context Class Reference (acr) values for the AS to use when processing an Authentication Request. Express the values as a space-separated string, and list them in order of preference. |
| | Includes an ID token as a hint to the PingFederate AS about the end user. If the authenticated user does not match the information stored in the ID token, the PingFederate AS rejects the authorization request and returns an error message. |
| | Specifies a string value used to associate a client session with an ID token and to reduce replay attacks. The value passes through unmodified from an authorization request to the ID token. |
| | Specifies whether the AS prompts the end user for reauthentication and consent. Expressed as a list of space-separated, case-sensitive ASCII string values. If included, the client can use this parameter to verify that the end user is still present for the current session or to bring attention to the request. PingFederate supports values of |
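The following is an added example, not code from the PingFederate documentation or product: a small Python client that assembles an authorization-code request for the /as/authorization.oauth2 endpoint described above, using PKCE (the one-time value and S256 transformation method from the first table) together with the state and nonce values from both tables, and then checks the redirect back to the client. The parameter names client_id, response_type, redirect_uri, scope, state, nonce, code_challenge and code_challenge_method are taken from RFC 6749, RFC 7636 and OpenID Connect Core, not from the tables on this page; the AS host pingfederate.example.local, the client ID, the redirect URI and the callback URL are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint path as documented on this page; the AS host is a constructed placeholder.
AS_HOST = "https://pingfederate.example.local"
AUTHORIZATION_ENDPOINT = AS_HOST + "/as/authorization.oauth2"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE requires (RFC 7636)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """One-time secret the client keeps for the token request; 32 random bytes
    give 43 characters, within the 43..128 range RFC 7636 allows."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 transformation: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_params(client_id, redirect_uri, scope, verifier, state, nonce, extra=None):
    """Parameters of an authorization-code request with PKCE. `extra` may carry
    further OIDC or PingFederate parameters (for example prompt or max_age)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must be one of the client's registered URIs
        "scope": scope,                # space-separated, case-sensitive strings
        "state": state,                # binds the callback to this request
        "nonce": nonce,                # passes through unmodified into the ID token
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if extra:
        params.update(extra)
    return params


def authorization_url(params) -> str:
    """GET form of the request: the URL the user agent is redirected to."""
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def authorization_form_body(params) -> str:
    """POST form of the request: body sent with application/x-www-form-urlencoded."""
    return urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the client and return the authorization code.
    A callback whose state does not match the one this client generated is rejected
    instead of being exchanged at the token endpoint."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    return query["code"][0]


def new_session(client_id="example-client",
                redirect_uri="https://client.example.local/cb",
                scope="openid profile"):
    """Constructed demonstration: fresh verifier, state and nonce plus the URL to send.
    The verifier, state and nonce must be stored server-side for the callback."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = authorization_params(client_id, redirect_uri, scope, verifier, state, nonce)
    return {"verifier": verifier, "state": state, "nonce": nonce,
            "url": authorization_url(params), "post_body": authorization_form_body(params)}
```

The verifier never leaves the client until the token request, so an intercepted authorization code cannot be redeemed without it; the state check in parse_callback is what makes the opaque state value described above useful, since an unchecked state protects nothing.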
OAuth access token management parameters
PingFederate supports multiple access token management (ATM) instances. Clients can specify an ATM instance by providing the ATM ID (access_token_manager_id) or a resource URI (aud or resource) in their requests to the PingFederate OAuth AS.
| Parameter | Description |
|---|---|
| | The |
| | The |
| resource | The If multiple resource parameters are requested, they must match to a single access token management instance. Otherwise PingFederate aborts the request. |
A match can be an exact match or a partial match where the provided URI has the same scheme and authority parts and a more specific path contained within the path of the pre-configured resource URI. PingFederate takes an exact match over a partial match. If there are multiple partial matches, PingFederate takes the partial match where the provided URI matches more specifically against the pre-configured resource URI.
Example: A partial match
A resource URI of https://app.example.local is a partial match for the following provided URIs:
- https://app.example.local/file1.ext
- https://app.example.local/path/file2.ext
- https://app.example.local/path/more
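As an added example (not PingFederate's own code), the following Python implements the resource URI matching rules described above over a constructed configuration that maps pre-configured resource URIs to ATM IDs: an exact match wins over a partial match, the most specific partial match wins among several, and a request carrying several resource parameters is rejected unless they all resolve to one ATM instance. It goes slightly beyond the page's example by adding a second, more specific configured URI (https://app.example.local/path) so that the "more specific partial match" rule is exercised. The ATM IDs, the configured URIs, and the requirement that a partial match extend the configured path at a "/" segment boundary are assumptions.

```python
from urllib.parse import urlsplit

# Constructed configuration (an assumption, not PingFederate's own data): each
# pre-configured resource URI maps to the ID of an access token manager (ATM).
RESOURCE_TO_ATM = {
    "https://app.example.local": "atm-app",
    "https://app.example.local/path": "atm-app-path",
    "https://api.example.local/v1": "atm-api",
}


def _parts(uri):
    """Scheme, authority and path with any trailing slash removed, so that
    'https://app.example.local' and 'https://app.example.local/' compare equal."""
    u = urlsplit(uri)
    return u.scheme.lower(), u.netloc.lower(), u.path.rstrip("/")


def match_kind(configured, provided):
    """'exact' when scheme, authority and path are identical; 'partial' when scheme
    and authority match and the provided path is a more specific path under the
    configured one; None otherwise. Requiring the extension to start at a '/'
    segment boundary is an assumption (the page does not say whether /pathology
    would match a configured /path)."""
    c_scheme, c_auth, c_path = _parts(configured)
    p_scheme, p_auth, p_path = _parts(provided)
    if (c_scheme, c_auth) != (p_scheme, p_auth):
        return None
    if c_path == p_path:
        return "exact"
    if p_path.startswith(c_path + "/"):
        return "partial"
    return None


def resolve_atm(provided, config=RESOURCE_TO_ATM):
    """ATM ID for one provided resource URI. An exact match wins outright; among
    partial matches the configured URI with the longest path (the most specific
    match) wins. Returns None when no configured URI matches."""
    best_len, best_atm = -1, None
    for configured, atm_id in config.items():
        kind = match_kind(configured, provided)
        if kind == "exact":
            return atm_id
        if kind == "partial":
            path_len = len(_parts(configured)[2])
            if path_len > best_len:
                best_len, best_atm = path_len, atm_id
    return best_atm


def resolve_request(resources, config=RESOURCE_TO_ATM):
    """Rule for a request with several resource parameters: all of them must
    resolve to the same ATM instance, otherwise the request is aborted."""
    atms = {resolve_atm(r, config) for r in resources}
    if len(atms) != 1 or None in atms:
        raise ValueError(
            "resource parameters must resolve to exactly one access token manager, got %r"
            % (sorted(a or "<none>" for a in atms),))
    return atms.pop()
```

With this configuration, https://app.example.local/file1.ext resolves to atm-app, while https://app.example.local/path/more resolves to atm-app-path even though it also partially matches https://app.example.local, because the longer configured path is the more specific match. A provided URI with a different scheme (http instead of https) or authority matches nothing, which is the property that stops a token minted for one resource from being issued for a look-alike host.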