PingFederate Server

STS OAuth integration

PingFederate security token service (STS) provides several ways to facilitate the use of issued tokens with an OAuth authorization server (AS).

OAuth token processor

This token processor provides a mechanism through which PingFederate STS can validate an incoming OAuth Bearer access token. The token processor reads and validates the access token and returns any additional user attributes defined.

JWT bearer token grant type

urn:ietf:params:oauth:grant-type:jwt-bearer

This token request returns a JSON Web Token (JWT) that a web service client (WSC) can use to request OAuth access tokens from any OAuth AS that supports using JWTs as authorization grants, as defined in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification.

OAuth access token with JWT bearer token grant type

oauth-v2:access:token:response|via|urn:ietf:params:oauth:grant-type:jwt-bearer

This proprietary token request is similar to the JWT Bearer Token grant type but returns an OAuth access token directly. Acting as an identity provider (IdP), PingFederate generates the intermediate JWT and requests an access token from the OAuth AS on behalf of the WSC. The AS endpoint is obtained from the AppliesTo element of the WS-Trust request security token (RST) message.
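The three roles described above (the STS issuing a JWT, the WSC presenting it to the OAuth AS under the jwt-bearer grant, and the OAuth token processor validating the resulting bearer access token) can be walked through end to end in one script. The following is an added example, not PingFederate code: it uses only the Python standard library, signs with HS256 under two constructed shared secrets (PingFederate deployments normally use asymmetric keys and configured issuers), and every issuer, audience and endpoint value is a hypothetical placeholder.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.parse

# Hypothetical identities for the three parties (assumptions, not PingFederate defaults).
STS_ISSUER = "https://sts.example.com"
AS_ISSUER = "https://as.example.com"
AS_TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"   # aud of the JWT bearer assertion
RESOURCE_AUDIENCE = "urn:example:sts-protected-api"            # aud of the issued access token
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
REGISTERED_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "nbf", "iat", "jti"})

# Constructed demo secrets: the STS<->AS key and the AS<->resource key are kept separate.
STS_KEY = b"constructed-sts-secret-do-not-reuse"
AS_KEY = b"constructed-as-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check signature, alg, iss, aud, exp and nbf; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def mint_bearer_assertion(subject: str, now: float, ttl: int = 300, extra: dict = None) -> str:
    """STS side: the JWT the WSC will present to the AS (iss, sub, aud, iat, exp per RFC 7523)."""
    claims = {"iss": STS_ISSUER, "sub": subject, "aud": AS_TOKEN_ENDPOINT,
              "iat": int(now), "exp": int(now) + ttl}
    claims.update(extra or {})                # user attributes the STS chooses to pass along
    return sign_jwt(claims, STS_KEY)


def build_token_request(assertion: str, scope: str = "") -> str:
    """WSC side: form-encoded body of the jwt-bearer token request to the AS."""
    params = {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}
    if scope:
        params["scope"] = scope
    return urllib.parse.urlencode(params)


def issue_access_token(form_body: str, now: float, ttl: int = 600) -> str:
    """AS side: accept the grant only if the assertion verifies for this token endpoint."""
    params = dict(urllib.parse.parse_qsl(form_body))
    if params.get("grant_type") != JWT_BEARER_GRANT:
        raise ValueError("unsupported grant_type")
    assertion = verify_jwt(params["assertion"], STS_KEY, STS_ISSUER, AS_TOKEN_ENDPOINT, now)
    claims = {"iss": AS_ISSUER, "sub": assertion["sub"], "aud": RESOURCE_AUDIENCE,
              "iat": int(now), "exp": int(now) + ttl, "scope": params.get("scope", "")}
    claims.update({k: v for k, v in assertion.items() if k not in REGISTERED_CLAIMS})
    return sign_jwt(claims, AS_KEY)


def process_bearer_access_token(access_token: str, now=None) -> dict:
    """Token processor side: validate the incoming bearer token, return its extra attributes."""
    claims = verify_jwt(access_token, AS_KEY, AS_ISSUER, RESOURCE_AUDIENCE, now)
    return {k: v for k, v in claims.items() if k not in REGISTERED_CLAIMS}


if __name__ == "__main__":
    t0 = 1_700_000_000
    assertion = mint_bearer_assertion("alice", now=t0, extra={"mail": "alice@example.com"})
    body = build_token_request(assertion, scope="read")
    access_token = issue_access_token(body, now=t0 + 1)
    print(process_bearer_access_token(access_token, now=t0 + 2))
```

The two failure paths worth noticing are that the AS rejects an assertion whose `aud` is not its own token endpoint, so an assertion minted for one AS cannot be replayed at another, and that the token processor rejects the access token once `exp` has passed regardless of how the token arrived.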

SAML 2.0 bearer assertion grant type

urn:ietf:params:oauth:grant-type:saml2-bearer

This token request returns an encoded SAML assertion that a WSC can use to request OAuth access tokens from any OAuth AS that supports the SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants specification.

OAuth access token with SAML 2.0 bearer assertion grant type

oauth-v2:access:token:response|via|urn:ietf:params:oauth:grant-type:saml2-bearer

This proprietary token request is similar to the SAML 2.0 Bearer Assertion grant type but returns an OAuth access token directly. Acting as an IdP, PingFederate generates the intermediate, encoded SAML assertion and requests an access token from the OAuth AS on behalf of the WSC. The AS endpoint is obtained from the AppliesTo element of the WS-Trust RST message.
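For both proprietary token types above, the IdP reads the AS endpoint from the AppliesTo element of the WS-Trust RST. Because that element is supplied by the client, the value should be checked against the endpoints the IdP is actually configured to trust before a freshly signed assertion is posted to it. The following added example (not PingFederate code) parses a constructed RST with the standard library and applies that check; the allow-list and the endpoint URLs are hypothetical, and the placement of the token type in TokenType is an assumption made for the sample.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Namespaces from WS-Trust 1.3, WS-Policy and WS-Addressing.
NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

ACCESS_TOKEN_TYPES = {
    "oauth-v2:access:token:response|via|urn:ietf:params:oauth:grant-type:jwt-bearer",
    "oauth-v2:access:token:response|via|urn:ietf:params:oauth:grant-type:saml2-bearer",
}

# Hypothetical allow-list of AS token endpoints this IdP is configured to talk to.
ALLOWED_AS_ENDPOINTS = {"https://as.example.com/as/token.oauth2"}

# Constructed RST; a real message would carry the requester's security token as well.
SAMPLE_RST = """
<wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wst:TokenType>oauth-v2:access:token:response|via|urn:ietf:params:oauth:grant-type:saml2-bearer</wst:TokenType>
  <wsp:AppliesTo>
    <wsa:EndpointReference>
      <wsa:Address>https://AS.example.com/as/token.oauth2</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
</wst:RequestSecurityToken>
"""


def parse_rst(rst_xml: str) -> dict:
    """Return the token type and raw AppliesTo address from an RST, or raise ValueError."""
    root = ET.fromstring(rst_xml)
    token_type = root.findtext("wst:TokenType", default="", namespaces=NS).strip()
    addr = root.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address",
                         default="", namespaces=NS).strip()
    if not addr:
        raise ValueError("RST has no AppliesTo address")
    return {"token_type": token_type, "applies_to": addr}


def resolve_as_endpoint(rst_xml: str, allowed=ALLOWED_AS_ENDPOINTS) -> str:
    """Accept the AppliesTo endpoint only if it is https, normalised, and on the allow-list."""
    rst = parse_rst(rst_xml)
    if rst["token_type"] not in ACCESS_TOKEN_TYPES:
        raise ValueError("not an OAuth access token request")
    parts = urllib.parse.urlsplit(rst["applies_to"])
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("AppliesTo must be an absolute https URL")
    # Lower-case the host so trivial case variations cannot bypass the list; drop query/fragment.
    normalised = urllib.parse.urlunsplit(("https", parts.netloc.lower(), parts.path, "", ""))
    if normalised not in allowed:
        raise ValueError("AppliesTo endpoint is not a configured OAuth AS")
    return normalised


if __name__ == "__main__":
    print(resolve_as_endpoint(SAMPLE_RST))
```

Rejecting unknown or non-TLS endpoints here means a signed assertion is only ever sent to an AS the deployment has deliberately paired with, which is the relationship the last paragraph describes.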

These capabilities bridge the WS-Trust client-STS relationship and the trust relationship of the same client with an OAuth AS, allowing the client to obtain additional resources on behalf of already-authenticated users in follow-on transactions.