--- title: OAuth 2.0 and PingAM description: As an authorization server, PingGateway authenticates resource owners and gets their authorization to return access tokens to clients. component: pinggateway version: 2026 page_id: pinggateway:gateway-guide:oauth2 canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/oauth2.html revdate: 2026-01-15 keywords: ["Configuration", "OAuth 2.0", "Authorization", "Scripts", "Certificates", "Keystores", "Truststores", "Passwords"] section_ids: oauth2-introduction: OAuth 2.0 concepts oauth2-client: PingGateway as an OAuth 2.0 client about-oauth2-rs: PingGateway as an OAuth 2.0 resource server next_steps: Next steps --- # OAuth 2.0 and PingAM As an authorization server, PingGateway *authenticates* resource owners and gets their *authorization* to return access tokens to clients. Before you configure OAuth 2.0 in your environment, familiarize yourself with the [OAuth 2.0 authorization framework](https://www.rfc-editor.org/info/rfc6749) and related standards. ## OAuth 2.0 concepts RFC 6749, the [OAuth 2.0 authorization framework](https://www.rfc-editor.org/info/rfc6749) lets a third-party application obtain limited access to a resource (usually user data) on behalf of the resource owner or the application itself. The main actors in the OAuth 2.0 authorization framework are the following: | Actor | Description | | ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Resource owner (RO)** | The owner of the resource. For example, a user who stores their photos in a photo-sharing service.The resource owner uses a *user-agent*, usually a web-browser, to communicate with the client. | | **Client** | The third-party application that wants to access the resource. The client makes requests on behalf of the resource owner and with their authorization. For example, a printing service that needs to access the resource owner's photos to print them.Learn more from [PingGateway as an OAuth 2.0 client](#oauth2-client). | | **Authorization server (AS)** | The authorization service that authenticates the resource owner and/or the client, issues access tokens to the client, and tracks their validity. Access tokens prove that the resource owner authorizes the client to act on their behalf over specific resources for a limited period of time.PingOne Advanced Identity Cloud or PingAM can act as an authorization server. | | **Resource server (RS)** | The service hosting the protected resources. For example, a photo-sharing service. The resource server must be able to validate the tokens issued by the authorization server.Learn more from [PingGateway as an OAuth 2.0 resource server](#about-oauth2-rs). | ## PingGateway as an OAuth 2.0 client PingGateway as an OAuth 2.0 client supports the OAuth 2.0 filters and flows in the following table: | Filter | OAuth 2.0 flow | Description | | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [AuthorizationCodeOAuth2ClientFilter](../reference/AuthorizationCodeOAuth2ClientFilter.html) | [Authorization Code Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1) | This filter requires the user agent to authorize the request interactively to obtain an access token and optional ID token.The access token is maintained only for the OAuth 2.0 session, and is valid only for the configured scopes.This filter can act as an OpenID Connect relying party or as an OAuth 2.0 client. Use for Web applications running on a server. | | [ResourceOwnerOAuth2ClientFilter](../reference/ResourceOwnerOAuth2ClientFilter.html) | [Resource Owner Password Credentials Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) | According to information in the [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749#section-10.7), minimize use of this grant type and use other grant types when possible.This filter supports the transformation of client credentials and user credentials to obtain an access token from the Authorization Server. It injects the access token into the inbound request as a Bearer Authorization header. The access token is valid only for the configured scopes.Use for clients trusted with the resource owner credentials. | | [ClientCredentialsOAuth2ClientFilter](../reference/ClientCredentialsOAuth2ClientFilter.html) | [Client Credentials Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) | This filter is similar to the Resource Owner Password Credentials grant type, but the resource owner is not part of the flow and the client accesses only information relevant to itself.Use when the client is the resource owner, or the client doesn't act on behalf of the resource owner. | ## PingGateway as an OAuth 2.0 resource server The following image illustrates the steps for a client application to access a user's protected resources, with AM as the Authorization Server and PingGateway as the resource server: ![{projectName} as an OAuth 2.0 resource server handling OAuth 2.0 requests](https://kroki.io/plantuml/svg/eNqFU0Fu2zAQvPMViyBALrXT-tACPQQQfAhyKBxIRU-60NJKJCKT6pKy4hZ9UL_Rl3VXlI04dVteBK5mdoacpbq9UbD2_YFsayL8-gmrt-8-wII_q_fwaF0LDzW6aOOBYdR70tF6pxR8NjZA5WsE_kYPW4QhYA34XHVDsHvsDmAdI5zDSjgw2mj-0RKCb-KoCcETBKS9rTAs1d8Z4B1r-KZBChCGylzsIN46bHUHUweLQcFoPBi9RykhsWnrGKVha10tah0TXUDQLSHuGPQf70t1c6uUHqJ3w26LpHpN0Va210y9Alk5Bj9QhZBW6TajQ7oCHSDfXMDDurMifMJnfc-2JrmJxftzWjZE48l-S3dT8PGRSiees0-JUfyhc3KV4KIjhHsdcdSH5K5QSrHY4i7ffIRzEcKvA4ao8s3ijiGvf7fEOjM5Ky7_zYojteKwJK0ndEfB4nU5L1L1nvQWosFUh4b8Tralmx2BQV1zDoIX5XwuJ_hed7aeTJQOtJP4G0-7NIbZLPHQvBDgEZ9Ib0o5dOg9k6aReMk8mvuS2jPX6HjWpHSanwLPnYgaLVPbNJyHBB0q3_NsnrqsCaWHw1HeUMTnCCyVTnkp6tlXQPbIstffZ1ZYeh5Ms_qRLkOu-pF85DfJc09z_kH9BiLSZow=?id=resource-server)Figure 1. PingGateway as an OAuth 2.0 resource server handling OAuth 2.0 requests * The application obtains an *authorization grant*, representing the resource owner's consent. Learn more about the different OAuth 2.0 grant mechanisms supported by AM in the AM documentation on [OAuth 2.0 grant flows](https://docs.pingidentity.com/pingam/8.1/am-oauth2/oauth2-implementing-flows.html). * The application authenticates to the Authorization Server and requests an *access token*. The Authorization Server returns an access token to the application. An OAuth 2.0 access token is an opaque string issued by the authorization server. When the client interacts with the resource server, the client presents the access token in the `Authorization` header. For example: ```http Authorization: Bearer 7af...da9 ``` Access tokens are the credentials to access protected resources. The advantage of access tokens over passwords or other credentials is that access tokens can be granted and revoked without exposing the user's credentials. The access token represents the authorization to access protected resources. Because an access token is a bearer token, anyone who has the access token can use it to get the resources. Access tokens must therefore be protected, so that requests involving them go over HTTPS. In OAuth 2.0, the token scopes are strings that identify the scope of access authorized to the client, but can also be used for other purposes. * The application supplies the access token to the resource server, which then resolves and validates the access token by using an access token resolver, as described in [PingGateway access token resolvers](../reference/AccessTokenResolvers.html). If the access token is valid, the resource server permits the client access to the requested resource. The [OAuth2ResourceServerFilter](../reference/OAuth2ResourceServerFilter.html) grants access to a resource by using an OAuth 2.0 access token from the HTTP Authorization header of a request. When auditing is enabled, OAuth 2.0 token tracking IDs can be logged in access audit events for routes that contain an OAuth2ResourceServerFilter. Learn more in [Auditing the PingGateway deployment](../maintenance-guide/auditing.html) and [PingGateway audit framework](../reference/AuditFramework.html). ## Next steps * [Validating PingAM access tokens with introspection](oauth2-rs-introspect.html) * [Scripting required scopes with PingAM](oauth2-rs-script-scopes.html) * [Validating PingAM stateless access tokens](oauth2-rs-stateless.html) * [With JwkSetSecretStore and PingAM](oauth2-rs-stateless-signed-sat.html) * [Signed PingAM tokens with KeyStoreSecretStore](oauth2-rs-stateless-signed-ksss.html) * [Encrypted PingAM tokens with KeyStoreSecretStore](oauth2-rs-stateless-encrypted.html) * [Mutual TLS with PingAM](oauth2-rs-introspect-mtls.html) * [mTLS with PingAM using client certificates](oauth2-rs-introspect-mtls-certificate.html) * [mTLS with PingAM and trusted headers](oauth2-rs-introspect-mtls-header.html) * [OAuth 2.0 context for authentication with PingAM](oauth2-rs-pwreplay.html) * [Caching PingAM access tokens](oauth2-rs-cacheatr.html) * [Client credentials grant with PingAM](oauth2-clientcredentials.html) * [Resource owner password credentials grant with PingAM](oauth2-resourceowner.html)