Grant types
OAuth 2.0 and OpenID Connect define the authorization grant types by which a client application obtains an authorization grant in the form of an access token.
PingOne supports the following grant types:
- Authorization code
  This grant type is used by web applications. The authorization request generates an authorization code that is exchanged for an access token. An authorization code expires after 10 minutes.
- Implicit
  This grant type is intended for use by mobile applications or client-side web applications with no server-side component. The implicit grant type is for applications that cannot guarantee the confidentiality of the client secret.
- Client credentials
  This grant type is requested directly from the token endpoint and is used to obtain an access token for either:
  - Resources owned by the application rather than a user.
  - Resources belonging to multiple end users.
- Device authorization
  This grant type allows a user to grant authorization to the device client using a browser on a second device, such as a smartphone or computer. The device authorization grant type is typically used to access a protected resource through a device that lacks a browser or has limited user input capabilities, such as a smart TV or appliance.
- Refresh token
  This grant type is used by applications to exchange a refresh token for a new access token when the current one has expired. It gives applications the ability to acquire a valid access token without additional user interaction. To obtain a refresh token along with an access token, the client must be configured with the refresh_token grant type and either the authorization_code grant type or the device_authorization grant type.
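
The rules above can be checked mechanically when reviewing application configurations. The following is an added example, not PingOne code: the `app` dictionary layout and the `implicit` and `client_credentials` identifiers are assumptions made for illustration, and the sample applications are constructed.

```python
from datetime import datetime, timedelta, timezone

# refresh_token, authorization_code and device_authorization are spelled as on
# this page; implicit and client_credentials are assumed identifiers.
USER_GRANTS = {"authorization_code", "device_authorization"}
KNOWN_GRANTS = USER_GRANTS | {"implicit", "client_credentials", "refresh_token"}
AUTH_CODE_LIFETIME = timedelta(minutes=10)  # expiry stated on this page


def audit_grants(app):
    """Return findings for one application's grant configuration.

    `app` is a hypothetical dict, not a PingOne API object:
    {"name": str, "grants": [str, ...], "has_server_side": bool}
    """
    grants = set(app["grants"])
    findings = [f"unknown grant type: {g}" for g in sorted(grants - KNOWN_GRANTS)]
    # A refresh token is only obtained together with an access token from
    # the authorization code or device authorization grant.
    if "refresh_token" in grants and not grants & USER_GRANTS:
        findings.append("refresh_token requires authorization_code or device_authorization")
    # Implicit is intended for applications with no server-side component.
    if "implicit" in grants and app["has_server_side"]:
        findings.append("implicit enabled on an app with a server-side component")
    return findings


def auth_code_expired(issued_at, now):
    """True once the 10-minute authorization code lifetime has passed."""
    return now - issued_at >= AUTH_CODE_LIFETIME


# Constructed sample configurations.
APPS = [
    {"name": "portal", "grants": ["authorization_code", "refresh_token"],
     "has_server_side": True},
    {"name": "batch-job", "grants": ["client_credentials", "refresh_token"],
     "has_server_side": True},
    {"name": "legacy-web", "grants": ["implicit"], "has_server_side": True},
]

if __name__ == "__main__":
    for app in APPS:
        print(app["name"], audit_grants(app) or "ok")
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(auth_code_expired(issued, issued + timedelta(minutes=11)))
```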