PingOne

Grant types

OAuth 2.0 and OpenID Connect define the authorization grant types by which a client application obtains an authorization grant in the form of an access token.

PingOne supports the following grant types:

Authorization code

This grant type is used by web applications. The authorization request generates an authorization code that is exchanged for an access token. An authorization code expires after 10 minutes.

Implicit

This grant type is intended for use by mobile applications or client-side web applications with no server-side component. The implicit grant type is for applications that cannot guarantee the confidentiality of the client secret.

Client credentials

With this grant type, the application makes its request directly to the token endpoint to obtain an access token for either:

  • Resources owned by the application rather than a user.

  • Resources belonging to multiple end users.

Device authorization

This grant type allows a user to grant authorization to the device client using a browser on a second device, such as a smartphone or computer. The device authorization grant type is typically used to access a protected resource through a device that lacks a browser or has limited user input capabilities, such as a smart TV or appliance.

Refresh token

This grant type is used by applications to exchange a refresh token for a new access token when the current access token has expired. It gives applications the ability to acquire a valid access token without additional user interaction. To obtain a refresh token along with an access token, the client must be configured with the refresh_token grant type and either the authorization_code grant type or the device_authorization grant type.
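The following added example (not PingOne code or part of the original page) models two rules stated above in a small in-memory authorization server: the 10-minute authorization code lifetime, and the grant type configuration a client needs before a refresh token is returned. The class name ToyAuthServer, its methods, and the fake clock are hypothetical; the single-use check on the code comes from RFC 6749 rather than from this page.

```python
import secrets
import time

CODE_TTL_SECONDS = 10 * 60  # the page states an authorization code expires after 10 minutes

class ToyAuthServer:
    """In-memory model (hypothetical, not PingOne code) of code issue and exchange."""

    def __init__(self, client_grant_types, clock=time.time):
        self.grant_types = set(client_grant_types)
        self.clock = clock          # injectable so expiry can be exercised offline
        self._codes = {}            # authorization code -> issue time

    def issue_code(self):
        if "authorization_code" not in self.grant_types:
            raise PermissionError("client not configured for authorization_code")
        code = secrets.token_urlsafe(16)
        self._codes[code] = self.clock()
        return code

    def refresh_allowed(self):
        # Rule from the page: refresh_token plus authorization_code or device_authorization
        return "refresh_token" in self.grant_types and bool(
            self.grant_types & {"authorization_code", "device_authorization"})

    def exchange_code(self, code):
        # pop() makes the code single-use, as RFC 6749 section 4.1.2 requires
        issued_at = self._codes.pop(code, None)
        if issued_at is None:
            return {"error": "invalid_grant", "error_description": "unknown or used code"}
        if self.clock() - issued_at > CODE_TTL_SECONDS:
            return {"error": "invalid_grant", "error_description": "code expired"}
        tokens = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}
        if self.refresh_allowed():
            tokens["refresh_token"] = secrets.token_urlsafe(24)
        return tokens


def demo():
    now = [1_000_000.0]                      # constructed fake clock value
    clock = lambda: now[0]
    with_refresh = ToyAuthServer({"authorization_code", "refresh_token"}, clock)
    no_refresh = ToyAuthServer({"authorization_code"}, clock)
    fresh = with_refresh.exchange_code(with_refresh.issue_code())
    plain = no_refresh.exchange_code(no_refresh.issue_code())
    stale_code = with_refresh.issue_code()
    now[0] += CODE_TTL_SECONDS + 1           # 10 minutes and 1 second later
    stale = with_refresh.exchange_code(stale_code)
    return fresh, plain, stale
```

Calling demo() returns three token responses: one with a refresh token, one without, and an invalid_grant error for the code redeemed after its lifetime.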