PingOne

Configuring OAuth 2.0 token exchange

PingOne supports OAuth 2.0 token exchange as an extension of OAuth 2.0, allowing an application to exchange a security token it already has for an access token to access a custom resource. Learn more about the RFC 8693 - OAuth 2.0 Token Exchange specification in the Internet Engineering Task Force (IETF) documentation.

OAuth 2.0 token exchange improves security because a client can obtain a new token with a narrower scope or a different audience instead of forwarding the broader token it already holds, and it preserves a seamless user experience because the user does not have to re-authenticate when accessing multiple resources.

OAuth 2.0 token exchange enables the following use cases:

  • Impersonation: Allows an application to act as the user. The access token represents the user’s identity, and the custom resource handles the request as if it came from the user.

  • Delegation: Allows an application to act on behalf of a user. The access token contains information about the user (subject) and the application performing the action (actor) on the user’s behalf.

  • Machine-to-machine interaction: Enables server-to-server communication without user involvement.

How it works

OAuth 2.0 token exchange allows an application (client) in PingOne to send a request to the token endpoint before it accesses a protected resource. In that request, the application:

  • Uses the token exchange grant type (urn:ietf:params:oauth:grant-type:token-exchange)

  • Provides the required subject token and an optional actor token as inputs

    • The subject token is the original security token and identifies the entity (user or application) for which the new token is being requested.

    • The actor token identifies the entity making the request on behalf of the subject, as in delegation scenarios. It is sent together with its token type.

  • Specifies the type of each input token (subject_token_type and, if present, actor_token_type) and the type of token it wants back (requested_token_type)
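The request and response shapes described above, as an added example (Python, not code from the PingOne documentation): it builds the RFC 8693 form parameters for an impersonation request (subject token only) and a delegation request (subject token plus actor token), validates the required fields of a token exchange response, and tells an impersonation token from a delegation token by the presence of the "act" claim. The token endpoint URL, token values, audience, and subject and actor identifiers are constructed placeholders. The JWT decoder deliberately skips signature verification and is for inspection only; a resource server must verify the signature, issuer, audience and expiry before trusting any claim.

```python
"""Build RFC 8693 token exchange requests and inspect the exchanged token.

Example code, not PingOne's own. Endpoint, tokens and identities below are
constructed placeholders.
"""
import base64
import json
from urllib.parse import urlencode

# Grant type (RFC 8693 section 2.1) and token type identifiers (section 3).
GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"

# Assumed endpoint; substitute your environment's token endpoint.
TOKEN_ENDPOINT = "https://auth.example.com/as/token"


def build_token_exchange_request(subject_token, subject_token_type,
                                 actor_token=None, actor_token_type=None,
                                 audience=None, scope=None,
                                 requested_token_type=TOKEN_TYPE_ACCESS):
    """Return the form parameters of a token exchange request.

    Impersonation sends only the subject token; delegation adds an actor token.
    RFC 8693 requires actor_token_type whenever actor_token is present.
    """
    if (actor_token is None) != (actor_token_type is None):
        raise ValueError("actor_token and actor_token_type must be sent together")
    params = {
        "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "requested_token_type": requested_token_type,
    }
    if actor_token is not None:
        params["actor_token"] = actor_token
        params["actor_token_type"] = actor_token_type
    if audience:
        params["audience"] = audience      # restrict the new token to one resource
    if scope:
        params["scope"] = scope            # down-scope relative to the subject token
    return params


def encode_form(params):
    """application/x-www-form-urlencoded body for the POST to the token endpoint."""
    return urlencode(params)


def check_exchange_response(resp):
    """Reject a response missing the fields RFC 8693 section 2.2.1 requires."""
    for key in ("access_token", "issued_token_type", "token_type"):
        if key not in resp:
            raise ValueError("token exchange response missing " + key)
    if resp["token_type"] not in ("Bearer", "N_A"):
        raise ValueError("unexpected token_type " + str(resp["token_type"]))
    return resp["access_token"]


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_payload(token):
    """Decode a compact JWS payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_jwt(payload):
    """Constructed, unsigned token for the demonstration; never accept such a token."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return header + "." + body + "."


def classify_exchanged_token(payload):
    """Return (kind, subject, actor chain); delegation is marked by 'act' (RFC 8693 s.4.1)."""
    act = payload.get("act")
    if act is None:
        return "impersonation", payload.get("sub"), None
    chain = []                       # 'act' nests when delegation happens more than once
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return "delegation", payload.get("sub"), chain


if __name__ == "__main__":
    user_token = make_unsigned_jwt({"sub": "alice@example.com"})
    app_token = make_unsigned_jwt({"sub": "orders-backend"})
    print("POST", TOKEN_ENDPOINT)
    print(encode_form(build_token_exchange_request(
        user_token, TOKEN_TYPE_JWT, audience="https://api.example.com/orders")))
    print(encode_form(build_token_exchange_request(
        user_token, TOKEN_TYPE_JWT, app_token, TOKEN_TYPE_JWT, scope="orders:read")))
    issued = make_unsigned_jwt({"sub": "alice@example.com", "act": {"sub": "orders-backend"}})
    print(classify_exchanged_token(jwt_payload(issued)))
```

The resource receiving the exchanged token should branch on the result of classify_exchanged_token: an impersonation token is handled exactly as a request from the subject, while a delegation token lets the resource log or authorize on both the subject and the actor chain.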

What you’ll do

To enable token exchange in PingOne, you can set up the following use cases:

  • Impersonation: Set up an application to act as the user and retrieve information from a custom resource.

  • Delegation: Set up an application to act on behalf of the user when retrieving information from a custom resource.

  • Machine-to-machine interaction: Set up a backend application that can retrieve information from a custom resource without user interaction.

Before you begin

To configure any of the OAuth 2.0 token exchange use cases, you’ll need:

  • A PingOne organization. Learn more in Starting a PingOne trial.

  • A PingOne environment with the PingOne SSO service added.