PingOne

Configuring OAuth 2.0 token exchange

PingOne supports OAuth 2.0 token exchange, which lets an application exchange a security token it already holds for an access token for a custom resource. Token exchange is defined in RFC 8693 - OAuth 2.0 Token Exchange; learn more in the Internet Engineering Task Force (IETF) documentation.

OAuth 2.0 token exchange improves security because the application obtains a new token whose scope and audience are restricted to the resource it is about to call, instead of forwarding its original, broader token. It also provides a seamless user experience: the user does not have to reauthenticate each time the application accesses another resource.

PingOne supports many OAuth 2.0 token exchange use cases, including the following examples:

  • Impersonation: Allows an application to act as the user. The issued access token represents only the user’s identity, so the custom resource cannot tell that the request passed through the application and handles it as if it came from the user.

  • Delegation: Allows an application to act on behalf of a user. The issued access token identifies both the user (subject) and the application performing the action (actor), so the custom resource knows who is calling and on whose behalf.

  • Machine-to-machine interaction: Enables server-to-server communication and shields downstream resources from the original upstream caller: the downstream resource receives a token issued for the intermediate service rather than the caller’s original token.

How it works

With OAuth 2.0 token exchange, an application (client) in PingOne sends a request to the token endpoint before calling a protected resource. In that request, the application:

  • Uses the token exchange grant type (grant_type=urn:ietf:params:oauth:grant-type:token-exchange).

  • Provides the required subject token (subject_token) and, optionally, an actor token (actor_token) as inputs.

    • The subject token is the original security token. It identifies the entity (user or application) for which the new token is being requested.

    • The actor token provides additional information about the request. For example, it identifies the entity acting on behalf of the subject, as in delegation scenarios.

  • Specifies the type of each input token (subject_token_type and, when an actor token is sent, actor_token_type) and the type of token it wants back (requested_token_type).
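The request shape described above, and the checks a custom resource should make on the token that comes back, as an added example that is not PingOne's own code. It builds the RFC 8693 form parameters for the impersonation and delegation cases and verifies that a decoded token is bound to the expected audience (aud), still represents the subject (sub), and carries an act claim only when delegation was requested. The token endpoint URL, the orders API name, the client identifiers and the tokens are constructed placeholders, and decode_jwt_claims does not verify the signature; a resource server must verify the token against the issuer's JWKS before trusting any claim.

```python
# Added example (not PingOne's own code): build an RFC 8693 token exchange
# request and sanity-check the claims of the token that is issued in return.
import base64
import json
from urllib.parse import urlencode

GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"

# Placeholders (assumed values): take the token endpoint from your PingOne
# environment's OIDC discovery document and use your own resource name.
TOKEN_ENDPOINT = "https://auth.pingone.com/{envID}/as/token"
ORDERS_API = "https://orders.example.com"


def build_exchange_request(subject_token, *, audience, scope=None,
                           actor_token=None,
                           subject_token_type=TOKEN_TYPE_ACCESS,
                           actor_token_type=TOKEN_TYPE_ACCESS,
                           requested_token_type=TOKEN_TYPE_ACCESS):
    """Return the form parameters for a token exchange request.

    Impersonation: pass only subject_token. Delegation: also pass actor_token,
    which RFC 8693 section 2.1 requires to be accompanied by actor_token_type.
    """
    params = {
        "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "requested_token_type": requested_token_type,
        "audience": audience,  # bind the new token to one downstream resource
    }
    if scope:
        params["scope"] = scope  # narrow the new token further
    if actor_token is not None:
        params["actor_token"] = actor_token
        params["actor_token_type"] = actor_token_type
    return params


def encode_form(params):
    """application/x-www-form-urlencoded body to POST to the token endpoint."""
    return urlencode(params)


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (local inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_exchanged_token(claims, *, audience, subject, actor=None):
    """Return the names of the checks that failed (empty list: all passed).

    aud: the token must be restricted to the resource it was requested for.
    sub: the exchange must not change who the token represents.
    act: delegation tokens must name the actor in the act claim; an
         impersonation token must not carry one (RFC 8693 section 4.1).
    """
    failed = []
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        failed.append("aud")
    if claims.get("sub") != subject:
        failed.append("sub")
    act = claims.get("act")
    if actor is None:
        if act is not None:
            failed.append("act")
    elif not isinstance(act, dict) or act.get("sub") != actor:
        failed.append("act")
    return failed


def constructed_jwt(claims):
    """Build an UNSIGNED token for this offline demo only; never accept
    alg=none tokens in a real resource server."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


if __name__ == "__main__":
    user_token = constructed_jwt({"sub": "user-123", "aud": "https://portal.example.com"})
    app_token = constructed_jwt({"sub": "app-abc"})
    # Delegation: the portal application acts on behalf of user-123 toward the orders API.
    req = build_exchange_request(user_token, audience=ORDERS_API,
                                 scope="orders:read", actor_token=app_token)
    print("POST", TOKEN_ENDPOINT)
    print(encode_form(req))
    # Constructed stand-in for the token the authorization server would issue.
    issued = constructed_jwt({"sub": "user-123", "aud": ORDERS_API,
                              "scope": "orders:read", "act": {"sub": "app-abc"}})
    print(check_exchanged_token(decode_jwt_claims(issued), audience=ORDERS_API,
                                subject="user-123", actor="app-abc"))
```

For impersonation, call build_exchange_request without actor_token and check the issued token with actor=None; a token that unexpectedly carries an act claim, or whose aud is not the resource you asked for, should be rejected by the resource rather than used.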

What you’ll do

To enable token exchange in PingOne, you’ll set up one or more of the following use cases:

  • Impersonation: Set up an application to act as the user and retrieve information from a custom resource.

  • Delegation: Set up an application to act on behalf of the user when retrieving information from a custom resource.

  • Machine-to-machine interaction: Set up a backend application to retrieve information from a custom resource, which then retrieves additional information from another resource without exposing that call to the application.

Before you begin

To configure any of the OAuth 2.0 token exchange use cases, you’ll need:

  • A PingOne organization. Learn more in Starting a PingOne trial.

  • A PingOne environment with the PingOne SSO service added.