Authorization
Authorization is the act of determining whether an authenticated user is allowed to access a resource or perform an action.
In PingOne Advanced Identity Cloud, you use authorization policies to control access to applications, APIs, and protected resources. You can evaluate these policies during authentication, when a client requests access, or when a user must approve a sensitive action before proceeding.
The following table describes some of the use cases for authorization:
| Item | Description |
|---|---|
Application authorization in journeys |
Application journeys let you enforce application-specific access rules during sign-on. For example, you can associate a journey with an OIDC or SAML application and use the App Policy Decision node to evaluate whether the authenticated user is allowed to access that application. Learn more in Authorize application access in journeys. |
Transactional authorization |
Transactional authorization requires a user to authorize each access to a protected resource. For example, a user might need to approve a financial transaction with a one-time password (OTP) or confirm an action with a push notification. Access is granted only for that single request, and later attempts require authorization again. Learn more in Authorize one-time access with transactional authz. |
Dynamic OAuth 2.0 authorization |
Dynamic OAuth 2.0 authorization uses policies to grant or deny requested scopes at runtime. This lets Advanced Identity Cloud decide which scopes to allow for a specific user, client, or request context instead of always granting the same scopes for every token request. Learn more in Dynamic OAuth 2.0 authorization. |
This section describes the following authorization use case in more detail.
| Use case | Description |
|---|---|
Control access to an OIDC application by evaluating the application’s access policy in a journey during authentication. |