---
title: Integrating an OIDC application
description: After you add or update an OIDC application, you need to integrate it with PingOne for Enterprise.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_integrate_oidc_application
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_integrate_oidc_application.html
revdate: March 30, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
  code-grant-type: Code grant type
  implicit-grant-type: Implicit grant type
  hybrid-grant-type: Hybrid grant type
---

# Integrating an OIDC application

After you [add or update an OIDC application](../pingone_sso_for_saas_apps/p14saas_add_update_oidc_app.html), you need to integrate it with PingOne for Enterprise.

## About this task

After adding an OpenID Connect (OIDC) application, you need to integrate the application with PingOne for Enterprise, which will act as the OAuth provider (OP) for your application. Your application then needs to request authorization from the PingOne for Enterprise OAuth authorization endpoint when users attempt to single sign-on (SSO) to the application.

See the [OpenID Connect Core 1.0 specification](https://openid.net/specs/openid-connect-core-1_0.html) for reference when integrating the application.

PingOne for Enterprise returns OIDC user attributes in different ways depending on the `response_type` parameter.

The contents of the ID token depend on whether or not the application also returns an access token (that is, whether the `response_type` includes `token`).

If an access token is returned, the application returns an ID token containing the `sub` and, if requested, `email` scopes. The userinfo endpoint contains all of the attributes for the requested scopes, as well as any attributes configured on the **User Info** tab for the application, if the `openid` scope was requested.

If an access token is not returned, the ID token contains all of the attributes for the requested scopes, as well as any attributes configured on the **User Info** tab for the application, if the `openid` scope was requested. The userinfo endpoint is inaccessible in this case because no access token is issued.

The access token contains attributes configured at **Applications > OAuth Settings > Access Token**.

For more information, see [Configuring your OAuth settings](p14e_configure_oauth_settings.html).

The authorization request flow depends on the grant type you have selected for the application. The grant type can be **Authorization code**, **Implicit**, or a hybrid (both code and implicit).

For more information, see [OIDC application grant types](p14e_oidc_app_grant_types.html).

## Steps

1. Go to **Applications > My Applications > OIDC**.

2. Click **Expand** to display the summary page for the OIDC application to integrate.

   ### Result:

   The PingOne for Enterprise **Discovery URL** for the application is displayed in the **Details** section. The application's client ID value is part of the URL.

3. In a new browser tab, enter the **Discovery URL**.

   ### Result:

   PingOne for Enterprise returns OIDC configuration information, including the endpoints you will use to integrate the application.


## Code grant type

For any grant type, the application needs to send the authorization request to the PingOne for Enterprise authorization endpoint returned by the **Discovery URL** (`https://sso.connect.pingidentity.com/sso/as/authorization.oauth2`).

PingOne for Enterprise validates the `redirect_uri` parameter against the list of redirect URIs specified in the application's configuration. You can find these URIs in the **Authentication Flow** section on the application summary page. If the `redirect_uri` is valid, PingOne for Enterprise sends the response to the specified redirect URI.

If your application uses an authorization code grant type, PingOne for Enterprise uses the following process to complete the authorization request:

1. The application sends an authorization request for a code grant type.

   Here is an example of an authorization request URI:

   ```
   https://sso.connect.pingidentity.com/sso/as/authorization.oauth2?client_id=5f65fdde-44e2-4d1c-be2b-41d5e0d6b903&response_type=code&redirect_uri=https://localhost&scope=openid
   ```

   The following table describes the parameters that make up the authorization request URI.

   | Parameter | Description |
   | --- | --- |
   | `client_id` | Your client ID, assigned by PingOne for Enterprise. You can find this value on the **Details** tab. |
   | `scope` | The user resources that can be accessed by the application. The `openid` scope is expected to be specified, either as the sole scope value or one of the scope values. |
   | `response_type` | This must be `code`. An authorization code is then returned in the response. |
   | `code_challenge` | This PKCE parameter is either plain text or a cryptographic hash of a random string. The random string or plain text must be a `code_verifier` value that you will include in the subsequent token request.<br><br>Use PKCE only when you aren't using a client secret (that is, when the token request doesn't include `client_secret`).<br><br>For more information, see [OAuth 2.0 RFC 7636](https://tools.ietf.org/html/rfc7636). |
   | `code_challenge_method` | This PKCE parameter is required only when `code_challenge` is specified. This can be either:<br>- `plain` when the `code_challenge` value is plain text<br>- `S256` when the `code_challenge` value is an SHA-256 cryptographic hash<br><br>When you subsequently include the `code_verifier` value in the token request, the `code_challenge` value and the `code_verifier` value must match. For more information, see [OAuth 2.0 RFC 7636](https://tools.ietf.org/html/rfc7636). |

2. The PingOne for Enterprise authorization endpoint returns the authorization code to the application.

   The HTTPS response will be similar to this:

   ```
   https://localhost/?code=I0YAW2EWll_V8xH4m6b7IJ3WWD1wNZ5BnvkCQw7gknp4z2gQkHCM66AHsbCLA7
   ```

3. The application uses the authorization code returned in the response to request an access token and ID token from the PingOne for Enterprise token endpoint, <https://sso.connect.pingidentity.com/sso/as/token.oauth2>.

   Here is an example request using cURL:

   ```shell
   # Exchange the authorization code for tokens. TLS certificate verification stays enabled (no -k) because the request carries the client secret.
   curl -X POST -H "Accept: application/json" -d 'client_id=cdd237bb-3404-4ad4-90eb-d2e2528xxxxx&client_secret=CpquMknCg9An9Up1Ys2mnVEdKkCDaxtJcJG4adFPBDnPU6SBp7VNGUhyTmaJXXmpR&grant_type=authorization_code&code=ID5d7d1770409374639980ce161952fda57b21db562ff8320b020000016543fxxxxx&redirect_uri=https://example.com' https://sso.connect.pingidentity.com/sso/as/token.oauth2
   ```

   Because the authorization request did not include PKCE parameters, the token request must use the client secret value assigned when the application was added to PingOne for Enterprise. You can find the assigned client secret in the **Details** tab.

4. The application validates the `id_token` returned. For more information, see the [OpenID Connect Core 1.0 specification](https://openid.net/specs/openid-connect-core-1_0.html).

5. The application can also optionally validate the access token returned.

   Use the PingOne for Enterprise introspection endpoint returned by the **Discovery URL**, `https://sso.connect.pingidentity.com/sso/as/introspect.oauth2`, to validate the access token.

   For access tokens that are signed rather than encrypted, you can also use the JWKS URI returned by the **Discovery URL**, `https://sso.connect.pingidentity.com/sso/as/jwks`.

   You can see your access token settings at **Applications > My Applications > OAuth Settings**. For more information, see [Configuring your OAuth settings](p14e_configure_oauth_settings.html).

## Implicit grant type

For any grant type, the application needs to send the authorization request to the PingOne for Enterprise authorization endpoint returned by the **Discovery URL** (`https://sso.connect.pingidentity.com/sso/as/authorization.oauth2`).

PingOne for Enterprise validates the `redirect_uri` parameter against the list of redirect URIs specified in the application's configuration. You can find these URIs in the **Authentication Flow** section on the application summary page. If the `redirect_uri` is valid, PingOne for Enterprise sends the response to the specified redirect URI.

If your application uses an implicit grant type, PingOne for Enterprise uses the following process to complete the authorization request:

1. The application sends an authorization request for an implicit grant type.

   Here is an example of an authorization request URI:

   ```
   https://sso.connect.pingidentity.com/sso/as/authorization.oauth2?client_id=5f65fdde-44e2-4d1c-be2b-41d5e0d6b903&response_type=token%20id_token&redirect_uri=https://localhost&scope=openid&nonce=123
   ```

   The following table describes the parameters that make up the authorization request URI.

   | Parameter | Description |
   | --- | --- |
   | `client_id` | Your client ID, assigned by PingOne for Enterprise. You can find this value on the **Details** tab. |
   | `scope` | The user resources that can be accessed by the application. The `openid` scope is expected to be specified, either as the sole scope value or one of the scope values.<br><br>When `openid` is not specified and the `response_type` value indicates `id_token`, an `id_token` is not returned. |
   | `response_type` | This can either be `id_token`, `token` (access token), or both. The token or tokens specified are returned in the response. |
   | `nonce` | This is used to securely associate `client_id` with `id_token`. For more information, see [OpenID Connect Core 1.0 Nonce Implementation Notes](https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes). |

2. The PingOne for Enterprise authorization endpoint returns the `response_type` value to the application.

   If you included `id_token` and `token` in the authorization request, as in the example, an access token is returned with the `id_token` value in the response.

   The HTTPS response will be similar to this:

   ```
   https://localhost/#access_token=<access_token>&token_type=Bearer&id_token=<id_token>
   ```

3. If an `id_token` was included in the authorization request, the application validates the `id_token` returned.

   For more information, see the [OpenID Connect Core 1.0 specification](https://openid.net/specs/openid-connect-core-1_0.html).

4. The application can also optionally validate the token (access token) returned.

   Use the PingOne for Enterprise introspection endpoint returned by the **Discovery URL**, `https://sso.connect.pingidentity.com/sso/as/introspect.oauth2`, to validate the access token.

   For access tokens that are signed rather than encrypted, you can also use the JWKS URI returned by the **Discovery URL**, `https://sso.connect.pingidentity.com/sso/as/jwks`.

   You can see your access token settings at **Applications > My Applications > OAuth Settings**. For more information, see [Configuring your OAuth settings](p14e_configure_oauth_settings.html).

## Hybrid grant type

For any grant type, the application needs to send the authorization request to the PingOne for Enterprise authorization endpoint returned by the **Discovery URL** (`https://sso.connect.pingidentity.com/sso/as/authorization.oauth2`).

PingOne for Enterprise validates the `redirect_uri` parameter against the list of redirect URIs specified in the application's configuration. You can find these URIs in the **Authentication Flow** section on the application summary page. If the `redirect_uri` is valid, PingOne for Enterprise sends the response to the specified redirect URI.

If your application uses both code and implicit grant types, PingOne for Enterprise uses the following process to complete the authorization request:

1. Your application sends an authorization request for a hybrid grant type.

   Here's an example of an authorization request URI:

   ```
   https://sso.connect.pingidentity.com/sso/as/authorization.oauth2?client_id=5f65fdde-44e2-4d1c-be2b-41d5e0d6b903&response_type=code%20token%20id_token&redirect_uri=https://localhost&scope=openid&nonce=123
   ```

   The following table describes the parameters contained in the authorization request URI.

   | Parameter | Description |
   | --- | --- |
   | `client_id` | Your client ID, assigned by PingOne for Enterprise. You can find this value on the **Details** tab. |
   | `scope` | The user resources that can be accessed by the application. The `openid` scope is expected to be specified, either as the sole scope value or one of the scope values.<br><br>When `openid` isn't specified and the `response_type` value indicates `id_token`, an `id_token` isn't returned. |
   | `response_type` | This can be any or all of the following:<br>- `code`<br>- `id_token` (as in the above example)<br>- `token` (access token)<br><br>The specified tokens are returned in the response along with the authorization code. |
   | `nonce` | Required when `id_token` is included in `response_type`. It is used to securely associate `client_id` with `id_token`. For more information, see [OpenID Connect Core 1.0 Nonce Implementation Notes](https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes). |
   | `code_challenge` | This PKCE parameter is either plain text or a cryptographic hash of a random string. The random string or the plain text must be the `code_verifier` value that you will include in the subsequent token request.<br><br>Use PKCE only when you aren't using a client secret (that is, when the token request doesn't include `client_secret`). |
   | `code_challenge_method` | This PKCE parameter is required only when `code_challenge` is specified. This can be either:<br>- `plain` when the `code_challenge` value is plain text<br>- `S256` when the `code_challenge` value is an SHA-256 cryptographic hash<br><br>When you subsequently include the `code_verifier` value in the token request, the `code_challenge` value and the `code_verifier` value must match. |

2. The PingOne for Enterprise authorization endpoint returns the `response_type` value or values to the application. If you included `code`, `id_token`, and `token` in the authorization request, as in the example, an authorization code, `access_token`, and `id_token` are all returned in the response.

   The HTTPS response will be similar to this (using the fragment response method):

   ```
   https://localhost/#code=I09HefT4OVGqJl1r-HrycCWsIG-rTNBN4BC_P_AyGsw0bEeTdintMtGjWMBfxL&access_token=<access_token>&token_type=Bearer&id_token=<id_token>
   ```

3. If an `id_token` was included in the authorization request, the application validates the `id_token` returned.

   For more information, see the [OpenID Connect Core 1.0 specification](https://openid.net/specs/openid-connect-core-1_0.html).

4. If a `token` (access token) was included in the authorization request, the application can also optionally validate the access token returned.

   Use the PingOne for Enterprise introspection endpoint returned by the **Discovery URL**, `https://sso.connect.pingidentity.com/sso/as/introspect.oauth2`, to validate the access token.

   For access tokens that are signed rather than encrypted, you can also use the JWKS URI returned by the **Discovery URL**, `https://sso.connect.pingidentity.com/sso/as/jwks`.

   You can see your access token settings at **Applications > My Applications > OAuth Settings**. For more information, see [Configuring your OAuth settings](p14e_configure_oauth_settings.html).
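
The `id_token` validation step in the implicit and hybrid flows, as an added Python example (not PingOne for Enterprise code): it parses the fragment response, verifies the RS256 signature against a JWKS document, and checks `iss`, `aud`, `exp`, `nonce`, and the `at_hash` binding to the access token. It assumes RS256-signed ID tokens whose key is published at the JWKS URI and an issuer value taken from the discovery document; function names are illustrative, and the signature check uses only the standard library so the example has no dependencies, where an application would normally call a maintained JOSE library.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkcs1_sha256_encoding(message, size):
    """Encoded message that a valid RS256 signature must decrypt to."""
    digest_info = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (size - len(digest_info) - 3) + b"\x00" + digest_info


def verified_claims(jwt, jwks):
    """Verify the RS256 signature against a JWKS document; return the payload."""
    header_b64, payload_b64, signature_b64 = jwt.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # pin the algorithm, do not follow the header
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWKS key for kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    size = (n.bit_length() + 7) // 8
    signature = b64url_decode(signature_b64)
    if len(signature) != size or int.from_bytes(signature, "big") >= n:
        raise ValueError("bad signature")
    decrypted = pow(int.from_bytes(signature, "big"), e, n).to_bytes(size, "big")
    expected = pkcs1_sha256_encoding(f"{header_b64}.{payload_b64}".encode("ascii"), size)
    if not hmac.compare_digest(decrypted, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def at_hash(access_token):
    """Left half of SHA-256 over the access token, base64url-encoded."""
    return b64url_encode(hashlib.sha256(access_token.encode("ascii")).digest()[:16])


def validate_fragment_response(url, jwks, issuer, client_id, nonce, now=None):
    """Validate id_token, and its binding to access_token, from a redirect URI."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}
    claims = verified_claims(params["id_token"], jwks)
    now = time.time() if now is None else now
    audience = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if client_id not in (audience if isinstance(audience, list) else [audience]):
        raise ValueError("aud mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:  # must equal the nonce sent in the request
        raise ValueError("nonce mismatch")
    if "access_token" in params and claims.get("at_hash") != at_hash(params["access_token"]):
        raise ValueError("at_hash mismatch")
    return claims
```

Pass the full redirect URI the browser landed on, the parsed JSON from the JWKS URI, and the `nonce` your application stored before redirecting the user.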
