Code grant type
For any grant type, the application needs to send the authorization request to the PingOne SSO for SaaS Apps authorization endpoint returned by the Discovery URL (https://sso.connect.pingidentity.com/sso/as/authorization.oauth2).
PingOne SSO for SaaS Apps sends the response to the authorization request to the URL you assigned to the Redirect (Callback) URI setting when you created the application. You can find this URL in the Authentication Flow section on the application summary page.
PingOne SSO for SaaS Apps validates the redirect_uri parameter against the list of redirect URIs specified in the application’s configuration. You can find these URIs in the Authentication Flow section on the application summary page. If the redirect_uri is valid, PingOne SSO for SaaS Apps sends the response to the specified redirect URI.
If your application uses an authorization code grant type, PingOne SSO for SaaS Apps uses the following process to complete the authorization request:
- The application sends an authorization request for a code grant type. Here is an example of an authorization request URI:
  https://sso.connect.pingidentity.com/sso/as/authorization.oauth2?client_id=cdd237bb-3404-4ad4-90eb-d2e2528xxxxx&scope=openid&response_type=code
  The following table describes the parameters that make up the authorization request URI.

  | Parameter | Description |
  |---|---|
  | client_id | Your client ID, assigned by PingOne for Enterprise. You can find this value on the Details tab. |
  | scope | The user resources that the application can access. The openid scope is expected to be specified, either as the sole scope value or as one of the scope values. |
  | response_type | Must be code. An authorization code is then returned in the response. |
  | code_challenge | This PKCE parameter is either the plain-text value or a cryptographic hash of a random string. That random string is the code_verifier value you include in the subsequent token request. Use PKCE only when you are not using a client secret, that is, when you do not include client_secret in the token request. For more information, see OAuth 2.0 RFC 7636. |
  | code_challenge_method | This PKCE parameter is required only when code_challenge is specified. It is either plain (code_challenge is the plain-text code_verifier) or S256 (code_challenge is the SHA-256 cryptographic hash of the code_verifier). When you subsequently include the code_verifier value in the token request, the code_challenge value and the code_verifier value must match. For more information, see OAuth 2.0 RFC 7636. |
  | login_hint | Used to specify either the idpid or an email domain. If you specify the idpid, the user is redirected to the IdP associated with that idpid value for the current application, identified in PingOne SSO for SaaS Apps by the saasid parameter. If you specify an email domain as the login_hint value, the domain must be included in the IdP Discovery configuration for the application and tenant. For more information, see the IdP Discovery documentation for your connection type. |

- The PingOne for Enterprise authorization endpoint returns the authorization code to the application. The HTTPS response will be similar to this:
  https://example.com/#code=IDa4e54a98b90b234476819295a791e4a95bbb9a6e1a3095b50200000164fbeb8b43
- The application uses the authorization code returned in the response to request an access token and ID token from the PingOne for Enterprise token endpoint, https://sso.connect.pingidentity.com/sso/as/token.oauth2. Here is an example request using cURL:

  curl -k -X POST -H "Accept: application/json" \
    -d 'client_id=cdd237bb-3404-4ad4-90eb-d2e2528xxxxx&client_secret=CpquMknCg9An9Up1Ys2mnVEdKkCDaxtJcJG4adFPBDnPU6SBp7VNGUhyTmaJXXmpR&grant_type=authorization_code&code=ID5d7d1770409374639980ce161952fda57b21db562ff8320b020000016543fxxxxx&redirect_uri=https://example.com' \
    https://sso.connect.pingidentity.com/sso/as/token.oauth2

  Because the authorization request did not include PKCE parameters, the token request must use the client secret value assigned when the application was added to PingOne SSO for SaaS Apps. You can find the assigned client secret in the Details tab. Note that the -k option disables TLS certificate verification; use it only against a test environment, never in production code.
- The application validates the id_token returned. For more information, see the OpenID Connect Core 1.0 specification.
- The application can also optionally validate the access token returned. Use the PingOne for Enterprise introspection endpoint returned by the Discovery URL, https://sso.connect.pingidentity.com/sso/as/introspect.oauth2, to validate the access token. For access tokens that are signed rather than encrypted, you can also use the JWKS URI returned by the Discovery URL, https://sso.connect.pingidentity.com/sso/as/jwks. You can see your access token settings at Applications > My Applications > OAuth Settings. For more information, see Configuring your OAuth settings.
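The following is an added example, not code from the PingOne documentation, showing how the code_challenge and code_verifier pair described in the parameter table is produced (per RFC 7636), how it is placed in the authorization request URI from step 1, and the check the authorization server performs when code_verifier arrives in the token request. The client_id and redirect_uri values used are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Authorization endpoint returned by the Discovery URL.
AUTHZ_ENDPOINT = "https://sso.connect.pingidentity.com/sso/as/authorization.oauth2"

def b64url(data: bytes) -> str:
    """RFC 7636 base64url encoding: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier; 32 bytes give 43 characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(n_bytes))

def code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive code_challenge from code_verifier for the given code_challenge_method."""
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method: {method}")

def build_authorization_url(client_id: str, redirect_uri: str, verifier: str,
                            method: str = "S256", scope: str = "openid") -> str:
    """Authorization request URI with the page's parameters plus the PKCE pair."""
    params = {
        "client_id": client_id,
        "scope": scope,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge(verifier, method),
        "code_challenge_method": method,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

def verifier_matches_challenge(verifier: str, challenge: str, method: str) -> bool:
    """The check the authorization server performs on the token request:
    recompute the challenge from code_verifier and compare in constant time."""
    try:
        expected = code_challenge(verifier, method).encode("ascii")
        return secrets.compare_digest(expected, challenge.encode("ascii"))
    except ValueError:  # unknown method or non-ASCII input
        return False

if __name__ == "__main__":
    # Constructed placeholder client_id and redirect_uri, not real values.
    v = make_code_verifier()
    print(build_authorization_url("cdd237bb-3404-4ad4-90eb-d2e2528xxxxx", "https://example.com", v))
    print("code_verifier (keep secret until the token request):", v)
```

The S256 path is the one to use; the plain method only exists for clients that cannot compute SHA-256.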