The extension grant type provides support for additional grant types extending the OAuth2.0 specifications. An example is the use of the SAML 2.0 Bearer extension grant. In this grant type, a SAML assertion (indicated by step 1 below, however the process used to acquire this SAML assertion is out of scope of this document) can be exchanged for an OAuth 2.0 access token (step 2).
| Capability | |
|---|---|
| Browser-based end user interaction | No*1 |
| Can use external IDP for authentication | Yes*2 |
| Requires client authentication | No |
| Requires client to have knowledge of user credentials | No |
| Refresh token allowed | No |
| Access token is in context of end user | Maybe*3 |
*1 - Although the grant type does not allow for user interaction, the process to generate the SAML assertion used in this flow can involve user interaction.
*2 - As long as the PingFederate AS is able to verify the SAML assertion, this assertion can be generated from a foreign STS.
*3 - Access token will be in the context of the subject of the SAML assertion, which may be an end-user a service or the client itself.