The extension grant type provides support for additional grant types that extend the OAuth 2.0 specification. One example is the SAML 2.0 Bearer extension grant. In this grant type, a SAML assertion (step 1 below; the process used to acquire the SAML assertion is out of scope of this document) is exchanged for an OAuth 2.0 access token (step 2).

[Figure: OAuth SAML flow]

Characteristic                                          SAML 2.0 Bearer grant
Browser-based end user interaction                      No *1
Can use external IdP for authentication                 Yes *2
Requires client authentication                          No
Requires client to have knowledge of user credentials   No
Refresh token allowed                                   No
Access token is in context of end user                  Maybe *3

*1 - Although the grant type itself does not involve user interaction, the process that generates the SAML assertion used in this flow can involve user interaction.

*2 - As long as the PingFederate AS is able to verify the SAML assertion, the assertion can be generated by a foreign STS.

*3 - The access token will be in the context of the subject of the SAML assertion, which may be an end user, a service, or the client itself.
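The step 2 exchange above, as an added example that is not code from the page or from PingFederate: the client builds the RFC 7522 token request (grant type `urn:ietf:params:oauth:grant-type:saml2-bearer`, assertion base64url-encoded), and the authorization server checks the assertion's validity window, audience, and bearer subject confirmation before treating its subject as the token context. The token endpoint URL and the sample assertion are constructed; XML signature verification is assumed to happen elsewhere.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"  # placeholder, not a real AS
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # constructed "current time"

# Constructed, unsigned sample assertion (signature verification is out of scope here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://as.example.com/as/token.oauth2</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def build_token_request(assertion_xml: str) -> str:
    """Client side (step 2): form-encoded body of the RFC 7522 token request."""
    b64 = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return urlencode({"grant_type": GRANT, "assertion": b64})

def decode_token_request(body: str) -> str:
    """AS side: recover the assertion XML; reject anything but the SAML bearer grant."""
    params = parse_qs(body)
    if params.get("grant_type") != [GRANT]:
        raise ValueError("unsupported grant_type")
    b64 = params["assertion"][0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)).decode()

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_bearer_assertion(assertion_xml: str, audience: str, now: datetime) -> str:
    """AS side: the RFC 7522 section 3 checks; returns the subject the token will be issued for."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired or has no NotOnOrAfter")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this authorization server")
    subj = root.find("saml:Subject", NS)
    if BEARER not in [c.get("Method") for c in subj.findall("saml:SubjectConfirmation", NS)]:
        raise ValueError("subject confirmation method is not bearer")
    return subj.find("saml:NameID", NS).text  # user, service, or the client itself (*3)
```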