The extension grant type provides support for additional grant types that extend the OAuth 2.0 specification. An example is the SAML 2.0 Bearer extension grant. In this grant type, a SAML assertion (step 1 below; the process used to acquire the SAML assertion is out of scope of this document) is exchanged for an OAuth 2.0 access token (step 2).
| Property | Value |
|---|---|
| Browser-based end user interaction | No*1 |
| Can use external IDP for authentication | Yes*2 |
| Requires client authentication | No |
| Requires client to have knowledge of user credentials | No |
| Refresh token allowed | No |
| Access token is in context of end user | Maybe*3 |
*1 - Although the grant type does not allow for user interaction, the process to generate the SAML assertion used in this flow can involve user interaction.
*2 - As long as the PingFederate AS is able to verify the SAML assertion, this assertion can be generated from a foreign STS.
*3 - The access token will be in the context of the subject of the SAML assertion, which may be an end user, a service, or the client itself.
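The following is an added example, not PingFederate's own code: it shows the step 2 token request a client builds (RFC 7522 form parameters) and the condition checks an AS must pass before binding an access token to the assertion's subject (note *3). The assertion, issuer, audience and subject values are constructed; IdP signature verification is assumed to have already succeeded.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET  # use defusedxml in production: assertions are untrusted input

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant type URI
AUDIENCE = "https://as.example.com/as/token.oauth2"  # assumed AS token endpoint (constructed)
SAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)

# Constructed, unsigned sample assertion for illustration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""" % AUDIENCE

def build_token_request(assertion_xml: str) -> dict:
    """Step 2, client side: form fields POSTed to the token endpoint (no client auth required)."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return {"grant_type": GRANT_TYPE, "assertion": encoded}

def decode_assertion(assertion_param: str) -> str:
    """AS side: undo the base64url encoding (padding is omitted on the wire)."""
    padded = assertion_param + "=" * (-len(assertion_param) % 4)
    return base64.urlsafe_b64decode(padded).decode()

def _ts(value: str) -> dt.datetime:
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def verify_assertion(assertion_xml: str, audience: str, now: dt.datetime) -> str:
    """AS side: checks that must pass before a token is issued; returns the subject the
    token will be bound to (note *3). Signature verification against the IdP is assumed done."""
    root = ET.fromstring(assertion_xml)
    conds = root.find("saml:Conditions", SAML_NS)
    if conds is None:
        raise ValueError("assertion carries no Conditions")
    if not (_ts(conds.get("NotBefore")) <= now < _ts(conds.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audience not in audiences:
        raise ValueError("assertion was not issued for this AS")
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no subject")
    return name_id.text
```

The audience check is what stops an assertion minted for some other service provider from being replayed against the token endpoint, and the validity window bounds how long a captured assertion remains usable.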