Authorization grant is a client redirect based flow. In this scenario:

  1. The user will be redirected to the PingFederate authorization endpoint via the user agent (i.e. web browser). This user agent will be used to authenticate the end user and allow them to grant access to the client.
  2. Once the user has been authorized, and intermediate code will be granted by the authorization server and returned to the client application via the user agent.
  3. Lastly, the client will swap this code for an OAuth access token.

Oauth flow

Browser-based end user interaction Yes
Can use external IDP for authentication Yes
Requires client authentication No*
Requires client to have knowledge of user credentials No
Refresh token allowed Yes
Access token is in context of end user Yes
Note: Although the authorization code grant type does not require a client secret value, there are security implications to exchanging a code for an access token without client authentication.