Page created: 30 Sep 2020 | Page updated: 1 Oct 2020
The authorization code grant is a client redirect-based flow. In this scenario:
- The user is redirected to the PingFederate authorization endpoint via the user agent (i.e. the web browser). The user agent is used to authenticate the end user and let them grant access to the client.
- Once the user has authorized the request, an intermediate code is issued by the authorization server and returned to the client application via the user agent.
- Lastly, the client swaps this code for an OAuth access token.
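The three legs above, modelled offline as an added example (not PingFederate code or code from the original page): the client builds the authorization request with a state value and a PKCE code challenge, a toy stand-in for the authorization server mints a single-use code bound to the client, redirect URI and challenge, and the token exchange re-checks every binding before issuing a token. PKCE (RFC 7636) is the standard way to bind the code to the client in the no-client-authentication case the note below refers to; the endpoint URL, client id, redirect URI and user name are placeholders.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qsl

AUTHZ_ENDPOINT = "https://as.example.com/authorize"  # placeholder, not from the page

def s256(verifier):
    """PKCE S256 challenge (RFC 7636): base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_request(client_id, redirect_uri, state, code_verifier):
    """Leg 1: the URL the user agent is redirected to. state ties the later callback to this
    browser session; code_challenge lets a client without a secret prove it began the flow."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "code_challenge": s256(code_verifier), "code_challenge_method": "S256"}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Client side of leg 2: refuse a callback whose state is not this session's."""
    q = dict(parse_qsl(urlparse(callback_url).query))
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    return q["code"]

class ToyAuthorizationServer:
    """Stand-in for the authorization server: single-use codes bound to client, redirect URI and challenge."""
    def __init__(self):
        self.codes = {}

    def authorize(self, request_url, user):
        """Leg 2: after the user authenticates and consents, mint the intermediate code."""
        q, code = dict(parse_qsl(urlparse(request_url).query)), secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "challenge": q["code_challenge"], "user": user}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Leg 3: swap the code for a token; the code is popped first so a replay yields nothing."""
        rec = self.codes.pop(code, None)
        if rec is None or (rec["client_id"], rec["redirect_uri"]) != (client_id, redirect_uri) \
                or s256(code_verifier) != rec["challenge"]:
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": rec["user"]}

def run_flow(server, client_id="web-app", redirect_uri="https://app.example.com/cb"):
    """Happy path through all three legs; returns the token response."""
    state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    callback = server.authorize(build_authorization_request(client_id, redirect_uri, state, verifier), "alice")
    return server.token(client_id, redirect_uri, parse_callback(callback, state), verifier)
```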
Capability | Supported |
---|---|
Browser-based end user interaction | Yes |
Can use external IDP for authentication | Yes |
Requires client authentication | No* |
Requires client to have knowledge of user credentials | No |
Refresh token allowed | Yes |
Access token is in context of end user | Yes |
Note:
Although the authorization code grant type does not require a client secret value, there are security implications to exchanging a code for an access token without client authentication.