PingFederate STS provides several ways to facilitate the use of issued tokens with an OAuth AS.

OAuth Token Processor

This token processor provides a mechanism through which PingFederate STS can validate an incoming OAuth Bearer access token. The token processor reads and validates the access token and returns any additional user attributes defined for it.

JWT Bearer Token grant type

urn:ietf:params:oauth:grant-type:jwt-bearer

This token request returns a JSON Web Token that a web service client (WSC) can use to request OAuth access tokens from any OAuth AS that supports using JWTs as authorization grants, as defined in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (tools.ietf.org/html/rfc7523).
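As an added example (not PingFederate code), the following Python shows the jwt-bearer exchange from both ends: the STS mints the assertion, the WSC posts it to the AS token endpoint in the form RFC 7523 defines, and the AS validates the assertion before it issues an access token. The issuer and endpoint URLs, the subject and the HS256 shared key are constructed assumptions; a real STS would sign with its private RS256 key.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_assertion(claims: dict, key: bytes) -> str:
    """STS side: sign the claims as a compact JWS. HS256 with a shared key keeps the
    example dependency-free; a real STS signs with its private (RS256) key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def token_request_body(assertion: str) -> str:
    """WSC side: form body posted to the AS token endpoint (RFC 7523 section 2.1)."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})

def validate_assertion(assertion: str, key: bytes, token_endpoint: str, now: int) -> dict:
    """AS side: the checks RFC 7523 section 3 requires before the grant is honoured.
    Raises ValueError on any failure; returns the claims when the assertion is acceptable."""
    header, payload, sig = assertion.split(".")
    # recompute the MAC ourselves; the header's alg field is deliberately not trusted
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload))
    for required in ("iss", "sub", "aud", "exp"):
        if required not in claims:
            raise ValueError(f"required claim missing: {required}")
    # aud may be a string or a list; it must name this AS (its token endpoint)
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if token_endpoint not in aud:
        raise ValueError("assertion was not issued for this AS")
    if now >= claims["exp"]:
        raise ValueError("assertion has expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("assertion is not yet valid")
    return claims

if __name__ == "__main__":
    key = b"constructed-shared-secret"                      # constructed, not a real key
    as_endpoint = "https://as.example.com/as/token.oauth2"  # constructed AS token endpoint
    jwt = mint_assertion({"iss": "https://sts.example.com", "sub": "alice",
                          "aud": as_endpoint, "exp": 1700000600, "iat": 1700000000}, key)
    print(token_request_body(jwt)[:60], validate_assertion(jwt, key, as_endpoint, 1700000300)["sub"])
```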

OAuth Access Token via JWT Bearer Token grant type

oauth-v2:access:token:response|via|urn:ietf:params:oauth:grant-type:jwt-bearer

This proprietary token request is similar to the JWT Bearer Token grant type but returns an OAuth access token directly. Acting as an IdP, PingFederate generates the intermediate JWT and requests an access token from the OAuth AS on behalf of the WSC. (The AS endpoint is obtained from the AppliesTo element of the WS-Trust RST message.)

SAML 2.0 Bearer Assertion grant type

urn:ietf:params:oauth:grant-type:saml2-bearer

This token request returns an encoded SAML assertion that a WSC can use to request OAuth access tokens from any OAuth AS that supports the SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants specification (tools.ietf.org/html/draft-ietf-oauth-saml2-bearer).

OAuth Access Token via SAML 2.0 Bearer Assertion grant type

oauth-v2:access:token:response|via|urn:ietf:params:oauth:grant-type:saml2-bearer

This proprietary token request is similar to the SAML 2.0 Bearer Assertion grant type but returns an OAuth access token directly. Acting as an IdP, PingFederate generates the intermediate, encoded SAML assertion and requests an access token from the OAuth AS on behalf of the WSC. (The AS endpoint is obtained from the AppliesTo element of the WS-Trust RST message.)

These capabilities bridge the WS-Trust client-STS relationship and the trust relationship the same client may have with an OAuth AS, allowing the client to obtain additional resources on behalf of already-authenticated users in follow-on transactions.