The user authorization endpoint allows a user to grant authorization to a device client using a browser on a second device, such as a smart phone or a computer.
Based on the OAuth 2.0 Device Authorization Grant specification, the user goes to the user authorization endpoint of the PingFederate authorization server (AS) to complete the authorization process.
Note:
This endpoint accepts the HTTP GET and POST methods.
Endpoint: /as/user_authz.oauth2
The following table describes the parameter for this endpoint. The required Content-Type value is application/x-www-form-urlencoded when transmitting via the HTTP POST method.

Parameter | Description |
---|---|
user_code (Optional) | The value represents the activation code. |
Both the request and the response follow the specification.
- Sample request

  ```
  POST /as/user_authz.oauth2 HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: www.example.com
  ...

  user_code=QQWP-TJ6B
  ```
- Subsequent responses
  - Phase 1: Activation code verification

    If the verification request does not include an activation code, PingFederate returns the Connect a device (user code prompt) page, prompting the user to enter the activation code shown by the device.
  - Phase 2: Authentication

    PingFederate prompts the user to fulfill the authentication requirements based on OAuth grant mapping configurations and authentication policies.
  - Phase 3: Authorization

    PingFederate returns the Request for Approval page, prompting the user to approve (or deny) the requested scopes. PingFederate skips this step if the Bypass Authorization Approval option is enabled globally or individually for that invoking client and the user has granted authorization for the requested scopes previously.
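
The following added example (not PingFederate code) builds the GET and POST forms of the request described above and rejects a malformed `user_code` before it is encoded into a URL or form body. The helper names and the `XXXX-XXXX` code shape are assumptions taken from the page's sample value; adjust the pattern to the activation code format configured on your AS.

```python
import re
from urllib.parse import urlencode, urlsplit

ENDPOINT = "/as/user_authz.oauth2"  # endpoint path from the page
# Assumption: codes look like the page's sample (QQWP-TJ6B); adjust to your AS.
USER_CODE_RE = re.compile(r"[A-Z0-9]{4}-[A-Z0-9]{4}")


def normalize_user_code(raw):
    """Upper-case, drop spaces/dashes typed by the user, re-insert the dash."""
    compact = re.sub(r"[\s-]", "", raw).upper()
    code = f"{compact[:4]}-{compact[4:]}"
    if not USER_CODE_RE.fullmatch(code):
        raise ValueError("user_code does not match the expected shape")
    return code


def build_user_authz_request(base_url, user_code=None, method="POST"):
    """Return (method, url, headers, body) for the user authorization endpoint."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base_url must be an https:// origin")
    url = f"https://{parts.netloc}{ENDPOINT}"
    # user_code is optional: without it the AS shows the user code prompt (Phase 1).
    params = {"user_code": normalize_user_code(user_code)} if user_code else {}
    encoded = urlencode(params)
    if method == "GET":
        return "GET", url + (f"?{encoded}" if encoded else ""), {}, ""
    if method == "POST":
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        return "POST", url, headers, encoded
    raise ValueError("endpoint accepts only GET and POST")


if __name__ == "__main__":
    # Constructed input: host and code are the page's sample values.
    print(build_user_authz_request("https://www.example.com", "qqwp tj6b"))
    print(build_user_authz_request("https://www.example.com", method="GET"))
```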