In this scenario, a user attempts to access a protected resource through a third-party web server client. The client sends an authorization request to the resource server and receives an authorization code back via an HTTP redirect. The client trades the authorization code for an access token, and then uses the token in a API call to obtain data.

Web redirect flow
User/BrowserUser/BrowserWebsite (client)Website (client)PingFederate ASPingFederate ASRSRS1Request to access resourcesRealizes that this request requiresuser data from another site (RS)2Redirect ...... Authorization requestAuthenticates the userRedirect ...... Authorization code3Token requestAccess token4Request to access user data5Validates access token6Requested user data7Requested resources

Processing steps

  1. User navigates to an OAuth client website (the requesting site) and requests access to protected resources from another website.

    The OAuth client can optionally include the parameter code_challenge (with or without code_challenge_method) to reduce the risk of code interception attack. For more information, see step 3 and Proof Key for Code Exchange by (PKCE) OAuth Public Clients (

  2. The browser is redirected to the PingFederate OAuth AS with a request for authorization.

    If the user is not already logged on, the OAuth AS challenges the user to authenticate. The OAuth AS authenticates the user and prompts for authorization. Once the user authorizes, the OAuth AS redirects the browser to the requesting site with an authorization code. If the user does not authenticate, an error is returned rather than the authorization code.

  3. The requesting site makes an HTTPS request to the OAuth AS to exchange the authorization code for an access token.

    If the OAuth client has provided the optional parameter code_challenge in step 1, it must submit the corresponding code_verifier in this request.

    The OAuth AS validates the grant and user data associated with the code and then returns an access token.

  4. The requesting site uses the access token in an API call to request user data.
  5. The resource server (RS) asks PingFederate for verification that the token is valid and has not expired. PingFederate returns data about the user, the granted scope, and the client ID.
  6. Once verified, the RS returns the requested data to the requesting site.
  7. The requesting site displays data from the API call to the user.