OAuth 2.0 defines a protocol for securing application access to protected resources by issuing access tokens to clients of Representational State Transfer (REST) APIs and non-REST APIs. Rather than authenticating directly to the API with its own credentials or the credentials of a user, the client authenticates by presenting a previously obtained token. The token represents (or contains) a set of attributes and/or policies appropriate to the client and the user. These tokens present less of a security and privacy risk than using secrets (or passwords) directly on the API call. The API uses the attributes to authenticate the call and authorize access.


Client
Wants access to a resource protected by a resource server and interacts with an authorization server to obtain access tokens.
Resource server (RS)
Hosts and protects resources and makes them available to properly authenticated and authorized clients.
Authorization server (AS)
Issues access tokens and refresh tokens to clients on behalf of the resource servers.
Resource owner (RO)
Denies, grants, or revokes authorization to a client requesting access to resources protected by the resource servers. The RO is the end user.


Access Token
Allows clients to authenticate to a resource server and claim authorizations for accessing particular resources. Access tokens have specific authorization scope and duration.
Refresh Token
Allows clients to obtain a fresh access token without re-obtaining authorization from the resource owner. It is a long-lived token that a client can trade in to an authorization server to obtain a new (short-lived) access token (with the same attached authorizations as the existing access token).
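
The token lifecycle described above, as an added example that is not part of the original page and is not PingFederate code: a toy in-memory authorization server and resource-server check, with all class and function names hypothetical. It shows scope and expiry enforcement plus the refresh-token exchange, including the RFC 6749 section 6 rule that a refresh request cannot ask for scope beyond the original grant.

```python
import secrets
import time

class AuthorizationServer:
    """Toy in-memory AS (hypothetical names, not a real product API)."""

    def __init__(self, access_ttl=300):
        self.access_ttl = access_ttl
        self.access = {}    # access token -> (scope set, expiry time)
        self.refresh = {}   # refresh token -> scope set granted by the RO

    def _new_access(self, scope, now):
        token = secrets.token_urlsafe(32)  # opaque, unguessable handle
        self.access[token] = (frozenset(scope), now + self.access_ttl)
        return token

    def issue(self, granted_scope, now=None):
        """Called once the resource owner has granted authorization."""
        now = time.time() if now is None else now
        refresh = secrets.token_urlsafe(32)
        self.refresh[refresh] = frozenset(granted_scope)
        return self._new_access(granted_scope, now), refresh

    def refresh_grant(self, refresh_token, scope=None, now=None):
        """Trade a refresh token for a new short-lived access token."""
        now = time.time() if now is None else now
        granted = self.refresh.get(refresh_token)
        if granted is None:
            raise PermissionError("invalid_grant")
        requested = granted if scope is None else frozenset(scope)
        if not requested <= granted:  # never widen the original grant
            raise PermissionError("invalid_scope")
        return self._new_access(requested, now)

    def revoke(self, refresh_token):
        """RO revokes the grant; issued access tokens still run to expiry."""
        self.refresh.pop(refresh_token, None)

    def introspect(self, access_token, now):
        """Return the token's scope, or an empty set if unknown or expired."""
        scope, expiry = self.access.get(access_token, (frozenset(), 0))
        return scope if now < expiry else frozenset()

def resource_server_allows(as_, access_token, required_scope, now=None):
    """RS check: token must be known, unexpired and carry the scope."""
    now = time.time() if now is None else now
    return required_scope in as_.introspect(access_token, now)
```

Because revoking the refresh token in this sketch leaves already issued access tokens valid until they expire, the access-token lifetime bounds how long a revoked client keeps access.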

PingFederate OAuth AS

Based on the Internet Engineering Task Force (IETF) OAuth 2.0 Authorization Framework (tools.ietf.org/html/rfc6749), the OAuth AS in PingFederate supports a wide variety of interaction models appropriate for different types of clients, such as a server, a desktop application, or an application on a phone or a tablet. As needed, administrators can also enable cross-origin resource sharing (CORS) support for OAuth endpoints.