Assertion grant profile for OAuth 2.0 authorization grants - PingFederate

Page created: 12 Sep 2019 |

Page updated: 18 Mar 2020

| 1 min read

PingFederate 10.0 Product Administration User task OAuth Standards, specifications, and protocols Software Deployment Method Product documentation Content Type Administrator Audience

In this scenario, a client obtains an assertion (a SAML 2.0 bearer assertion or a JWT bearer token) and makes an HTTP request to the PingFederate OAuth AS to exchange the assertion for an access token. The OAuth AS validates the assertion and returns an access token. The client uses the token in an API call to the resource server (RS) to obtain data.

Processing steps

Some user-initiated or client-initiated event (for example, a mobile application or a scheduled task) requests access to Software as a Service (SaaS) protected resources from an OAuth client application.
The client application obtains an assertion from an Identity Provider (IdP); for example, the PingFederate IdP server.
Note:
When using SAML assertions as authorization grants, client applications must obtain assertions that meet the requirements defined in RFC7522. Do not use SAML assertions acquired through Browser SSO profiles here. Refer to the specification for more information.
The client application makes an HTTP request to the PingFederate OAuth AS to exchange the assertion for an access token. The OAuth AS validates the assertion and returns the access token.
The client application adds the access token to its API call to the RS. The RS returns the requested data to the client application.

Assertion grant profile for OAuth 2.0 authorization grants - PingFederate - 10.0

PingFederate Server

Processing steps