In this scenario, a user attempts to access a protected resource through a third-party web server client. The client sends an authorization request to the resource server, and receives an authorization code back through a HTTP redirect. The client trades the authorization code for an access token, and uses the token in an API call to obtain data.

Web redirect flow

Processing steps

  1. User navigates to an OAuth client website and requests access to protected resources from another website. Flow chart depicting the process of web redirect flow between the User/Browser, Website (client), PingFederate AS and RS.

    To reduce the risk of code interception attach, the OAuth client can optionally include the parameter code_challenge with or without code_challenge_method . For more information, see step 3 and Flow chart depicting the process of web redirect flow between the User/Browser,Proof Key for Code Exchange by (PKCE) OAuth Public Clients.

  2. The browser is redirected to the PingFederate OAuth AS with a request for authorization.

    If the user is not logged on, the OAuth AS challenges the user to authenticate. The OAuth AS authenticates the user and prompts for authorization. After the user authorizes, the OAuth AS redirects the browser to the requesting site with an authorization code. If the user does not authenticate, the OAuth AS returns an error rather than the authorization code.

  3. The requesting site makes a HTTPS request to the OAuth AS to exchange the authorization code for an access token.

    If the OAuth client has provided the optional parameter code_challenge in step 1, it must submit the corresponding code_verifier in this request.

    The OAuth AS validates the grant and user data associated with the code and then returns an access token.

  4. The requesting site uses the access token in an API call to request user data.
  5. The RS asks PingFederate for verification that the token is valid and has not expired. PingFederate returns data about the user, the granted scope, and the client ID.
  6. Once verified, the RS returns the requested data to the requesting site.
  7. The requesting site displays data from the API call to the user.