Instead of the client authenticating directly to the API with its own credentials or the credentials of a user, OAuth enables the client to authenticate by presenting a previously obtained token. The token represents or contains a set of attributes, policies, or both appropriate to the client and the user. Using these tokens is more secure than using passwords directly on the API call. The API uses the attributes to authenticate the call and authorize access.

Participants

Client
Wants access to a resource protected by a resource server and interacts with an authorization server to obtain access tokens.
Resource server (RS)
Hosts and protects resources and makes them available to authenticated and authorized clients.
Authorization server (AS)
Issues access tokens and refresh tokens to clients on behalf of the resource servers.
Resource owner (RO)
Denies, grants, or revokes authorization to a client requesting access to resources protected by the resource servers.

Tokens

Access token
Allows clients to authenticate to a resource server and claim authorizations for accessing particular resources. Access tokens have specific authorization scope and duration.
Refresh token
Allows clients to obtain a fresh access token without re-obtaining authorization from the resource owner. A refresh token is a long-lived token that a client can trade in to an authorization server to obtain a new short-lived access token with the same attached authorizations as the existing access token.
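
The roles and tokens described above, as an added example that is not part of the original page and is not PingFederate code: a toy in-memory authorization server and resource server showing that an access token carries a scope and a lifetime, and that a refresh token yields a new access token with the same scope. The class and method names, the 300-second lifetime, and the use of opaque tokens that the resource server looks up at the authorization server are assumptions for illustration.

```python
import secrets
import time

class AuthorizationServer:
    """Toy in-memory AS (hypothetical): issues opaque access and refresh tokens."""
    ACCESS_TTL = 300  # seconds; assumed short access-token lifetime

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}   # access token -> (client_id, scope, expires_at)
        self.refresh = {}  # refresh token -> (client_id, scope)

    def _new_access(self, client_id, scope):
        token = secrets.token_urlsafe(32)
        self.access[token] = (client_id, scope, self.clock() + self.ACCESS_TTL)
        return token

    def grant(self, client_id, scope):
        """Called once the resource owner has approved `scope` for the client."""
        refresh = secrets.token_urlsafe(32)
        self.refresh[refresh] = (client_id, frozenset(scope))
        return self._new_access(client_id, frozenset(scope)), refresh

    def refresh_access(self, client_id, refresh_token):
        """Trade a refresh token for a new access token with the same scope."""
        entry = self.refresh.get(refresh_token)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        return self._new_access(client_id, entry[1])

    def revoke(self, refresh_token):
        """Resource owner revokes the grant: no further refreshes succeed."""
        self.refresh.pop(refresh_token, None)

    def introspect(self, access_token):
        """Return the token's scope if it is known and unexpired, else None."""
        entry = self.access.get(access_token)
        return entry[1] if entry and entry[2] > self.clock() else None

class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def handle(self, access_token, required_scope):
        """Authenticate the call via the token, then authorize by scope."""
        scope = self.auth_server.introspect(access_token)
        if scope is None:
            return 401  # missing, unknown or expired token
        return 200 if required_scope in scope else 403
```

In this sketch, revoking the refresh token leaves already-issued access tokens valid until they expire, which is why the access-token lifetime is kept short.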

PingFederate OAuth AS

Based on the Internet Engineering Task Force (IETF) OAuth 2.0 Authorization Framework, the OAuth AS in PingFederate supports several interaction models for different types of clients, such as servers, desktop applications, or mobile applications. Administrators can also enable Cross-Origin Resource Sharing (CORS) support for OAuth endpoints.