To obtain an access token, a client interacts with an OAuth authorization server (AS), sending a request for an access token that includes an access grant. An access grant is also used when a resource server (RS) requests validation of an access token from the AS.
Primary grant types
OAuth defines several different access grant types. Each grant type reflects a different authorization mechanism.
- Authorization code: authorization_code
- Resource owner password credentials: password
- Refresh token: refresh_token
- Implicit: implicit
- Client credentials: client_credentials
Extension grant types
OAuth provides an extension mechanism for defining new extension grant types to support additional clients or to provide a bridge between OAuth and other trust frameworks. An OAuth client uses an extension grant type by specifying an absolute URI as the value of the grant_type parameter and by adding any additional parameters necessary when contacting the token endpoint at /as/token.oauth2.
PingFederate supports the following extension grant types:
- Assertion grants
  - JWT Bearer: urn:ietf:params:oauth:grant-type:jwt-bearer
  - SAML 2.0 Bearer: urn:ietf:params:oauth:grant-type:saml2-bearer
- Client-initiated backchannel authentication (CIBA) grant: urn:openid:params:grant-type:ciba
- Device authorization grant: urn:ietf:params:oauth:grant-type:device_code
- Token exchange grant: urn:ietf:params:oauth:grant-type:token-exchange
- Validation grant: urn:pingidentity.com:oauth2:grant_type:validate_bearer
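The following added example (not PingFederate code) shows how an extension grant URI is carried in a form-encoded token request, and how a gateway or log audit could check a request body against the grant types listed above. The function names are hypothetical, the required-parameter sets come from each grant's specification rather than from this page, and the `token` parameter for the validation grant is an assumption.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# grant_type value -> parameters its specification requires at the token
# endpoint (from the RFCs / CIBA spec, not from this page). "implicit" is
# absent: implicit-flow tokens come from the authorization endpoint.
PRIMARY = {
    "authorization_code": {"code"},
    "password": {"username", "password"},
    "refresh_token": {"refresh_token"},
    "client_credentials": set(),
}
EXTENSION = {
    "urn:ietf:params:oauth:grant-type:jwt-bearer": {"assertion"},
    "urn:ietf:params:oauth:grant-type:saml2-bearer": {"assertion"},
    "urn:openid:params:grant-type:ciba": {"auth_req_id"},
    "urn:ietf:params:oauth:grant-type:device_code": {"device_code"},
    "urn:ietf:params:oauth:grant-type:token-exchange":
        {"subject_token", "subject_token_type"},
    # Assumption: the validation grant carries the token in "token".
    "urn:pingidentity.com:oauth2:grant_type:validate_bearer": {"token"},
}


def build_token_request(grant_type, **extra):
    """Form-encode a token request body; the URI's ':' becomes %3A."""
    return urlencode({"grant_type": grant_type, **extra})


def check_token_request(body):
    """Return the problems found in a form-encoded token request body."""
    params = parse_qs(body, keep_blank_values=True)
    # RFC 6749 section 3.2: parameters must not appear more than once.
    problems = [f"duplicate parameter: {k}" for k, v in params.items() if len(v) > 1]
    grant = params.get("grant_type", [""])[0]
    if not grant:
        return problems + ["missing grant_type"]
    known = {**PRIMARY, **EXTENSION}
    if grant not in known:
        # An absolute URI has a scheme; anything else is not a grant name.
        kind = "unsupported extension grant" if urlsplit(grant).scheme else "unknown grant_type"
        return problems + [f"{kind}: {grant}"]
    missing = [p for p in sorted(known[grant]) if not params.get(p, [""])[0]]
    return problems + [f"missing parameter: {p}" for p in missing]


if __name__ == "__main__":
    # Constructed sample: a JWT Bearer request that omits its assertion.
    print(check_token_request(build_token_request("urn:ietf:params:oauth:grant-type:jwt-bearer")))
```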