Administrators can configure PingFederate to support the OAuth grant types that applications require.
- Configure the authorization server settings. For more information, see Configuring authorization server settings.
- Define any number of optional common scopes and exclusive scopes, create scope groups from optional scopes as needed, and enter an optional description for the default scope in the window.
Create one or more access token management instances in the
You can also define the access token attribute contract for an access token management instance in this window.
Configure one or more entries to map attributes from authentication sources to the
- Authorization Code or Implicit
- Map attributes from an identity provider (IdP) adapter instance to the persistent grants in .
- Map attributes from an IdP connection to the persistent grants in .
- Create an authentication policy contract (APC) using the Policy Contracts window, define an authentication policy to map attributes from the authentication sources (IdP adapter instances, IdP connections, or both) to the APC, and map attributes from the APC to the persistent grants using the Authentication Policy Contract Grant Mapping
If you are using a combination of authentication policies, APCs, and APC mappings, you can skip the IdP Adapter Grant Mapping and OAuth Attribute Mapping configurations.
- Resource Owner Password Credentials
- Map attributes from a password credential validator instance to the persistent grants using the configuration wizard.
This is the first stage of the two-stage access token mapping process through the persistent grants.
Configure one or more entries to map attributes from the persistent grants (or the authentication sources directly) to the attribute contract of your access token management instances in the window. Additionally, you can configure a mapping for clients using the client credential grant type.
Note: This is the second stage of the two-stage access token mapping process through the persistent grants. For more information about the access token mapping process, see Mapping OAuth attributes.
- For the client-initiated backchannel authentication (CIBA) flow, configure one or more CIBA authenticator instances and then one or more CIBA request policies.
For the JSON web token (JWT) Bearer or SAML 2.0 Bearer assertion grant flow, configure a mapping in
This use case exchanges a JWT or a SAML assertion for an OAuth access token.
- Define one or more OpenID Connect policies using the window if you support OpenID Connect use cases.
- Create one or more OAuth clients in the Client window.
- Optional: Configure client settings and registration policies for dynamic client registration.
- Optional: Configure client session management settings.