OAuth 2 and OpenID Connect (OIDC) define the authorization grant types by which a client application obtains an authorization grant in the form of an access token.
PingOne supports the following grant types:
- Authorization code
  - This grant type is used by web applications. The authorization request generates an authorization code that is exchanged for an access token. An authorization code expires after 10 minutes.
- Implicit
  - This grant type is intended for use by mobile applications or client-side web applications with no server-side component. The implicit grant type is for applications that cannot guarantee the confidentiality of the client secret.
- Client credentials
  - A request with this grant type is made directly to the token endpoint and is used to request an access token for either:
    - Resources owned by the application rather than a user.
    - Resources belonging to multiple end users.
- Device authorization
  - This grant type allows a user to grant authorization to the device client using a browser on a second device, such as a smartphone or computer. The device authorization grant type is typically used to access a protected resource through a device that lacks a browser or has limited user input capabilities, such as a smart TV or appliance.
- Refresh token
  - This grant type is used by applications to exchange a refresh token for a new access token when the current access token has expired. It gives applications the ability to acquire a valid access token without additional user interaction. To obtain a refresh token along with an access token, the client must be configured with the refresh_token grant type and either the authorization_code grant type or the device_authorization grant type.
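
The following is an added example, not PingOne code: it builds the token endpoint request body for each grant type that uses the token endpoint and checks the refresh token configuration rule described above. The function names are hypothetical, the `grant_type` wire values are the ones defined in RFC 6749 and RFC 8628 (assumed, since this page does not list them), and all codes and URLs are constructed samples.

```python
from urllib.parse import urlencode

# grant_type values sent to the token endpoint (RFC 6749, RFC 8628).
DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"

# Parameter each grant must carry in addition to grant_type.
# Client authentication (for example HTTP Basic) is sent separately.
REQUIRED = {
    "authorization_code": "code",
    "client_credentials": None,
    DEVICE_CODE: "device_code",
    "refresh_token": "refresh_token",
}


def token_request_body(grant_type, **params):
    """Build the form-encoded body of a token endpoint POST."""
    if grant_type == "implicit":
        # Implicit returns the token from the authorization endpoint,
        # so there is no token endpoint request to build.
        raise ValueError("implicit grant does not use the token endpoint")
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    needed = REQUIRED[grant_type]
    if needed and not params.get(needed):
        raise ValueError(f"{grant_type} requires '{needed}'")
    return urlencode({"grant_type": grant_type, **params})


def refresh_token_issuable(configured_grants):
    """Apply the rule stated above: the client needs refresh_token plus
    authorization_code or device_authorization to receive a refresh token."""
    grants = set(configured_grants)
    interactive = {"authorization_code", "device_authorization"}
    return "refresh_token" in grants and bool(grants & interactive)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(token_request_body("authorization_code", code="abc123",
                             redirect_uri="https://app.example/callback"))
    print(token_request_body(DEVICE_CODE, device_code="dev-constructed"))
    print(refresh_token_issuable(["client_credentials", "refresh_token"]))
```

A client configured with only client_credentials and refresh_token fails the check, which matches the requirement that refresh tokens accompany a user-driven grant.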