The OAuth settings enable you to configure the access token and any refresh tokens issued for your OpenID Connect (OIDC) applications when requesting user authorization.
PingOne for Enterprise supports the OAuth authorization code, refresh token, implicit, and hybrid (both code and implicit) grant types. PingOne for Enterprise issues an OAuth access token for an application only when token is one of the response_type values specified in the application's authorization request.
When PingOne for Enterprise issues an access token, it contains attributes required by the OIDC specification and any other attributes you assign for the OAuth attributes contract.
As part of the authorization request, PingOne for Enterprise requires the scopes (permissible user resources) you assign when authorizing users.
You can also specify attribute mappings (OAuth claims to identity repository attributes) both at the account level and at the application level. The account-level settings can be overridden when you configure the attribute mapping at the application level (when you are adding the OIDC application).
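As an added example that is not part of the PingOne documentation, the following Python checks an authorization request against the rules described above: which flow its response_type requests, whether an access token is returned directly from the authorization response (only when token is among the response_type values), and which requested scopes are not among those you assigned. The endpoint URL and the assigned scope set are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# response_type values used by the code, implicit and hybrid grant types.
# The refresh token grant is a token-endpoint grant and has no response_type.
KNOWN_RESPONSE_TYPES = {"code", "token", "id_token"}


def classify_response_type(response_type: str) -> dict:
    """Split a space-separated response_type into its values and decide which
    flow is requested and whether an access token is issued from the
    authorization response."""
    parts = set(response_type.split())
    if not parts or parts - KNOWN_RESPONSE_TYPES:
        raise ValueError(f"unsupported response_type: {response_type!r}")
    has_code = "code" in parts
    has_implicit = bool(parts & {"token", "id_token"})
    if has_code and has_implicit:
        flow = "hybrid"            # code plus implicit
    elif has_code:
        flow = "authorization_code"
    else:
        flow = "implicit"
    return {
        "flow": flow,
        # An access token comes back with the authorization response only
        # when "token" is one of the response_type values.
        "access_token_from_authz": "token" in parts,
        "values": sorted(parts),
    }


def inspect_authorization_request(url: str, assigned_scopes: set) -> dict:
    """Inspect an authorization request URL: classify its response_type and
    list requested scopes that were not assigned to the application."""
    query = parse_qs(urlparse(url).query)
    result = classify_response_type(query.get("response_type", [""])[0])
    requested = set(query.get("scope", [""])[0].split())
    result["openid_requested"] = "openid" in requested
    result["unassigned_scopes"] = sorted(requested - assigned_scopes)
    return result


if __name__ == "__main__":
    # Constructed sample request; the host and path are placeholders.
    sample = ("https://authz.example.invalid/as/authorization.oauth2"
              "?response_type=code%20token&scope=openid%20profile%20email")
    print(inspect_authorization_request(sample, {"openid", "profile"}))
```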
For implicit grant types, PingOne for Enterprise issues an OAuth access token specifying the attribute contracts that your OIDC applications use to request user authorization. The OAuth access token settings govern how the access token is issued, such as whether it's signed or encrypted. The issued access token is used in your application's authorization requests to PingOne for Enterprise.
Additionally, all authorization requests include the user scopes (permissible user resources) you assign here. The scopes are granted after the user is authenticated. You can also specify any attribute mappings that you want to be inherited by OIDC applications. Optionally, you can assign trusted origins for Cross-Origin Resource Sharing (CORS).
For managed accounts, the OAuth settings apply only to your managed applications, not to applications supplied by a service provider (SP).