After you add or update an OIDC application, you need to integrate it with PingOne for Enterprise.
After adding an OIDC application, you need to integrate the application with PingOne for Enterprise, which will act as the OAuth provider (OP) for your application. Your application then needs to request authorization from the PingOne for Enterprise OAuth authorization endpoint when users attempt to single sign-on (SSO) to the application.
See the OpenID Connect Core 1.0 specification for reference when integrating the application.
PingOne for Enterprise returns OIDC user attributes in different ways depending on the response_type parameter.
The contents of the ID token depend on whether or not the application also returns an access token (if the response_type includes token).
If an access token is returned, the application returns an ID token containing the sub and, if requested, email scopes. The userinfo endpoint contains all of the attributes for the requested scopes, as well as any attributes configured on the User Info tab for the application, if the openid scope was requested.
If an access token is not returned, the ID token contains all of the attributes for the requested scopes, as well as any attributes configured on the User Info tab for the application, if the openid scope was requested. The userinfo endpoint is inaccessible in this case because no access token is issued.
The access token contains attributes configured at . For more information, see Configuring your OAuth settings.
The authorization request flow depends on the grant type you have selected for the application. The grant type can be Authorization code, Implicit, or a hybrid (both code and implicit).
For more information, see OIDC application grant types.
Code grant type
For any grant type, the application needs to send the authorization request to the PingOne for Enterprise authorization endpoint returned by the Discovery URL (https://sso.connect.pingidentity.com/sso/as/authorization.oauth2).
PingOne for Enterprise validates the redirect_uri parameter against the list of redirect URIs specified in the application's configuration. You can find these URIs in the Authentication Flow section on the application summary page. If the redirect_uri is valid, PingOne for Enterprise sends the response to the specified redirect URI.
If your application uses an authorization code grant type, PingOne for Enterprise uses the following process to complete the authorization request:
- The application sends an authorization request for a code grant type.
Here is an example of an authorization request URI:
https://sso.connect.pingidentity.com/sso/as/authorization.oauth2?client_id=5f65fdde-44e2-4d1c-be2b-41d5e0d6b903&response_type=code&redirect_uri=https://localhost&scope=openid
The following table describes the parameters that make up the authorization request URI.
| Parameter | Description |
| --- | --- |
| client_id | Your client ID, assigned by PingOne for Enterprise. You can find this value on the Details tab. |
| scope | The user resources that can be accessed by the application. The openid scope is expected to be specified, either as the sole scope value or as one of the scope values. |
| response_type | This must be code. An authorization code is then returned in the response. |
| code_challenge | This PKCE parameter is either plain text or a cryptographic hash of a random string. The random string or plain text must be the code_verifier value that you will include in the subsequent token request. Note: Use PKCE only when you aren't using a client secret (that is, when you aren't including client_secret in the token request). For more information, see OAuth 2.0 RFC 7636. |
| code_challenge_method | This PKCE parameter is required only when code_challenge is specified. This can be either plain (when the code_challenge value is plain text) or S256 (when the code_challenge value is a SHA-256 cryptographic hash). Note: When you subsequently include the code_verifier value in the token request, the code_challenge value and the code_verifier value must match. For more information, see OAuth 2.0 RFC 7636. |
- The PingOne for Enterprise authorization endpoint returns the authorization code to the application. The HTTPS response will be similar to this:
https://localhost/?code=I0YAW2EWll_V8xH4m6b7IJ3WWD1wNZ5BnvkCQw7gknp4z2gQkHCM66AHsbCLA7
- The application uses the authorization code returned in the response to request an access token and ID token from the PingOne for Enterprise token endpoint, https://sso.connect.pingidentity.com/sso/as/token.oauth2.
Here is an example request using cURL:
curl -X POST -H "Accept: application/json" -d 'client_id=cdd237bb-3404-4ad4-90eb-d2e2528xxxxx&client_secret=CpquMknCg9An9Up1Ys2mnVEdKkCDaxtJcJG4adFPBDnPU6SBp7VNGUhyTmaJXXmpR&grant_type=authorization_code&code=ID5d7d1770409374639980ce161952fda57b21db562ff8320b020000016543fxxxxx&redirect_uri=https://example.com' https://sso.connect.pingidentity.com/sso/as/token.oauth2
Because the authorization request did not include PKCE parameters, the token request must use the client secret value assigned when the application was added to PingOne for Enterprise. You can find the assigned client secret in the Details tab.
- The application validates the id_token returned. For more information, see the OpenID Connect Core 1.0 specifications.
- The application can also optionally validate the token or access token returned.
Use the PingOne for Enterprise introspection endpoint returned by the Discovery URL, https://sso.connect.pingidentity.com/sso/as/introspect.oauth2, to validate the access token. For access tokens that are signed rather than encrypted, you can also use the JWKS URI returned by the Discovery URL, https://sso.connect.pingidentity.com/sso/as/jwks.
Note: You can see your access token settings at . For more information, see Configuring your OAuth settings.
Implicit grant type
For any grant type, the application needs to send the authorization request to the PingOne for Enterprise authorization endpoint returned by the Discovery URL (https://sso.connect.pingidentity.com/sso/as/authorization.oauth2).
PingOne for Enterprise validates the redirect_uri parameter against the list of redirect URIs specified in the application's configuration. You can find these URIs in the Authentication Flow section on the application summary page. If the redirect_uri is valid, PingOne for Enterprise sends the response to the specified redirect URI.
If your application uses an implicit grant type, PingOne for Enterprise uses the following process to complete the authorization request:
- The application sends an authorization request for an implicit grant type.
Here is an example of an authorization request URI:
https://sso.connect.pingidentity.com/sso/as/authorization.oauth2?client_id=5f65fdde-44e2-4d1c-be2b-41d5e0d6b903&response_type=token id_token&redirect_uri=https://localhost&scope=openid&nonce=123
The following table describes the parameters that make up the authorization request URI.
| Parameter | Description |
| --- | --- |
| client_id | Your client ID, assigned by PingOne for Enterprise. You can find this value on the Details tab. |
| scope | The user resources that can be accessed by the application. The openid scope is expected to be specified, either as the sole scope value or as one of the scope values. Note: When openid is not specified and the response_type value indicates id_token, an id_token is not returned. |
| response_type | This can be either id_token, token (access token), or both. The token or tokens specified are returned in the response. |
| nonce | This is used to securely associate client_id with id_token. For more information, see OpenID Connect Core 1.0 Nonce Implementation Notes. |
- The PingOne for Enterprise authorization endpoint returns the response_type value to the application.
If you included id_token and token in the authorization request, as in the example, an access token is returned with the id_token value in the response.
The HTTPS response will be similar to this:
https://localhost/#access_token=<access token>&token_type=Bearer&id_token=<ID token>
- If an id_token was included in the authorization request, the application validates the id_token returned.
For more information, see the OpenID Connect Core 1.0 specifications.
- The application can also optionally validate the token (access token) returned.
Use the PingOne for Enterprise introspection endpoint returned by the Discovery URL, https://sso.connect.pingidentity.com/sso/as/introspect.oauth2, to validate the access token. For access tokens that are signed rather than encrypted, you can also use the JWKS URI returned by the Discovery URL, https://sso.connect.pingidentity.com/sso/as/jwks.
Note: You can see your access token settings at . For more information, see Configuring your OAuth settings.
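An added Python example (not Ping Identity's code) of the checks behind the id_token validation step for a fragment response: issuer, audience, expiry, the nonce sent in the request, and at_hash against the returned access token. It assumes an RS256-signed ID token whose signature a JOSE library has already verified against the JWKS URI; the function names, the issuer value and the sample redirect are constructed for illustration.

```python
import base64
import hashlib
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the redirect the browser lands on (token values are fake).
SAMPLE_REDIRECT = ("https://localhost/#access_token=constructed-access-token"
                   "&token_type=Bearer&id_token=header.payload.signature")


def parse_fragment_response(redirect_url: str) -> dict:
    """Return the parameters carried after '#' on the redirect URI."""
    frag = parse_qs(urlsplit(redirect_url).fragment, strict_parsing=True)
    return {name: values[0] for name, values in frag.items()}


def at_hash(access_token: str) -> str:
    """OIDC Core at_hash for RS256: base64url of the left half of SHA-256(token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    left = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left).rstrip(b"=").decode("ascii")


def check_id_token_claims(claims: dict, *, issuer: str, client_id: str, nonce: str,
                          access_token: str = None, now: float = None,
                          leeway: int = 60) -> list:
    """Check claims from a signature-verified ID token; an empty list means accept."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud does not contain client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        errors.append("token expired or exp missing")
    # The nonce must be the one this session sent in the authorization request.
    if not nonce or claims.get("nonce") != nonce:
        errors.append("nonce mismatch")
    # When an access token came back with the ID token, bind the two together.
    if access_token is not None and claims.get("at_hash") != at_hash(access_token):
        errors.append("at_hash mismatch")
    return errors
```

Generate the nonce per request from a random source and store it in the user's session; a fixed value such as the 123 in the sample URI gives no replay protection.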
Hybrid grant type
For any grant type, the application needs to send the authorization request to the PingOne for Enterprise authorization endpoint returned by the Discovery URL (https://sso.connect.pingidentity.com/sso/as/authorization.oauth2).
PingOne for Enterprise validates the redirect_uri parameter against the list of redirect URIs specified in the application's configuration. You can find these URIs in the Authentication Flow section on the application summary page. If the redirect_uri is valid, PingOne for Enterprise sends the response to the specified redirect URI.
If your application uses both code and implicit grant types, PingOne for Enterprise uses the following process to complete the authorization request:
- Your application sends an authorization request for a hybrid grant type. Here's an example of an authorization request URI:
https://sso.connect.pingidentity.com/sso/as/authorization.oauth2?client_id=5f65fdde-44e2-4d1c-be2b-41d5e0d6b903&response_type=code token id_token&redirect_uri=https://localhost&scope=openid&nonce=123
The following table describes the parameters contained in the authorization request URI.
| Parameter | Description |
| --- | --- |
| client_id | Your client ID, assigned by PingOne for Enterprise. You can find this value on the Details tab. |
| scope | The user resources that can be accessed by the application. The openid scope is expected to be specified, either as the sole scope value or as one of the scope values. Note: When openid is not specified and the response_type value indicates id_token, an id_token is not returned. |
| response_type | This can be any or all of the following: code, id_token (as in the above example), token (access token). The specified tokens are returned in the response along with the authorization code. |
| nonce | Required when id_token is included in response_type. It is used to securely associate client_id with id_token. For more information, see OpenID Connect Core 1.0 Nonce Implementation Notes. |
| code_challenge | This PKCE parameter is either plain text or a cryptographic hash of a random string. The random string or the plain text must be the code_verifier value that you will include in the subsequent token request. Note: Use PKCE only when you aren't using a client secret (that is, when you aren't including client_secret in the token request). |
| code_challenge_method | This PKCE parameter is required only when code_challenge is specified. This can be either plain (when the code_challenge value is plain text) or S256 (when the code_challenge value is a SHA-256 cryptographic hash). Note: When you subsequently include the code_verifier value in the token request, the code_challenge value and the code_verifier value must match. |
- The PingOne for Enterprise authorization endpoint returns the response_type value or values to the application. If you included code, id_token, and token in the authorization request, as in the example, an authorization code, access_token, and id_token are all returned in the response.
The HTTPS response will be similar to this (using the fragment response method):
https://localhost/#code=I09HefT4OVGqJl1r-HrycCWsIG-rTNBN4BC_P_AyGsw0bEeTdintMtGjWMBfxL&access_token=<access token>&token_type=Bearer&id_token=<ID token>
- If an id_token was included in the authorization request, the application validates the id_token returned.
For more information, see the OpenID Connect Core 1.0 specifications.
- If a token (access token) was included in the authorization request, the application can also optionally validate the access token returned.
Use the PingOne for Enterprise introspection endpoint returned by the Discovery URL, https://sso.connect.pingidentity.com/sso/as/introspect.oauth2, to validate the access token. For access tokens that are signed rather than encrypted, you can also use the JWKS URI returned by the Discovery URL, https://sso.connect.pingidentity.com/sso/as/jwks.
Note: You can see your access token settings at . For more information, see Configuring your OAuth settings.