OAuth2 Developers Guide
OAuth2 Developers Guide
2.0
Developers
Guide
Ping
Identity,
Inc.
1001
17th
Street,
Suite
100,
Denver,
CO
80202
303.468.2900
OAuth
2.0
Developers
Guide
Table of Contents
Contents
TABLE OF CONTENTS ............................................................................................................................ 2
ABOUT THIS DOCUMENT ............................................................................................................................ 3
GETTING STARTED ................................................................................................................................. 4
1
OVERVIEW .......................................................................................................................................... 5
1.1
OAUTH 2.0 OVERVIEW ..................................................................................................................... 5
1.2
DEVELOPER CONSIDERATIONS ......................................................................................................... 5
1.2.1
Application Developer ............................................................................................................... 5
1.2.2
API Developer ........................................................................................................................... 6
APPLICATION DEVELOPER CONSIDERATIONS ............................................................................ 7
2
GET A TOKEN ..................................................................................................................................... 8
2.1
OAUTH 2.0 GRANT TYPES ................................................................................................................ 8
2.2
AUTHORIZATION CODE GRANT ........................................................................................................ 9
2.2.1
Client Configuration................................................................................................................ 10
2.2.2
Request authorization from user and retrieve authorization code .......................................... 10
2.2.3
Swap the authorization code for an access token.................................................................... 11
2.3
IMPLICIT GRANT ............................................................................................................................. 13
2.3.1
Client Configuration................................................................................................................ 14
2.3.2
Request authorization from user and retrieve access token .................................................... 14
2.4
RESOURCE OWNER PASSWORD CREDENTIALS (ROPC) ................................................................ 16
2.4.1
Client Configuration................................................................................................................ 16
2.4.2
Request user authentication and retrieve access token ........................................................... 17
2.5
CLIENT CREDENTIALS .................................................................................................................... 19
2.5.1
Client Configuration................................................................................................................ 19
2.5.2
Request access token ............................................................................................................... 20
2.6
EXTENSION GRANTS (I.E. SAML BEARER)..................................................................................... 21
2.6.1
Client Configuration................................................................................................................ 21
2.6.2
Request access token ............................................................................................................... 22
3
REFRESH A TOKEN ......................................................................................................................... 24
4
USE A TOKEN .................................................................................................................................... 26
API DEVELOPER CONSIDERATIONS ............................................................................................... 27
5
VALIDATE A TOKEN ....................................................................................................................... 28
5.1.1
Client Configuration................................................................................................................ 28
6
REFERENCES .................................................................................................................................... 31
2
OAuth
2.0
Developers
Guide
The
samples
described
in
this
document
use
the
OAuth2
Playground
sample
application
available
for
download
from
the
products
page
on
pingidentity.com.
Note:
This
document
explains
a
number
of
manual
processes
to
request
and
validate
the
OAuth
tokens.
While
the
interactions
are
simple,
PingFederate
is
compatible
with
many
3rd
party
OAuth
client
libraries
that
may
simplify
development
effort.
3
OAuth
2.0
Developers
Guide
Getting
Started
4
OAuth
2.0
Developers
Guide
1 Overview
Protected API
Resource Server
Client
The
OAuth
2.0
protocol
uses
a
number
of
actors
to
achieve
the
main
tasks
of
getting,
validating,
and
using
an
access
token.
These
will
be
described,
as
well
as
optional
steps
of
refreshing
this
access
token.
The
main
actors
involved
are:
Actor
Responsibility
User
or
Resource
Owner
The
actual
end
user,
responsible
for
authentication
and
to
provide
consent
to
share
their
resources
with
the
requesting
client.
User
Agent
The
users
browser.
Used
for
redirect-based
flows
where
the
user
must
authenticate
and
optionally
provide
consent
to
share
their
resources.
Client
The
client
application
that
is
requesting
an
access
token
on
behalf
of
the
end
user.
Authorization
Server
(AS)
The
PingFederate
server
that
authenticates
the
user
and/or
client,
issues
access
tokens
and
tracks
the
access
tokens
throughout
their
lifetime.
Resource
Server
(RS)
The
target
application
or
API
that
provides
the
requested
resources.
This
actor
will
validate
an
access
token
to
provide
authorization
for
the
action.
5
OAuth
2.0
Developers
Guide
There
are
three
main
actions
an
application
developer
needs
to
handle
to
implement
OAuth
2.0:
1. Get
an
access
token
2. Use
an
access
token
3. Refresh
an
access
token
(optional)
Note:
In
some
cases
the
API
Developer
may
be
using
a
service
bus
or
authorization
gateway
to
manage
access
to
APIs,
and
therefore
the
task
of
validating
the
access
token
would
be
shifted
to
this
infrastructure.
6
OAuth
2.0
Developers
Guide
7
OAuth
2.0
Developers
Guide
2 Get
a
token
This
section
will
explain
how
to
get
an
OAuth2
access
token
(and
optionally
a
refresh
token)
from
the
PingFederate
infrastructure.
8
OAuth
2.0
Developers
Guide
Authorization Server
User
2
Protected API
Resource Server
Client
Capability
Browser-based
end
user
interaction
Yes
Can
use
external
IDP
for
authentication
Yes
Requires
client
authentication
No*
Requires
client
to
have
knowledge
of
user
credentials
No
Refresh
token
allowed
Yes
Access
token
is
in
context
of
end
user
Yes
Note:
Although
the
authorization
code
grant
type
does
not
require
a
client
secret
value,
there
are
security
implications
to
exchanging
a
code
for
an
access
token
without
client
authentication.
9
OAuth
2.0
Developers
Guide
10
OAuth
2.0
Developers
Guide
sample://oauth2/code/cb?code=XYZ123
Note:
If
the
authorization
request
also
included
a
state
value,
this
will
also
be
included
on
this
callback.
Note:
An
error
condition
from
the
authentication
/
authorization
process
will
be
returned
to
this
callback
URI
with
error
and
error_description
parameters.
The
client
will
then
extract
the
code
value
from
the
response
and,
optionally,
verify
that
the
state
value
matches
the
value
provided
in
the
authorization
request.
11
OAuth
2.0
Developers
Guide
HTTP
Response
HTTP/1.1 200 OK
Headers
Content-Type: application/json;charset=UTF-8
Body
{
"access_token":"zzzyyy",
"token_type":"Bearer",
"expires_in":14400,
"refresh_token":"123789"
}
The
application
can
now
parse
the
access
token
and,
if
present,
the
refresh
token
to
use
for
authorization
to
resources.
If
a
refresh
token
was
returned,
it
can
be
used
to
refresh
access
token
once
it
expires.
12
OAuth
2.0
Developers
Guide
Authorization Server
User
2
Protected API
Resource Server
Client
This
grant
type
is
suitable
for
clients
that
are
unable
to
keep
a
secret
(i.e.
client-side
applications
like
JavaScript).
The
client
is
mapped
to
the
authorization
server
via
the
redirect_uri,
as
there
is
no
client
secret
to
authenticate
the
client,
the
access
token
will
be
sent
to
a
specific
URL
pre-negotiated
between
the
client
and
the
authorization
server.
As
the
access
token
is
provided
to
the
client
in
the
request
URI,
it
is
inherently
less
secure
than
the
authorization
code
grant
type.
For
this
reason,
an
implicit
grant
type
cannot
take
advantage
of
refresh
tokens.
Only
access
tokens
can
be
provided
via
this
grant
type.
13
OAuth
2.0
Developers
Guide
Capability
Browser-based
end
user
interaction
Yes
Can
use
external
IDP
for
authentication
Yes
Requires
client
authentication
No
Requires
client
to
have
knowledge
of
user
credentials
No
Refresh
token
allowed
No
Access
token
is
in
context
of
end
user
Yes
14
OAuth
2.0
Developers
Guide
This
will
initiate
an
authentication
process
using
the
browser
(user
agent).
Once
the
user
has
authenticated
and
approved
the
authorization
request,
they
will
be
redirected
to
the
configured
URI
with
the
access
token
included
as
a
fragment
of
the
URL.
A
refresh
token
will
NOT
be
returned
to
the
client:
sample://oauth2/implicit/cb#
access_token=zzz...yyy&
token_type=bearer&
expires_in=14400
Note:
For
mobile
scenarios,
the
redirect_uri
may
be
a
custom
URL
scheme,
which
will
cause
the
access
token
to
be
returned
to
the
native
application.
Note:
The
implicit
response
is
returned
via
a
URL
fragment.
The
fragment
is
only
visible
from
client-side
code.
Therefore
if
you
need
to
parse
the
values
from
server-side
code,
you
must
post
the
values
to
the
server
for
parsing.
The
application
can
now
parse
the
access
token
from
the
URL
fragment
to
use
for
authorization
to
APIs.
15
OAuth
2.0
Developers
Guide
Authorization Server
User
1
Protected API
Resource Server
Client
Capability
Browser-based
end
user
interaction
No
Can
use
external
IDP
for
authentication
No
Requires
client
authentication
No
Requires
client
to
have
knowledge
of
user
credentials
Yes
Refresh
token
allowed
Yes
Access
token
is
in
context
of
end
user
Yes
16
OAuth
2.0
Developers
Guide
17
OAuth
2.0
Developers
Guide
HTTP
Response
HTTP/1.1 200 OK
Headers
Content-Type: application/json;charset=UTF-8
Body
{
"access_token":"zzzyyy",
"token_type":"Bearer",
"expires_in":14400,
"refresh_token":"123789"
}
Note:
An
error
condition
from
the
authentication
/
authorization
process
will
be
returned
to
this
callback
URI
with
error
and
error_description
parameters.
The
application
can
now
parse
the
access
token
and,
if
present,
the
refresh
token
to
use
for
authorization
to
resources.
If
a
refresh
token
was
returned,
it
can
be
used
to
refresh
the
access
token
once
it
expires.
18
OAuth
2.0
Developers
Guide
Authorization Server
User
Protected API
Resource Server
Client
Capability
Browser-based
end
user
interaction
No
Can
use
external
IDP
for
authentication
No
Requires
client
authentication
Yes
Requires
client
to
have
knowledge
of
user
credentials
No
Refresh
token
allowed
No
Access
token
is
in
context
of
end
user
No
19
OAuth
2.0
Developers
Guide
Body
{
"access_token":"zzzyyy",
"token_type":"Bearer",
"expires_in":14400,
}
20
OAuth
2.0
Developers
Guide
Authorization Server
User
1
Protected API
Resource Server
Client
Capability
Browser-based
end
user
interaction
No*1
Can
use
external
IDP
for
authentication
Yes*2
Requires
client
authentication
No
Requires
client
to
have
knowledge
of
user
credentials
No
Refresh
token
allowed
No
Access
token
is
in
context
of
end
user
Maybe*3
*1
Although
the
grant
type
doesnt
allow
for
user
interaction,
the
process
to
generate
the
SAML
assertion
used
in
this
flow
can
involve
user
interaction.
*2
As
long
as
the
PingFederate
AS
is
able
to
verify
the
SAML
assertion,
this
assertion
can
be
generated
from
a
foreign
STS.
*3
Access
token
will
be
in
the
context
of
the
subject
of
the
SAML
assertion,
which
may
be
an
end-user
a
service
or
the
client
itself.
21
OAuth
2.0
Developers
Guide
22
OAuth
2.0
Developers
Guide
HTTP
Response
HTTP/1.1 200 OK
Headers
Content-Type: application/json;charset=UTF-8
Body
{
"access_token":"zzzyyy",
"token_type":"Bearer",
"expires_in":14400,
}
23
OAuth
2.0
Developers
Guide
3 Refresh
a
token
If
a
refresh
token
was
requested
along
with
the
access
token,
then
the
refresh
token
can
be
used
to
request
a
new
access
token
without
having
to
ask
the
user
to
re-authenticate.
If
the
refresh
token
is
still
valid,
then
a
new
access
token
and
refresh
token
will
be
returned
to
the
client.
If
the
refresh
token
has
been
invalidated
for
any
reason,
then
the
client
must
require
the
user
to
re-
authenticate
to
retrieve
a
new
access
token.
The
reasons
for
refresh
tokens
becoming
invalid
are:
Refresh
token
has
expired;
Refresh
token
has
been
administratively
revoked
(separation
/
security
reasons);
User
has
explicitly
revoked
the
refresh
token
To
refresh
a
token,
the
access
token
must
have
been
requested
with
a
grant
type
that
supports
refresh
tokens
(authorization
code
or
resource
owner
password
credentials).
A
request
will
then
be
made
to
the
token
endpoint
with
the
grant_type
parameter
set
to
refresh_token.
Note:
A
new
access
token
can
be
requested
with
a
scope
of
equal
or
lesser
value
than
the
original
access
token
request.
Refreshing
an
access
token
with
additional
scopes
will
return
an
error.
If
the
scope
parameter
is
omitted,
then
access
token
will
be
valid
for
the
original
request
scope.
For
this
example,
the
authorization
code
client
from
above
will
be
used
to
refresh
the
token
Admin
Label
OAuth2
Parameter
Example
Value
Client
ID
client_id
ac_client
Client
Authentication
client_password
2Federate
Allowed
Grant
Types
response_type
Authorization
Code
grant_type
response_type
of
code
grant_type
of
authorization_code
Refresh
Token
Redirect
URIs
redirect_uri
sample://oauth2/code/cb
Scope
Settings
(in
AS
scope
edit
settings)
/
Restrict
Scopes
Refresh
Token
refresh_token
123...789
The
following
request
is
made
by
the
client:
24
OAuth
2.0
Developers
Guide
HTTP
Request
POST https://localhost:9031/as/token.oauth2 HTTP/1.1
Headers
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWNfY2xpZW50OjJGZWRlcmF0ZQ==
Body
grant_type=refresh_token&refresh_token=123789
Note:
A
token
can
only
be
refreshed
with
the
same
or
a
lesser
scope
than
the
original
token
issued.
If
the
token
is
being
refreshed
with
the
same
scope
as
the
original
request,
the
scope
parameter
can
be
omitted.
If
a
greater
scope
is
required,
the
client
must
re-
authenticate
the
user.
A
successful
response
to
this
message
will
result
in
a
200
OK
HTTP
response
and
the
following
JSON
structure
in
the
body
of
the
response:
HTTP
Response
HTTP/1.1 200 OK
Headers
Content-Type: application/json;charset=UTF-8
Body
{
"access_token":"aaaccc",
"token_type":"Bearer",
"expires_in":14400,
"refresh_token":"456321"
}
Note:
Depending
on
the
PingFederate
configuration,
the
client
could
be
configured
to
roll
the
refresh
token
returned
from
a
refresh
token
request.
i.e.
a
new
refresh
token
is
returned
and
the
original
refresh
token
is
invalidated.
25
OAuth
2.0
Developers
Guide
2
Authorization Server
User 1
Protected API
Resource Server
Client
For
example,
to
enact
a
GET
request
on
a
REST
web
service,
given
an
access
token
AAA...ZZZ,
the
client
makes
the
following
HTTP
request:
HTTP
Request
GET https://api.company.com/user HTTP/1.1
Headers
Authorization: Bearer AAA...ZZZ
Body
<N/A>
This
will
provide
the
access
token
to
the
resource
server,
which
can
then
validate
the
token,
verify
the
scope
or
the
request,
the
identity
of
the
resource
owner
and
the
client
and
perform
the
appropriate
action
if
authorized.
26
OAuth
2.0
Developers
Guide
27
OAuth
2.0
Developers
Guide
5 Validate
a
token
For
an
API
developer
to
integrate
with
OAuth
2.0,
the
resource
must
accept
and
validate
the
OAuth
2.0
access
token
(step
1
below).
Once
the
token
has
been
received,
the
resource
can
then
validate
the
access
token
against
the
PingFederate
authorization
server
(step
2).
The
response
from
the
access
token
validation
will
include
attributes
that
the
resource
can
use
for
authorization
decisions.
2
Authorization Server
User 1
Protected API
Resource Server
Client
Note:
This
section
will
demonstrate
the
manual
method
of
validating
an
access
token
through
code.
This
effort
could
also
be
handled
by
an
API
gateway
/
service
bus
architecture.
Note:
The
OAuth
2.0
specifications
do
not
define
a
standard
mechanism
for
access
token
validation.
The
process
described
in
this
section
is
specific
to
a
PingFederate
implementation.
28
OAuth
2.0
Developers
Guide
The
API
first
needs
to
receive
the
access
token
from
the
client;
this
process
will
involve
parsing
the
token
via
a
process
defined
in
RFC6750.
See
section
4
Use
an
access
token
above.
A
request
from
a
client
would
look
similar
to
the
following:
HTTP
Request
GET https://api.company.com/user HTTP/1.1
Headers
Authorization: Bearer AAA...ZZZ
Body
<N/A>
In
order
to
fulfill
the
request,
the
API
first
extracts
the
access
token
from
the
authorization
header,
then
queries
the
token
endpoint
of
the
PingFederate
AS
to
validate
the
token:
HTTP
Request
POST https://localhost:9031/as/token.oauth2 HTTP/1.1
Headers
Content-Type: application/x-www-form-urlencoded
Authorization: Basic cnNfY2xpZW50OjJGZWRlcmF0ZQ==
Body
grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&token=AAA..
.ZZZ
A
successful
response
to
this
message
will
result
in
a
200
OK
HTTP
response
and
a
JSON
structure
in
the
body
of
the
response
similar
to
the
following:
HTTP
Response
HTTP/1.1 200 OK
Headers
Content-Type: application/json;charset=UTF-8
Body
{
"access_token": { "role":all_access },
"token_type":"Bearer",
"expires_in":14400,
"scope":"edit",
"client_id":"ac_client"
}
29
OAuth
2.0
Developers
Guide
The
resource
server
can
then
use
this
information
to
make
an
authorization
decision
and
allow
or
deny
the
web
request.
30
OAuth
2.0
Developers
Guide
6 References
OAuth2
specifications
&
information
http://oauth.net/2
PingFederate
Admin
Guide
http://documentation.pingidentity.com/display/LP/Product+Documentation
Ping
Identity
Products
and
Downloads
https://www.pingidentity.com/support-and-downloads/
31