The PingOne Authentication API provides services to query the authorization server, run authentication workflows, and obtain access tokens. An authentication workflow can include local authentication actions (login), multi-factor authentication actions, and other external actions. The Authentication API includes the flow orchestration and action services needed to configure an authentication workflow.

The authorization service allows a resource owner (you) to share protected resources with a client (an application) without giving the application your password or unrestricted access to your data. Instead, the resource owner authenticates to an authorization server (PingOne), which verifies your credentials and issues an access token to the client. The client presents the token to access only the protected resources on a resource server that you have granted, as specified by the scopes (permissions) carried in the token.

The flow service provides the authentication actions to complete the checks needed to confirm that it’s you. For example, if the authentication flow requires a username/password check (a login action) and a one-time passcode check (an MFA action), then both actions must be completed successfully before the authorization server can issue an access token.

A typical flow starts with a request to the PingOne authorization server. The authorization server starts an authentication flow and returns a flow ID that identifies it. The flow service then runs the required actions; when the flow completes, the session is passed back to the authorization service, which issues the access token. The diagram below shows the steps.

Authorize and flow services
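The sequence above, written out as the requests a client actually sends. This is an added example, not code from PingOne or from this page: it builds each request offline (no network calls) so the exchange can be read end to end. The environment ID, client ID, and redirect URI are placeholders; the `/as/authorize`, `/flows/{flowId}`, `/as/resume` and `/as/token` paths and the `usernamePassword.check` content type follow the PingOne Authentication API as the author understands it and should be checked against the current reference. PKCE (RFC 7636) is used because public clients cannot keep a client secret, and the `state` check on the callback is what stops a forged redirect from binding someone else's code to the user's session.

```python
"""Client side of the PingOne authorization code flow with PKCE (added example).

Step 1  GET  /as/authorize       -> AS starts a flow, redirects with a flow ID
Step 2  POST /flows/{flowId}     -> a login action (usernamePassword.check)
Step 3  GET  /as/resume?flowId=  -> flow COMPLETED, AS issues the code
Step 4  parse the redirect       -> verify state, extract code
Step 5  POST /as/token           -> redeem code, prove the PKCE verifier
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for illustration (assumptions, not from the page).
AUTH_PATH = "https://auth.pingone.com"            # {{authPath}} for one region
ENV_ID = "00000000-0000-0000-0000-000000000000"   # placeholder environment ID
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_code_verifier() -> str:
    """High-entropy verifier (43-128 chars); 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(32))


def build_authorize_url(code_verifier: str, state: str, nonce: str,
                        scope: str = "openid profile") -> str:
    """Step 1: the request that asks the AS to start an authentication flow."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                 # bound to the browser session, checked in step 4
        "nonce": nonce,                 # echoed in the ID token
        "code_challenge": code_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_PATH}/{ENV_ID}/as/authorize?{urlencode(params)}"


def username_password_check(flow_id: str, username: str, password: str) -> dict:
    """Step 2: a login action posted to the flow. The vendor content type
    selects the action (taken from the PingOne flow API, not from this page)."""
    return {
        "method": "POST",
        "url": f"{AUTH_PATH}/{ENV_ID}/flows/{flow_id}",
        "headers": {"Content-Type":
                    "application/vnd.pingidentity.usernamePassword.check+json"},
        "body": {"username": username, "password": password},
    }


def resume_url(flow_id: str) -> str:
    """Step 3: once the flow status is COMPLETED, hand the session back to the AS."""
    return f"{AUTH_PATH}/{ENV_ID}/as/resume?{urlencode({'flowId': flow_id})}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Step 4: pull the code out of the redirect. Refuse an error response,
    a missing code, or a state that does not match the one we issued."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or crossed sessions")
    if "code" not in qs:
        raise ValueError("redirect carried no authorization code")
    return qs["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 5: redeem the code at /as/token; the verifier proves this client
    is the one that sent the challenge in step 1."""
    return {
        "method": "POST",
        "url": f"{AUTH_PATH}/{ENV_ID}/as/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID,
            "code_verifier": code_verifier,
        },
    }


if __name__ == "__main__":
    verifier = new_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(verifier, state, nonce))
    print(username_password_check("flow-123", "alice", "correct horse"))
    print(resume_url("flow-123"))
    callback = f"{REDIRECT_URI}?code=abc&state={state}"
    print(build_token_request(parse_callback(callback, state), verifier))
```

A confidential client would add its credential to the step 5 request (for example HTTP Basic authentication with the client secret), and the code from step 4 is single-use and short-lived, so the token request should follow immediately.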

In the authorization and authentication API sample requests shown in this document, the {{authPath}} variable represents the regional domain for the PingOne authorization and authentication services. See PingOne API domains for more information.

The PingOne Authentication API includes the following entities.

Authorization server

The PingOne authorization server service (the `as` segment in request paths) configures the authorization grants that are used to authenticate users and provide access to resources. This service includes the following entities:

For more information, see OpenID Connect/OAuth 2 and Application authorization and authentication.

Flows

The PingOne flow orchestration service configures the steps required to authenticate the application or user that initiated the authentication request. The service is responsible for initiating the authentication session and making calls to specific actions required by the authentication workflow.

For more information, see Flows and PingOne flow states.

OAuth 2 and OpenID Connect

OpenID Connect is an authentication protocol that PingOne connected applications can use to authenticate users and obtain user attributes as claims. PingOne can also act as an OAuth 2 authorization server, authorizing clients to access protected resources with access tokens. For example, PingOne uses OAuth 2 to protect access to its own management APIs.

The OAuth 2 framework defines several methods (grants) by which a client can obtain an access token that authorizes it to access protected resources. The access token represents the authorization granted to the client for a set of scopes. Scopes are string identifiers understood by both the authorization server and the resource server; they define the boundaries of the access granted. The client presents the access token as a credential when it requests data from a resource server, and the resource server enforces the scopes the token carries.

For more information about access tokens, see Access tokens.
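The resource-server half of the scope model above: given the claims of an access token, decide whether a request may proceed. This is an added example, not PingOne's code or code from this page. It assumes the token is a JWT whose signature has already been verified against the authorization server's JWKS (that step is deliberately outside this snippet), that the issuer has the `{{authPath}}/{{envID}}/as` shape, and that scopes are a space-delimited `scope` claim; the environment ID, audience and scope names are constructed placeholders. The point it makes that the paragraph does not is the order of checks: issuer and audience before anything else, so a valid token minted for a different resource server is refused even when it carries the right scope strings.

```python
"""Resource-server authorization decision over verified access-token claims (added example).

`claims` must come from a token whose signature the caller has already
verified; nothing here does cryptography, and nothing unchecked is trusted.
"""
from dataclasses import dataclass

# Constructed environment values (assumptions, not from the page).
ENV_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISS = f"https://auth.pingone.com/{ENV_ID}/as"   # PingOne issuer shape
EXPECTED_AUD = "https://api.example.com/orders"          # this resource server


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_access(claims: dict, required_scopes: set, *, now: int,
                 expected_iss: str = EXPECTED_ISS,
                 expected_aud: str = EXPECTED_AUD,
                 leeway: int = 30) -> Decision:
    """Return an allow/deny decision with the first failing check named."""
    # 1. Only tokens from the authorization server we trust for this environment.
    if claims.get("iss") != expected_iss:
        return Decision(False, "issuer mismatch")

    # 2. `aud` may be a string or a list; this resource server must be named in it.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_aud not in aud:
        return Decision(False, "token not intended for this resource server")

    # 3. Lifetime, with a small leeway for clock skew between AS and RS.
    if "exp" not in claims or now > int(claims["exp"]) + leeway:
        return Decision(False, "token expired or missing exp")
    if now + leeway < int(claims.get("nbf", 0)):
        return Decision(False, "token not yet valid")

    # 4. Scopes: space-delimited string (RFC 6749 style). Every required scope
    #    must be present; extra granted scopes are irrelevant to this request.
    granted = set(str(claims.get("scope", "")).split())
    missing = required_scopes - granted
    if missing:
        return Decision(False, f"missing scope(s): {' '.join(sorted(missing))}")

    return Decision(True, "ok")


# Constructed sample claims, as they would appear after signature verification.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISS,
    "sub": "8d2e9f10-1111-2222-3333-444444444444",
    "aud": [EXPECTED_AUD],
    "client_id": "example-client-id",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,          # one hour after iat
    "scope": "openid orders:read",
}

if __name__ == "__main__":
    t = 1_700_000_100
    print(check_access(SAMPLE_CLAIMS, {"orders:read"}, now=t))
    print(check_access(SAMPLE_CLAIMS, {"orders:write"}, now=t))
    print(check_access(SAMPLE_CLAIMS, {"orders:read"}, now=t + 7200))
    print(check_access({**SAMPLE_CLAIMS, "aud": "https://other.example.com"},
                       {"orders:read"}, now=t))
```

Map each protected route to the scopes it needs and call `check_access` once per request; log the `reason` on denial, but return only a generic 401/403 to the caller so the token contents are not echoed back.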

SAML 2.0

The SAML service supports the SAML 2.0 protocol, which lets client applications (service providers) obtain a requestor's authentication state from PingOne. The SAML service implements functions to initiate SAML 2.0 single sign-on and single logout flows.

For more information, see SAML 2.0.