The Ping Identity Data Governance Broker provides OAuth 2 and OpenID Connect services, which authorize clients for data access and allow clients to obtain an end user’s authentication state.
The OAuth 2 framework defines several methods by which a client may obtain authorization to access protected resources using an access token. The access token represents authorization granted by an end user to the client for a set of scopes. Scopes are simple string identifiers understood by both the authorization server and the resource server to represent units of access. For example, a scope called ‘contact_info’ could represent access to a user’s email address and phone number. The client may use the access token as a credential for accessing data on a resource server.
At a very high level, OAuth 2 authorization works like this: A client makes an authorization request for a specific set of scopes; the end user logs in (if not already logged in), then grants authorization by consenting to share the specific data represented by the requested scopes; and the Data Governance Broker (the authorization server) provides the client with an access token. The access token is time-limited and revocable, and for most request types, the user’s private credentials need never be exposed to the client.
OpenID Connect builds upon the OAuth 2 framework by adding an entity called an ID token, which represents an end user’s authentication state at the server. It also defines the UserInfo endpoint, used for obtaining read-only profile data about the authenticated user. A client makes an authentication request by making an OAuth 2 request including certain OpenID Connect-specific parameter values. As with an authorization request, the end user logs in (if not already logged in), then grants authorization; and the Data Governance Broker returns an ID token and (optionally) an access token to the client. In this way, the Data Governance Broker acts as a single sign-on server, handling user authentication on behalf of applications.