Token (device_code) (NONE)
POST {{authPath}}/{{envID}}/as/token
The token endpoint is used by the client to obtain an access token by presenting its authorization grant. Note that authentication requirements to this endpoint are configured by the application's tokenEndpointAuthMethod property. For device_codegrants, the application calls the POST /{{envID}}/as/token endpoint to acquire the access token. The grant_type property in the token request body uses the following syntax to identify the device code type: urn:ietf:params:oauth:grant-type:device_code.
For a device_code grant type in which the application's tokenEndpointAuthMethod is set to NONE, the request requires the client_id property value (the application ID) and does not require an Authorization header.
Note: In the PingOne admin UI, if the admin chooses the Device Authorization application type, the application is created with the grant type set to DEVICE_CODE and REFRESH_TOKEN, and the Token Endpoint Authentication Method set to NONE. These default application configuration options are based on RFC8628-5.6. Non-Confidential Clients. However, admins are free to select either the CLIENT_SECRET_BASIC or CLIENT_SECRET_POST Token Endpoint Authentication Method if needed, particularly when working with confidential clients. For more information about the token request, see Token.
To obtain a refresh token along with an access token, the client must be configured with the refresh_token grant type and the device_code grant type. With this configuration, a refresh token is generated along with the access token. When obtaining the original access token, a refresh token is included in the response, which is tied to the client and the user session. As long as the session exists and it is not expired (30 days since the last sign on), the /{{envID}}/as/token endpoint can be used to exchange the refresh token for a new access token and refresh token.
When a new refresh token is issued, the previous refresh token is rotated to prevent token abuse. Refresh token rotations do not extend the duration of the session.
A refresh token can be revoked using the /{{envID}}/as/revoke endpoint, which revokes the token without deleting the current user session. You can also revoke the token by deleting the user session. Session termination is supported only by the resource owner using the /{{envID}}/as/signoff endpoint or by disabling the user.
| Property | Type | Required? |
|---|---|---|
client_id | String | Required |
client_secret | String | Optional |
device_code | String | Required |
grant_type | String | Required |
See the Device authentication grant data model for full property descriptions.
Request Body
[{"name"=>"grant_type", "value"=>"urn:ietf:params:oauth:grant-type:device_code", "datatype"=>"string"}, {"name"=>"device_code", "value"=>"{{deviceCode}}", "datatype"=>"string"}, {"name"=>"client_id", "value"=>"{{deviceAppID}}", "datatype"=>"string"}]