Resource scopes

The PingOne platform includes two predefined resources, PingOne API, which is a defined resource that represents the PingOne APIs, and Open ID Connect, which represents OIDC scopes.

You can use PingOne to define custom resources and their associated scopes. Custom resources can be associated with an application either exclusively or in addition to the platform’s predefined resources.

When an application is associated with both the PingOne resource and a custom resource, an authorization request can’t include scopes from both PingOne and the custom resource.

Learn more about getting unique access tokens for each API resource in OAuth access token usage strategies for multiple resources in the Ping Identity Blog.

You can enable an OIDC-based application to request scopes from multiple resources in a single request. Learn more about the Request scopes to access multiple resources option in Editing an application - OIDC.

OIDC scopes

OIDC scopes are used by an application during authentication to authorize access to user details, like name and email address. Scopes are a collection of claims. Each scope returns a set of user attributes, called claims.

You can define custom attributes for OIDC resources and change the way they’re delivered to the application: ID token, UserInfo endpoint, or both.

Changes made to the Open ID resource define the global configuration, which are inherited by applications. Applications can override the inherited global attributes with custom attributes. Learn more in Customizing OIDC attributes for an application.