PingFederate access token validator
To verify the access tokens that a PingFederate authorization server issues, the PingFederate access token validator uses HTTP to submit the tokens to PingFederate Server’s token introspection endpoint.
This step allows the authorization server to determine whether a token is valid.
If you are using PingFederate 10.0 or earlier, ensure that PingFederate is configured to respond to OAuth and OpenID Connect (OIDC) requests by selecting the Enable OAuth 2.0 Authorization Server (AS) role and OpenID Connect check boxes, as explained in Enabling the OAuth AS role. Starting with PingFederate 10.1, these items are always enabled.
Because this step requires an outgoing HTTP request to the authorization server, the PingFederate access token validator might perform more slowly than other access token validator types. In exchange, the validation result is guaranteed to be current, which is an important consideration if the authorization server permits the revocation of access tokens.
Before attempting to use a PingFederate access token validator, create a client that represents the access token validator in the PingFederate configuration. This client must use the Access Token Validation grant type.
Example: PingFederate access token validator configuration
In PingFederate, create a client with the following properties:
- Client ID: PingAuthorize
- Client authentication: Client Secret
- Allowed grant types: Access Token Validation
Take note of the client secret that is generated for the client, and use PingAuthorize Server’s dsconfig command to create an access token validator:
# Change the host name and port below, as needed
dsconfig create-external-server \
  --server-name "PingFederate External Server" \
  --type http \
  --set base-url:https://example.com:9031

# Create the Access Token Validator
dsconfig create-access-token-validator \
  --validator-name "PingFederate Access Token Validator" \
  --type ping-federate \
  --set enabled:true \
  --set "authorization-server:PingFederate External Server" \
  --set client-id:PingAuthorize \
  --set "client-secret:<client secret>" \
  --set evaluation-order-index:2000

# Match the token's subject (sub) claim to the uid attribute
# of a SCIM resource
dsconfig create-token-resource-lookup-method \
  --validator-name "PingFederate Access Token Validator" \
  --method-name "User by uid" \
  --type scim \
  --set scim-resource-type:Users \
  --set 'match-filter:uid eq "%sub%"' \
  --set evaluation-order-index:1000
Replace <client secret> with the client secret value generated by the PingFederate client.
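The following Python is an added illustration, not Ping Identity code and not the validator's implementation: it models the exchange described above (an introspection request authenticated as the PingAuthorize client, acceptance of the token only if the authorization server reports it active and unexpired, then expansion of the page's match-filter template). It assumes the introspection endpoint path (left as a placeholder), an RFC 7662-shaped JSON response, and that a safe reimplementation escapes the sub value before substituting it into the SCIM filter.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed values (not from the page); the endpoint path is a placeholder.
INTROSPECT_URL = "https://example.com:9031/<introspection-endpoint-path>"
CLIENT_ID = "PingAuthorize"        # the client created in PingFederate
CLIENT_SECRET = "<client secret>"  # generated by PingFederate; load from a secret store
MATCH_FILTER = 'uid eq "%sub%"'    # the match-filter from the dsconfig example

# Constructed introspection responses in RFC 7662 shape, not captured from a server.
SAMPLE_ACTIVE = json.dumps({"active": True, "sub": "jdoe", "client_id": "web-app",
                            "exp": 4102444800, "scope": "openid profile"})
SAMPLE_REVOKED = json.dumps({"active": False})


def build_introspection_request(token):
    """POST token=... to the endpoint, authenticating with HTTP Basic client_id:secret."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return urllib.request.Request(
        INTROSPECT_URL, data=body.encode(), method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def token_subject(introspection_json, now=None):
    """Return sub only if the AS reports the token active and exp has not passed."""
    now = time.time() if now is None else now
    try:
        info = json.loads(introspection_json)
    except ValueError:
        return None                      # malformed response: reject
    if not isinstance(info, dict) or info.get("active") is not True:
        return None                      # revoked or unknown token
    exp = info.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return None                      # expired despite active:true (clock skew)
    sub = info.get("sub")
    return sub if isinstance(sub, str) and sub else None


def scim_lookup_filter(sub):
    """Expand %sub%, escaping backslash and quote as SCIM (RFC 7644) string literals require."""
    escaped = sub.replace("\\", "\\\\").replace('"', '\\"')
    return MATCH_FILTER.replace("%sub%", escaped)
```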