---
title: Configuring the resource server
description: PingCentral supports OAuth resource server functionality by validating provided bearer tokens when accessing the Admin API. Only signed JSON Web Token (JWT) tokens are supported in this release, so a JSON Web Key Set (JWKS) endpoint is required to obtain the public keys for signature validation.
component: pingcentral
version: 2.2
page_id: pingcentral:pingcentral_for_iam_administrators:pingcentral_conf_resource_server
canonical_url: https://docs.pingidentity.com/pingcentral/2.2/pingcentral_for_iam_administrators/pingcentral_conf_resource_server.html
revdate: August 15, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
---

# Configuring the resource server

PingCentral supports OAuth resource server functionality by validating provided bearer tokens when accessing the Admin API. Only signed JSON Web Token (JWT) tokens are supported in this release, so a JSON Web Key Set (JWKS) endpoint is required to obtain the public keys for signature validation.

## About this task

If you are using PingFederate 10.1 or later, you can enable the centralized signing key functionality. Additional configuration isn't required in PingCentral to access the centralized JWKS endpoint.

If the access token manager has been configured with an explicit JWKS endpoint path, you must also specify this path in PingCentral.

> **Note:** In PingFederate, this endpoint is exposed as `https://<pf_host>:<port>/ext/<JWKS Endpoint Path>`.

## Steps

1. To provide the JWKS endpoint to PingCentral, open the `<PingCentral_install>/conf/application.properties` file, uncomment the `pingcentral.sso.oidc.oauth-jwk-set-uri` property, and define the JWKS endpoint URI, as in this example.

   ### Example:

   ```
   pingcentral.sso.oidc.oauth-jwk-set-uri=https://sso.<mycompany.com>:9031/ext/oauth/pingcentral/jwks
   ```

2. Configure the `username-claim` that PingCentral will use with bearer tokens.

   ```
   pingcentral.sso.oidc.oauth-username-claim-name=UserId
   ```

   With bearer tokens, PingCentral looks for the Username claim by default.

   > **Note:** While the subject (sub) claim is mandatory with OpenID Connect (OIDC), it's not required when using OAuth 2.

3. Configure PingCentral to validate the access token issuer and audience claim values defined in the access token manager.

   By default, these claims aren't validated. Validation for either or both is enabled by setting the following properties:

   * `pingcentral.sso.oidc.oauth-iss-claim-value=<myissuer>`

   * `pingcentral.sso.oidc.oauth-aud-claim-value=<myaudience>`

4. Make sure that the values specified match those defined in the access token manager.

   > **Note:** If the values don't match, the validation fails.

   > **Note:** If a blank value is defined in PingFederate, the claim won't be present in the token, so do not enable the validation of that claim in PingCentral.

5. Now that the resource server is configured, [configure the OpenID provider](pingcentral_conf_openid_provider.html).
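As an added example (not PingCentral's or PingFederate's own code), the checks that steps 1 to 4 configure, written in Go against a constructed key set and token: selecting the verification key from the JWKS by the token's `kid`, validating the RS256 signature, checking `iss` and `aud` only when a value is configured, and reading the configured username claim. `Config`, `JWKS`, `VerifyBearer` and `Mint` are hypothetical names, and the `aud` check assumes a single string value.

```go
package main

import (
	"crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "encoding/base64"
	"encoding/json"; "fmt"; "math/big"; "strings"
)

// Config mirrors the PingCentral properties on this page (hypothetical type); an empty Issuer or Audience means "not validated".
type Config struct{ UsernameClaim, Issuer, Audience string }
// JWKS models the key set served at oauth-jwk-set-uri; each key carries kid, n and e (RSA only).
type JWKS struct{ Keys []map[string]string }
var enc = base64.RawURLEncoding
func dec(s string) []byte    { b, _ := enc.DecodeString(s); return b }
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// VerifyBearer validates an RS256 JWT against the JWKS, checks iss/aud only when configured, and returns the username claim.
func VerifyBearer(token string, jwks JWKS, cfg Config) (string, error) {
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	p := strings.Split(token, ".")
	if len(p) != 3 || json.Unmarshal(dec(p[0]), &hdr) != nil || json.Unmarshal(dec(p[1]), &claims) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("malformed token or unsupported alg")
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys { // select the verification key by the kid in the JWT header
		if k["kid"] == hdr.Kid {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k["n"])), E: int(new(big.Int).SetBytes(dec(k["e"])).Int64())}
		}
	}
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), dec(p[2])) != nil {
		return "", fmt.Errorf("unknown kid %q or invalid signature", hdr.Kid)
	}
	if (cfg.Issuer != "" && claims["iss"] != cfg.Issuer) || (cfg.Audience != "" && claims["aud"] != cfg.Audience) {
		return "", fmt.Errorf("iss or aud does not match the configured value")
	}
	if user, ok := claims[cfg.UsernameClaim].(string); ok { // e.g. "UserId" from step 2
		return user, nil
	}
	return "", fmt.Errorf("username claim %q is missing", cfg.UsernameClaim)
}

// Mint builds a one-key JWKS and a token signed by it (constructed test input, not PingFederate output).
func Mint(claims map[string]any) (JWKS, string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": "k1"})
	cb, _ := json.Marshal(claims)
	signing := enc.EncodeToString(hb) + "." + enc.EncodeToString(cb)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(signing))
	jwk := map[string]string{"kid": "k1", "n": enc.EncodeToString(key.N.Bytes()), "e": enc.EncodeToString(big.NewInt(int64(key.E)).Bytes())}
	return JWKS{[]map[string]string{jwk}}, signing + "." + enc.EncodeToString(sig)
}
```

A token from a second `Mint` call fails against the first key set even though the `kid` matches, which is the behaviour a resource server must show when the JWKS endpoint is wrong or the key has rotated.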
