Token models and management
Successful OAuth transactions require an OAuth authorization server (AS) to issue tokens characterized by both a security model and a data model for use in authenticating an API call.
Token security model
A token security model refers to the conditions that must be met by a client to use a token on an API call. The currently supported model is a Bearer Token. A client’s presentation of the token – for example, as a parameter on the API call – to the resource server (RS) is interpreted as providing sufficient proof to the RS that the client received the same token from the OAuth AS.
Token data model
A token data model refers to whether the token carries identity and security information or acts as a pointer to the information.
- Self-contained tokens (JSON Web Tokens): Contain identity and security information and attributes in a transport format such as JSON, signed by the AS and verified directly by the RS.
- Reference tokens (Internally Managed Reference Tokens): Serve as a reference to some set of attributes. The RS must de-reference the token for the corresponding identity and security information at the OAuth AS that issued it.
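The two data models above, as an added illustration that is not PingFederate code: the RS validates a self-contained JWT locally (signature and expiry), while a reference token is an opaque handle the RS must de-reference at the AS. The HS256 shared key, the in-memory token store, and the `introspect` function standing in for the AS introspection endpoint are all assumptions of this example.

```python
import base64, hmac, hashlib, json, secrets, time

# Constructed shared secret standing in for the AS signing key (assumption;
# a real AS would normally sign with an asymmetric key such as RS256).
AS_KEY = b"constructed-demo-key"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims, key=AS_KEY):
    """AS side: self-contained token, claims signed with HS256 (demo choice)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, key=AS_KEY, now=None):
    """RS side: verify signature and expiry locally; no call to the AS."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # reject unexpected algorithms, including "none"
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature does not match: tampered or foreign token
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None  # expired
    return claims

# Reference tokens: the AS keeps the attributes; the RS holds only a handle.
_AS_TOKEN_STORE = {}

def issue_reference_token(claims):
    """AS side: opaque random handle pointing at server-held attributes."""
    handle = secrets.token_urlsafe(32)
    _AS_TOKEN_STORE[handle] = dict(claims)
    return handle

def introspect(handle, now=None):
    """Stands in for the AS introspection endpoint the RS must call."""
    claims = _AS_TOKEN_STORE.get(handle)
    if claims is None or claims.get("exp", 0) <= (time.time() if now is None else now):
        return None  # unknown, revoked, or expired handle
    return claims
```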
Token management
PingFederate supports multiple access token management instances, providing flexibility for enterprises where deployments require different token data models, token lifetimes, attribute contracts, token validation rules, or any combination of them for various clients.