PingFederate Server

OAuth persistent grants cleanup

PingFederate provides two cleanup tasks for persistent grants. One task manages expired grants, while another task caps the number of grants based on a combination of user, client, grant type, and authentication context.

Persistent authorizations include those obtained by OAuth clients in the following ways:

  • Grants obtained or updated using the authorization code, resource owner credentials, or device authorization grant type, in conjunction with the refresh token grant type

    If your use cases map attributes from authentication sources (IdP adapter instances, IdP connections, or password credential validator (PCV) instances) to access tokens, either directly or through persistent grant extended attributes, PingFederate stores those attributes and their values along with the persistent grants so they can be reused when clients later present refresh tokens for new access tokens.

  • Grants obtained or updated by using the implicit grant type, for which PingFederate is configured to reuse existing persistent grants

    If your use cases map attributes from authentication sources or PCV instances to access tokens, runtime procedures obtain the attribute values for each token request; the persistent grants themselves do not store the attributes or their values.

Persistent grants and any associated attributes and their values remain valid until the grants expire or until PingFederate explicitly revokes or cleans them up.

PingFederate does not consider the Persistent Grant Idle Timeout setting during grant cleanup, so grants that have exceeded the idle timeout are not removed until they expire. Ensure the grant datastore has enough disk space to hold such grants until their expiration.
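The two cleanup tasks and the idle-timeout caveat, modelled in Python as an added example (this is not PingFederate's own code; the Grant fields, the constructed timestamps, and keeping the most recently issued grants within a capped bucket are assumptions):

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Grant:
    id: str
    user: str
    client: str
    grant_type: str
    authn_context: str
    issued_at: int      # constructed epoch seconds
    last_used_at: int
    expires_at: int

def cleanup_expired(grants, now):
    """Task 1: drop grants whose expiration has passed. The idle timeout is
    deliberately not consulted, matching the documented behaviour."""
    return [g for g in grants if g.expires_at > now]

def cap_grants(grants, max_per_key):
    """Task 2: keep at most max_per_key grants per (user, client, grant type,
    authentication context). Assumption: the newest issued grants are kept."""
    buckets = defaultdict(list)
    for g in grants:
        buckets[(g.user, g.client, g.grant_type, g.authn_context)].append(g)
    kept = []
    for bucket in buckets.values():
        bucket.sort(key=lambda g: g.issued_at, reverse=True)
        kept.extend(bucket[:max_per_key])
    return sorted(kept, key=lambda g: g.id)

def run_cleanup(grants, now, max_per_key):
    return cap_grants(cleanup_expired(grants, now), max_per_key)

def idle_but_retained(grants, now, idle_timeout, max_per_key):
    """Ids of grants that survive cleanup although they exceeded the idle
    timeout: these still occupy space in the grant datastore until they expire."""
    return [g.id for g in run_cleanup(grants, now, max_per_key)
            if now - g.last_used_at > idle_timeout]

# Constructed sample: one user/client/type/context bucket with three live grants
# and one expired grant, plus an idle grant under a different authn context.
NOW = 1_000_000
SAMPLE = [
    Grant("g1", "alice", "app", "authorization_code", "urn:mfa", 900_000, 900_100, 2_000_000),
    Grant("g2", "alice", "app", "authorization_code", "urn:mfa", 950_000, 950_000, 2_000_000),
    Grant("g3", "alice", "app", "authorization_code", "urn:mfa", 990_000, 990_000, 2_000_000),
    Grant("g4", "alice", "app", "authorization_code", "urn:mfa", 500_000, 500_000, 800_000),
    Grant("g5", "alice", "app", "authorization_code", "urn:pwd", 100_000, 100_000, 2_000_000),
]
```

With a cap of 2 per bucket, g4 is removed as expired, g1 is removed by the cap, and g5 survives despite being idle for far longer than an 86 400 second idle timeout.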