Access token management
PingFederate supports multiple access token management (ATM) instances. You can configure different access token policies and attribute contracts for different OAuth clients. You can also control validation of access tokens to one or more resource servers.
When defining an ATM instance, you can customize various settings, including token format, lifetime, session validation settings, and attribute contract for this instance. You can also limit the ATM instance to a list of resource URIs, a set of clients in an access control list (ACL), or both.
For example, you can use the ACL to limit which clients can obtain access tokens from a particular ATM instance. You can also add a resource server client to the ACL of multiple ATMs instances, so that only the resource server client can submit token validation requests for access tokens issued by those ATM instances.
When there are multiple ATM instances, OAuth clients can specify the desired ATM instance by providing the access_token_manager_id
ATM ID or an aud
resource URI in their requests to the PingFederate OAuth authorization server at the /as/authorization.oauth2 authorization endpoint, the /as/token.oauth2
token endpoint, and the /as/introspect.oauth2
introspection endpoint. For resource server clients, you can configure on a per-client basis whether a resource server client must specify the desired ATM instance in its token validation requests at runtime. For more information, see Configuring OAuth clients.
At runtime, the PingFederate OAuth authorization server uses the following rules to determine which ATM instances to use:
-
PingFederate limits the eligible ATM instances to those that are available in the context of the request. For most requests, these are instances that have an attribute mapping defined in the Access Token Mapping window. For OAuth Assertion Grant requests, it is the set of instances for which a mapping is defined in the IdP connection. If configured, the ACL can also limit which ATM instances are eligible.
-
If the request comes with an
access_token_manager_id
oraud
parameter, PingFederate uses the information to determine the applicable ATM instance. -
If the request does not come with either parameter, for OAuth clients supporting the OpenID Connect protocol by including the
openid
scope value, PingFederate uses the ATM instance specified by the OpenID Connect policy associated with the client. For resource server clients, you can optionally configure PingFederate to use any eligible ATM instances for the purpose of token validation. -
If the request comes with neither of the two parameters nor the
openid
scope, PingFederate uses the default ATM instance of the client if configured, or the default ATM instance defined for the installation if eligible. For token validation requests, if resource server clients do not provide either theaccess_token_manager_id
oraud
parameter in their requests and the resource server clients have not been configured to validate against any eligible ATM instances, the same logic applies.
If no match can be found in the eligible list of ATMs, PingFederate aborts the request.