PingFederate Server

Managing expired persistent grants in PingDS

When storing OAuth persistent grants on a PingDS server, you can configure time-to-live (TTL) settings in PingDS to remove expired data from your directory server.

You must configure PingFederate to use org.sourceid.oauth20.token.AccessGrantManagerLDAPPingDSV2Impl for access grant storage. Learn more in Configuring directories for grant storage.

About this task

In PingDS, you can use backend indexes to enable TTL for generalized time indexes. Learn more in Backend Index in the PingDS documentation.

Steps

  1. Disable the PingFederate cleanup task.

    For a clustered PingFederate environment, make these changes on the console node. No changes are required on any of the engine nodes.

    1. Open the <pf_install>/pingfederate/server/default/data/config-store/timer-intervals.xml file in a text editor.

    2. Update the AccessGrantCleanerInterval value to 0.

    3. Save your changes.

    4. Restart PingFederate.

  2. Connect to the PingDS server.

  3. Update the index using the PingDS dsconfig utility.

    The dsconfig utility is interactive. You can also provide inputs as command arguments.

  4. To remove expired OAuth persistent grants, update the accessGrantExpiresTime index.

    $ dsconfig set-backend-index-prop \
     --hostname localhost \
     --port 4444 \
     --bindDN uid=admin \
     --bindPassword password \
     --backend-name dsEvaluation \
     --index-name accessGrantExpiresTime \
     --set ttl-enabled:true \
     --set ttl-age:0\ s \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --no-prompt
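After handing cleanup over to the PingDS TTL index, it is worth being able to check what that index will actually purge. The following script is an added example, not part of the PingFederate or PingDS documentation: it parses accessGrantExpiresTime values (LDAP GeneralizedTime) and a dsconfig ttl-age duration, and reports which stored grants are eligible for TTL removal at a given moment. It assumes the PingDS TTL rule that an entry expires ttl-age after the indexed time; the sample grant entries and DN attribute names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime (RFC 4517 subset): YYYYMMDDhhmmss[.fff](Z|+hhmm|-hh)
GT_RE = re.compile(r"^(\d{14})(?:[.,](\d+))?(Z|[+-]\d{2}(?:\d{2})?)$")
# dsconfig duration units handled here (a subset of what dsconfig accepts)
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def parse_generalized_time(value: str) -> datetime:
    """Parse a GeneralizedTime attribute value into an aware UTC datetime."""
    m = GT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    base, frac, tz = m.groups()
    dt = datetime.strptime(base, "%Y%m%d%H%M%S")
    if frac:  # fractional seconds, truncated to microsecond precision
        dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    if tz == "Z":
        offset = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        hours, minutes = int(tz[1:3]), int(tz[3:5] or 0)
        offset = timezone(sign * timedelta(hours=hours, minutes=minutes))
    return dt.replace(tzinfo=offset).astimezone(timezone.utc)

def parse_ttl_age(spec: str) -> timedelta:
    """Parse a dsconfig ttl-age value such as '0 s', '30 m' or '7 d'."""
    m = re.fullmatch(r"(\d+)\s*([smhdw])", spec.strip())
    if not m:
        raise ValueError(f"unsupported ttl-age: {spec!r}")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})

def purge_candidates(entries, ttl_age: str, now_gt: str):
    """DNs whose accessGrantExpiresTime + ttl-age is at or before now_gt.
    Assumption: PingDS TTL treats an entry as expired ttl-age after the indexed time."""
    age = parse_ttl_age(ttl_age)
    now = parse_generalized_time(now_gt)
    return [dn for dn, expires in entries
            if parse_generalized_time(expires) + age <= now]

# Constructed sample grants (dn, accessGrantExpiresTime); not real directory data.
SAMPLE_GRANTS = [
    ("accessGrantGuid=g1,ou=grants,dc=example,dc=com", "20240101120000Z"),
    ("accessGrantGuid=g2,ou=grants,dc=example,dc=com", "20240101130000Z"),
    ("accessGrantGuid=g3,ou=grants,dc=example,dc=com", "20240101140000.5Z"),
    ("accessGrantGuid=g4,ou=grants,dc=example,dc=com", "20240101150000+0100"),
]

if __name__ == "__main__":
    # With ttl-age 0 s (as in the dsconfig command above) at 14:00 UTC: g1, g2 and g4
    for dn in purge_candidates(SAMPLE_GRANTS, "0 s", "20240101140000Z"):
        print("eligible for TTL purge:", dn)
```

Grants the function reports that are still present in the directory long after their expiry point to a TTL index that is not doing its job; a short lag is normal because PingDS purges expired entries in the background rather than at the exact instant.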