---
title: Configuring OAuth token exchange
description: Configuring the OAuth authorization server to support OAuth token exchange involves configuring token exchange processor policies, token generator instances and token exchange generator groups, access token manager instances, and OAuth clients.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_config_oauth_token_exchange
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_oauth_token_exchange.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: September 26, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring OAuth token exchange

Configuring the OAuth authorization server to support OAuth token exchange involves configuring token exchange processor policies, token generator instances and token exchange generator groups, access token manager instances, and OAuth clients.

## About this task

To configure OAuth token exchange, see the included topic links to perform the necessary steps.

|   |                                                                                                                                                                                                                                                                                                                                                                                   |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | [Temporary AWS security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) are security token service (STS) tokens. To exchange inbound STS tokens, use PingFederate's SAML 2.0 token processor and the configured SAML 2.0 token processor policy in the token exchange processor policy instance. The details depend on your requirements. |

## Steps

1. Define token exchange processor policies to handle incoming token exchange requests. See [Defining token exchange processor policies](pf_defining_token_exchange_processor_policies.html).

2. If you need token generator instances to generate the requested tokens, complete the following tasks.

   1. Configure the token generator instances. See [Managing token generators](help_tokengeneratortasklet_tokenpluginmgmtstate.html).

   2. Create token exchange generator groups. See [Creating token exchange generator groups](pf_creating_token_exchange_generator_groups.html).

   3. Map the attributes from the token exchange processor policies to the attributes from the token generator instances. See [Mapping token exchange attributes to token generator attributes](pf_mapping_token_exchange_attributes_token_generator_attributes.html).

3. Access token managers to generate the requested tokens.

   1. Configure the access token manager instances. See [Managing access token management instances](help_accesstokenmanagementtasklet_accesstokenmanagementstate.html).

   2. Map the attributes from the token exchange processor policies to the attributes from the access token manager instances. See [Mapping token exchange attributes to access token manager attributes](pf_mapp_token_exchang_attribut_to_access_token_manager_attribut.html).

4. Enable token exchange in the OAuth clients that will send the token exchange requests to the authorization server. See [Enabling token exchange in OAuth clients](pf_enabl_token_exchang_oauth_client.html).