PingFederate Server

Configuring a Refresh Token Token Processor instance

PingFederate validates refresh tokens used as subject tokens in OAuth token exchange processor policies.

Use the Instance Configuration tab on the Create Token Processor Instance page to configure a Refresh Token Token Processor instance.

Use this token processor when a token exchange processor policy must accept a subject token of type urn:ietf:params:oauth:token-type:refresh_token.

When processing an incoming refresh token, PingFederate looks up the associated persistent grant and can fulfill stored grant attributes from that grant.

For ID-JAG token exchange that uses an ID token as the subject token, use a JWT Token Processor 2.0 instance instead. Refresh tokens are better suited for long-running ID-JAG flows because they are longer-lived than ID tokens.

Learn more in the ID-JAG specification.

Before you begin

Use the Type tab on the Create Token Processor Instance page to begin configuring a Refresh Token Token Processor instance.

Steps

  1. In the PingFederate admin console, on the Create Token Processor Instance page, click the Instance Configuration tab.

  2. Review the configuration. This plugin type has no individual configurable fields.

  3. Click Save.

Next steps

After you save the instance configuration, click the Extended Contract tab to continue configuring the token processor instance.

If you expose grant attributes from the Refresh Token Token Processor, the extended contract attribute name and the grant attribute name must match exactly, including case.

To use the processor in an ID-JAG flow, map it to the subject token type urn:ietf:params:oauth:token-type:refresh_token in a token exchange processor policy.
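
A pre-flight check for the exact-match rule on extended contract attributes described above, as an added example that is not part of the PingFederate product or its documentation. It compares extended contract attribute names with grant attribute names and flags near misses that differ only by case or surrounding whitespace. The attribute names are constructed sample values, and both lists are assumed to have been copied out of your own configuration.

```python
from collections import defaultdict


def check_contract(extended_contract, grant_attributes):
    """Classify each extended contract name against the grant attribute names.

    Returns {contract_name: (status, candidates)} where status is one of
    "ok", "case_mismatch", "whitespace_mismatch" or "missing", and candidates
    lists the grant attribute names the contract name was probably meant to be.
    """
    exact = set(grant_attributes)
    # Index grant names by a normalized form so near misses can be found.
    folded = defaultdict(list)
    for grant_name in grant_attributes:
        folded[grant_name.strip().casefold()].append(grant_name)

    report = {}
    for name in extended_contract:
        if name in exact:
            report[name] = ("ok", [name])
            continue
        candidates = folded.get(name.strip().casefold(), [])
        if not candidates:
            report[name] = ("missing", [])
        elif any(c.strip() == name.strip() for c in candidates):
            # Same letters and case; only leading/trailing whitespace differs.
            report[name] = ("whitespace_mismatch", candidates)
        else:
            report[name] = ("case_mismatch", candidates)
    return report


def mismatches(report):
    """Return only the entries that would not match exactly."""
    return {k: v for k, v in report.items() if v[0] != "ok"}


# Constructed sample values, not taken from any real deployment.
SAMPLE_GRANT_ATTRIBUTES = ["department", "employeeId", "tenant"]
SAMPLE_EXTENDED_CONTRACT = ["department", "EmployeeID", "tenant ", "region"]

if __name__ == "__main__":
    result = check_contract(SAMPLE_EXTENDED_CONTRACT, SAMPLE_GRANT_ATTRIBUTES)
    for contract_name, (status, candidates) in result.items():
        print(f"{contract_name!r}: {status} {candidates}")
```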