Keys for OAuth and OpenID Connect
You can use keys to manage a number of security roles in PingFederate.
On Security → Certificate & Key Management → OAuth & OpenID Connect Keys, you can specify whether PingFederate should use static or dynamically rotating keys for OAuth and OpenID Connect (OIDC).
Administrators can assign a unique key ID to each configured OAuth and OIDC key. These keys are then published with the corresponding key IDs in the JWKS endpoint.
PingFederate uses a single active RSA key for all supported RSA-based signing algorithms. Adding a single-valued alg parameter to the JWK that indicates the usage of the key with signing algorithm can be challenging. PingFederate addresses this by duplicating the same key with a modified key ID and alg value of RS256. The same RSA key with alg values of RS384 or RS512 can be published in the JWKS endpoint by assigning a unique key ID to each of these algorithm types.
This configuration is currently only available using the PingFederate Administrative API.
Supported algorithms are:
-
RS256
-
RS384
-
RS512
-
PS256
-
PS384
-
PS512
|
When using dynamically rotating keys, the number of key sets in memory is set to three for both signing and encryption keys. This number is not configurable. The key sets include pending, active, and retired. At each rotation cycle, a new set of pending keys is generated. The original pending set becomes the active set, the active set becomes the retired set, and the old retired set goes away. All three sets are published for signing keys. For encryption keys, only the active key set is published. The rotation period and RSA key size are configurable in the file |
The keys are used in the following manner.
| PingFederate role | Key usages |
|---|---|
Authorization Server (AS) |
Sign self-contained access tokens for relying parties (RPs). |
OpenID Provider (OP) |
Sign ID tokens for RPs. |
Relying Party (RP) |
Sign JSON web tokens (JWTs) for authentication, sign OIDC request objects, decrypt ID tokens, or any combination. |