PingOne Advanced Identity Cloud

Server-side tokens

The CTS token store is the authoritative source for server-side tokens. PingOne Advanced Identity Cloud returns to the client a reference to the token; the reference does not contain any of the token information. In the following example, the reference is stored in the access_token property:

{
  "access_token": "sbQZuveFumUDV5R1vVBl6QAGNB8",
  "scope": "write",
  "token_type": "Bearer",
  "expires_in": 3599
}

Server-side tokens:

  • Are less vulnerable to tampering attacks because clients cannot access tokens other than to introspect them.

  • Are not cached in memory.

    Each time a client presents a token ID in a request, PingOne Advanced Identity Cloud checks whether the token exists in the CTS token store, in case it has been revoked. If the token is available, PingOne Advanced Identity Cloud retrieves its information.

    Reading from and writing to the CTS token store has a performance impact.

  • Can only be introspected using a call to the authorization server.
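How a resource server might validate such a token reference, as an added example that is not taken from the product documentation or code. It assumes the authorization server exposes a standard OAuth 2.0 token introspection (RFC 7662) endpoint; the stub server, the STORE dictionary standing in for the CTS token store, the URL and the client credentials are all constructed for illustration, and a real deployment would use HTTPS.

```python
import base64, json, threading, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the CTS token store: token reference -> token data.
STORE = {"sbQZuveFumUDV5R1vVBl6QAGNB8": {"scope": "write", "token_type": "Bearer"}}
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy for the local stub

class StubAS(BaseHTTPRequestHandler):
    """Minimal RFC 7662 introspection endpoint, for offline demonstration only."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers["Content-Length"])).decode()
        token = urllib.parse.parse_qs(body).get("token", [""])[0]
        record = STORE.get(token)  # looked up on every request, never cached
        data = json.dumps({"active": True, **record} if record else {"active": False}).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args): pass  # silence per-request logging

def introspect(url, client_id, client_secret, token, timeout=5):
    """Ask the authorization server about a token reference; fail closed."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=urllib.parse.urlencode({"token": token}).encode(),
                                 headers={"Authorization": f"Basic {creds}"})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            claims = json.load(resp)
    except (OSError, ValueError):
        return None  # unreachable server or malformed reply: treat the token as invalid
    return claims if isinstance(claims, dict) and claims.get("active") is True else None

def authorize(url, token, required_scope):
    # The reference itself carries no scope; only the introspection reply does.
    claims = introspect(url, "rs-client", "rs-secret", token)  # hypothetical credentials
    return bool(claims) and required_scope in claims.get("scope", "").split()

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubAS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/introspect"
    tok = "sbQZuveFumUDV5R1vVBl6QAGNB8"
    before = authorize(url, tok, "write")
    STORE.pop(tok, None)  # revocation: the token no longer exists in the store
    after = authorize(url, tok, "write")
    server.shutdown()
    return before, after

if __name__ == "__main__":
    print(demo())
```

Because the resource server asks the authorization server on each request instead of caching the reply, the revocation takes effect on the very next call, at the cost of one round trip per request.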