Configuring a sample PingFederate access token validator

Page created: 15 Jul 2022 |

Page updated: 9 Aug 2022

| 2 min read

To verify the access tokens that a authorization server issues, the access token validator uses HTTP to submit the tokens to server's token introspection endpoint.

Before using a access token validator, create a client that represents the access token validator in the configuration. This client must use the Access Token Validation grant type.

This step allows the authorization server to determine whether a token is valid.

Note:

Access tokens issued using the OAuth 2 client credentials grant type are issued directly to a client and do not contain a subject. Such tokens cannot be accepted by the directory server.

Because this step requires an outgoing HTTP request to the authorization server, the access token validator might perform slower than other access token validator types. The validation result is guaranteed to be current, which is an important consideration if the authorization server permits the revocation of access tokens.

In , create a client with the following properties:
- Client ID: Ping Identity
- Client authentication: Client Secret
- Allowed grant types: Access Token Validation

Take note of the client secret and use the directory server's dsconfig command to create an access token validator, as shown.


# Create an identity mapper that expects the token subject to be a uid
dsconfig create-identity-mapper \
	--mapper-name "User ID Identity Mapper" \
	--type exact-match \
	--set enabled:true \
	--set match-attribute:uid \
	--set match-base-dn:ou=people,dc=example,dc=com			
# Change the host name and port below, as needed
dsconfig create-external-server \
  --server-name "PingFederate External Server" \
  --type http \
  --set base-url:https://example.com:9031
# Create the Access Token Validator
dsconfig create-access-token-validator \
  --validator-name "PingFederate Access Token Validator" \
  --type ping-federate \
  --set enabled:true \
  --set "authorization-server:PingFederate External Server" \
  --set client-id:PingDataGovernance \
  --set "client-secret:<client secret>"
  --set evaluation-order-index:2000
  --set "identity-mapper:User ID Identity Mapper"

Replace <client secret> with the client secret value generated by the client.