Authorization grants obtained by OAuth clients in the following ways are considered persistent.

  • Grants obtained or updated by using the Authorization Code, Resource Owner Credentials, or Device Authorization grant type, in conjunction with the Refresh Token grant type.

    If the use cases involve mapping attributes from authentication sources (IdP adapter instances or IdP connections) or Password Credential Validator (PCV) instances to the access tokens (directly or through persistent grant extended attributes), such attributes and their values are stored along with the persistent grants so that they can be reused when clients subsequently present refresh tokens for new access tokens.

  • Grants obtained or updated by using the Implicit grant type, for which PingFederate is configured to reuse existing persistent grants.

    If the use cases involve mapping attributes from authentication sources or PCV instances to the access tokens (directly or through persistent grant extended attributes), attribute values are obtained at runtime for each token request. No attributes or their values are stored with the persistent grants.

Persistent grants (and the associated attributes and their values, if any) remain valid until the grants expire or are explicitly revoked or cleaned up. PingFederate provides two cleanup tasks for persistent grants: one removes expired grants, and the other caps the number of grants per combination of user, client, grant type, and authentication context. The expired-grant cleanup routine determines expiry from the Persistent Grant Max Lifetime policy setting.

Note: PingFederate does not factor in the Persistent Grant Idle Timeout setting during grant cleanup. Ensure the grant datastore has enough disk space to hold grants that have expired because they exceeded the Persistent Grant Idle Timeout setting, since the cleanup task does not remove them.
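To make the lifetime and cleanup semantics above concrete, the following is an added Python model written for this page; it is not PingFederate code, and the data model, function names, retention rule for the cap (keep the newest grants) and sample grants are constructed for illustration. It shows the distinction the note describes: a refresh-token use checks both the Max Lifetime and the Idle Timeout, but the expired-grant cleanup applies only the Max Lifetime, so a grant that has become unusable through the idle timeout stays in the datastore until it reaches its maximum lifetime. The second cleanup task caps grants per (user, client, grant type, authentication context).

```python
"""Toy model of persistent OAuth grant lifetime and cleanup (illustrative, not PingFederate code).

Setting names follow the documentation above; everything else (classes, function names,
the rule that the cap keeps the newest grants, and the sample grants) is an assumption
made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

DAY = 86400  # seconds


@dataclass
class PersistentGrant:
    grant_id: str
    user: str
    client_id: str
    grant_type: str          # e.g. authorization_code, device_code, implicit
    authn_context: str       # constructed label for the authentication context
    issued_at: int           # epoch seconds
    last_used_at: int        # epoch seconds; refreshed each time a refresh token is presented
    revoked: bool = False
    # Attributes mapped from IdP adapters / PCVs are stored with the grant only for
    # code / ROPC / device flows combined with refresh tokens; implicit grants store none.
    extended_attrs: dict = field(default_factory=dict)


@dataclass
class GrantPolicy:
    max_lifetime: int        # Persistent Grant Max Lifetime (seconds)
    idle_timeout: int        # Persistent Grant Idle Timeout (seconds)
    max_per_key: int         # cap per (user, client, grant type, authn context)


def is_usable(grant: PersistentGrant, policy: GrantPolicy, now: int) -> bool:
    """Runtime check when a refresh token is presented: lifetime AND idle timeout both apply."""
    if grant.revoked:
        return False
    if now - grant.issued_at > policy.max_lifetime:
        return False
    if now - grant.last_used_at > policy.idle_timeout:
        return False
    return True


def cleanup_expired(store: list, policy: GrantPolicy, now: int) -> list:
    """Expired-grant cleanup task: considers Max Lifetime only; idle timeout is NOT factored in."""
    removed = [g for g in store if now - g.issued_at > policy.max_lifetime]
    store[:] = [g for g in store if now - g.issued_at <= policy.max_lifetime]
    return removed


def cleanup_capped(store: list, policy: GrantPolicy) -> list:
    """Cap cleanup task: keep at most max_per_key grants per (user, client, grant type, authn ctx).
    Which grants survive is an assumption here: the newest by issue time are kept."""
    buckets = defaultdict(list)
    for g in store:
        buckets[(g.user, g.client_id, g.grant_type, g.authn_context)].append(g)
    removed = []
    for grants in buckets.values():
        grants.sort(key=lambda g: g.issued_at, reverse=True)
        removed.extend(grants[policy.max_per_key:])
    removed_ids = {g.grant_id for g in removed}
    store[:] = [g for g in store if g.grant_id not in removed_ids]
    return removed


def idle_but_retained(store: list, policy: GrantPolicy, now: int) -> list:
    """Grants that fail the runtime check because of idle timeout but that no cleanup task
    removes: this is the disk-space caveat from the note above."""
    return [g for g in store
            if not g.revoked
            and now - g.issued_at <= policy.max_lifetime
            and now - g.last_used_at > policy.idle_timeout]


def demo() -> dict:
    """Run both cleanup tasks over a constructed grant store and report what each one did."""
    policy = GrantPolicy(max_lifetime=30 * DAY, idle_timeout=7 * DAY, max_per_key=3)
    now = 40 * DAY
    key_a = ("alice", "app1", "authorization_code", "ctx:mfa")
    key_b = ("bob", "app1", "device_code", "ctx:pwd")
    store = [
        PersistentGrant("g1", *key_a, issued_at=0, last_used_at=5 * DAY),          # past max lifetime
        PersistentGrant("g2", *key_a, issued_at=20 * DAY, last_used_at=25 * DAY),  # idle-expired, retained
        PersistentGrant("g3", *key_a, issued_at=35 * DAY, last_used_at=38 * DAY),
        PersistentGrant("g4", *key_a, issued_at=36 * DAY, last_used_at=39 * DAY),
        PersistentGrant("g5", *key_b, issued_at=31 * DAY, last_used_at=39 * DAY),  # oldest of 4 -> capped
        PersistentGrant("g6", *key_b, issued_at=32 * DAY, last_used_at=39 * DAY),
        PersistentGrant("g7", *key_b, issued_at=38 * DAY, last_used_at=39 * DAY),
        PersistentGrant("g8", *key_b, issued_at=39 * DAY, last_used_at=39 * DAY),
    ]
    by_id = {g.grant_id: g for g in store}
    expired = cleanup_expired(store, policy, now)
    capped = cleanup_capped(store, policy)
    return {
        "expired": [g.grant_id for g in expired],
        "capped": [g.grant_id for g in capped],
        "idle_retained": [g.grant_id for g in idle_but_retained(store, policy, now)],
        "remaining": [g.grant_id for g in store],
        "g2_usable": is_usable(by_id["g2"], policy, now),
        "g3_usable": is_usable(by_id["g3"], policy, now),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the sample run, g1 is removed by the expiry task, g5 by the cap task, and g2 is rejected if its refresh token is presented yet remains in the store: sizing the grant datastore has to account for such idle-expired grants until their maximum lifetime elapses.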