Configure, modify, and edit the OAuth authorization servers in PingAccess.
If you plan to use Mutual TLS, modify the token provider to
provide the mtls_endpoint_aliases
object, with content defined by
RFC-8705, on the OpenID Connect (OIDC) well-known
configuration endpoint.
- Click Settings and then go to System > Token Provider > Common > OAuth Authorization Server.
- Optional: In the Description field, enter a description for the authorization server.
-
In the Targets field, enter one or more
hostname:port
pairs for the OAuth authorization server. Click + Add Target to add additional targets. - In the Introspection Endpoints field, specify the OAuth endpoint through which the token introspection operation is accomplished.
- Select the Audit check box to record requests to the OAuth authorization server to the audit store.
- Select the Secure option if the OAuth authorization server is expecting HTTPS connections.
-
From the Trusted Certificate Group list, select the
group of certificates to use when authenticating to the OAuth authorization
server.
PingAccess requires that the certificate in use by OAuth authorization server anchors to a certificate in the associated trusted certificate group.
- In the Client ID field, enter the unique identifier assigned when you created the PingAccess OAuth client within your OAuth authorization server.
-
Select a Client Credentials Type, then provide the
information required for the selected credential type.
- Secret – Enter the Client Secret assigned when you created the PingAccess OAuth client in the token provider.
- Mutual TLS – Select a configured Key Pair to use for mutual TLS client authentication.
- Private Key JWT – Select this option to use Private Key JSON web token (JWT). No additional information is required.
- Optional:
Select the Cache Tokens option to retain token details
for subsequent requests.
This option reduces the communication between PingAccess and OAuth authorization server.
- Optional:
Select the Token Time To Live check box to enter the
number of seconds to cache the access token.
A value of -1 means there is no limit. This value should be less than the OAuth authorization server token lifetime.
-
In the Subject Attribute Name field, enter the attribute
you want to use from the OAuth access token as the subject for auditing
purposes.
At runtime, the attribute's value is used as the Subject field in audit log entries for API Resources with policies that validate access tokens.
-
Select the Send Audience check box to send the URI the
user requested as the
aud
OAuth parameter for PingAccess to the OAuth 2.0 authorization server. -
To configure advanced settings, click Show
Advanced.
- To use a configured proxy, select the Use Proxy check box.
-
Click Save.
Note:
If the node is not configured with a proxy, requests are made directly to the token provider.