Configure, modify, and edit the OAuth authorization servers in PingAccess
If you plan to use mutual TLS, modify the token provider so that its OpenID Connect (OIDC) well-known configuration endpoint publishes the mtls_endpoint_aliases object, with content as defined by RFC 8705.
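The following is an added example, not PingAccess code, showing what the mtls_endpoint_aliases requirement means for a client: it parses a constructed OIDC discovery document (hypothetical hostnames) and resolves the Token Endpoint and Introspection Endpoint the way RFC 8705 section 5 prescribes, using the mTLS alias when mutual TLS is in use and falling back to the conventional endpoint when no alias is published. It also refuses non-https endpoints, which is the client-side counterpart of the Secure option below.

```python
import json
from typing import Dict
from urllib.parse import urlparse

# Constructed OIDC discovery document (the shape an OpenID Provider serves at
# /.well-known/openid-configuration). Hostnames and paths are hypothetical.
DISCOVERY_JSON = """{
  "issuer": "https://as.example.com",
  "token_endpoint": "https://as.example.com/as/token.oauth2",
  "introspection_endpoint": "https://as.example.com/as/introspect.oauth2",
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://mtls.as.example.com/as/token.oauth2",
    "introspection_endpoint": "https://mtls.as.example.com/as/introspect.oauth2"
  }
}"""


def load_discovery(raw: str) -> dict:
    """Parse the discovery document and sanity-check mtls_endpoint_aliases."""
    doc = json.loads(raw)
    aliases = doc.get("mtls_endpoint_aliases")
    if aliases is not None and not isinstance(aliases, dict):
        raise ValueError("mtls_endpoint_aliases must be a JSON object (RFC 8705 section 5)")
    return doc


def resolve_endpoint(doc: dict, name: str, use_mtls: bool) -> str:
    """Return the URL a client should call for endpoint `name`.

    RFC 8705 section 5: a client doing mutual TLS uses the entry in
    mtls_endpoint_aliases in preference to the conventional endpoint and
    falls back to the conventional endpoint when no alias exists.  A client
    that is not doing mutual TLS ignores the aliases entirely.
    """
    if name not in doc:
        raise KeyError(f"discovery document has no {name}")
    url = doc[name]
    if use_mtls:
        url = (doc.get("mtls_endpoint_aliases") or {}).get(name, url)
    parsed = urlparse(url)
    # Only accept absolute https URLs, so a tampered or misconfigured discovery
    # document cannot send client credentials or tokens over plain http.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"{name} is not an absolute https URL: {url!r}")
    return url


def pingaccess_endpoints(doc: dict, use_mtls: bool) -> Dict[str, str]:
    """The two endpoints the configuration steps on this page ask for."""
    return {
        "token_endpoint": resolve_endpoint(doc, "token_endpoint", use_mtls),
        "introspection_endpoint": resolve_endpoint(doc, "introspection_endpoint", use_mtls),
    }


if __name__ == "__main__":
    doc = load_discovery(DISCOVERY_JSON)
    for mtls in (False, True):
        print("mutual TLS" if mtls else "client secret", pingaccess_endpoints(doc, mtls))
```

If the token provider publishes no aliases, the mTLS client silently lands on the conventional endpoints; that is the case the step above is telling you to avoid by adding the object to the well-known document.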
-
Click Settings and then go to .
- Optional:
In the Description field, enter a description for the
authorization server.
-
In the Targets field, enter one or more hostname:port pairs for the OAuth authorization server.
- Optional:
Click + Add Target to add additional
targets.
-
In the Introspection Endpoint field, specify the OAuth endpoint through which the token introspection operation is accomplished.
Note:
If you've configured a remote access token validator on a PingAccess application and then try to remove the Introspection Endpoint, or save without configuring it, on the OAuth Authorization Server tab, you get the following error message:
Introspection endpoint is required as there are applications that use remote token validation.
Remove the remote access token validator from the application before changing the Introspection Endpoint on the OAuth Authorization Server tab.
-
In the Token Endpoint field, enter the OAuth 2.0
Authorization Server’s token endpoint.
-
Select the Audit check box to record requests to the
OAuth authorization server to the audit store.
-
Select the Secure option if the OAuth authorization
server is expecting HTTPS connections.
-
In the Trusted Certificate Group list, select the group of certificates to use when authenticating the OAuth authorization server.
PingAccess requires that the certificate in use by the OAuth authorization server chains to a certificate in the selected trusted certificate group; otherwise the connection is rejected.
-
In the Client ID field, enter the unique identifier
assigned when you created the PingAccess
OAuth client within your OAuth authorization server.
-
Select a Client Credentials Type, then provide the information required for the selected credential type.
- Secret: Enter the Client Secret assigned when you created the PingAccess OAuth client in the token provider.
- Mutual TLS: Select a configured Key Pair to use for mutual TLS client authentication.
- Private Key JWT: Select this option to authenticate with a private key JSON Web Token (JWT). No additional information is required.
- Optional:
Select the Cache Tokens option to retain token details for subsequent requests.
This option reduces the communication between PingAccess and the OAuth authorization server.
- Optional:
Select the Token Time To Live check box to enter the number of seconds to cache the access token.
A value of -1 means there is no limit. This value should be less than the OAuth authorization server's token lifetime; otherwise PingAccess can keep honoring a cached result after the token has expired, and any revocation stays invisible until the cached entry ages out.
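As an added example (not PingAccess code), the following models the Cache Tokens and Token Time To Live options so the trade-off is concrete: introspection results are kept for at most the configured TTL, a TTL of -1 means no limit, and, as an extra safeguard the page does not attribute to PingAccess, every entry is also capped at the token's own exp claim from the RFC 7662 response. The authorization server, tokens, clock, and subject values are constructed for the demonstration.

```python
import time
from typing import Callable, Dict, Tuple


class FakeAuthorizationServer:
    """Constructed stand-in for the authorization server's introspection
    endpoint (RFC 7662 response shape). Not a real token provider."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._exp: Dict[str, float] = {}   # token -> expiry (epoch seconds)
        self._revoked: set = set()

    def issue(self, token: str, lifetime: int) -> None:
        self._exp[token] = self._clock() + lifetime

    def revoke(self, token: str) -> None:
        self._revoked.add(token)

    def introspect(self, token: str) -> dict:
        exp = self._exp.get(token)
        if exp is None or token in self._revoked or self._clock() >= exp:
            return {"active": False}
        return {"active": True, "exp": exp, "sub": "alice",
                "client_id": "pingaccess", "scope": "openid profile"}


class IntrospectionCache:
    """Caches positive introspection results for at most `ttl_seconds`.

    ttl_seconds == -1 means "no limit" in the page's sense.  Every entry is
    additionally capped at the token's own `exp`, so an expired token is never
    served from cache.  A revoked token can still be served until its entry
    ages out, which is why the TTL should stay well below the token lifetime.
    """

    def __init__(self, introspect: Callable[[str], dict], ttl_seconds: int = -1,
                 clock: Callable[[], float] = time.time):
        if ttl_seconds == 0 or ttl_seconds < -1:
            raise ValueError("ttl_seconds must be -1 (no limit) or a positive number")
        self._introspect = introspect
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[float, dict]] = {}  # token -> (expires_at, result)
        self.introspections = 0  # round trips to the AS, for observability

    def lookup(self, token: str) -> dict:
        now = self._clock()
        hit = self._entries.get(token)
        if hit is not None and now < hit[0]:
            return hit[1]
        self._entries.pop(token, None)

        result = self._introspect(token)
        self.introspections += 1
        # Only positive results are cached: a denial is cheap to re-check, and
        # caching denials would let junk tokens fill the cache.
        if result.get("active"):
            expires_at = float(result.get("exp", now))  # no exp claim -> do not cache
            if self._ttl != -1:
                expires_at = min(expires_at, now + self._ttl)
            if expires_at > now:
                self._entries[token] = (expires_at, result)
        return result


if __name__ == "__main__":
    clock = [1_700_000_000.0]
    server = FakeAuthorizationServer(lambda: clock[0])
    cache = IntrospectionCache(server.introspect, ttl_seconds=60, clock=lambda: clock[0])
    server.issue("tok1", lifetime=300)
    cache.lookup("tok1"); cache.lookup("tok1")
    print("round trips after two lookups:", cache.introspections)
    server.revoke("tok1")
    print("revoked token still active from cache:", cache.lookup("tok1")["active"])
    clock[0] += 61
    print("after TTL elapsed:", cache.lookup("tok1")["active"])
```

The window between revocation and the cache entry aging out is the price of the Cache Tokens option; the TTL is the knob that bounds it, which is why it must be shorter than the lifetime the authorization server assigns.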
-
In the Subject Attribute Name field, enter the attribute that you want to use from the OAuth access token as the subject for auditing purposes.
At runtime, the attribute's value is used as the Subject field in audit log entries for API resources with policies that validate access tokens.
-
Select the Send Audience check box to send the URI the user requested as the aud OAuth parameter for PingAccess to the OAuth 2.0 authorization server.
-
To configure advanced settings, click Show
Advanced.
-
To use a configured proxy, select the Use Proxy check box.
Note:
If the node is not configured with a proxy, requests are made directly to the token provider.
-
Click Save.