Configuring OAuth resource servers - PingAccess - 7.3


When receiving OAuth-protected API calls, PingAccess acts as an OAuth resource server, checking with the PingFederate OAuth authorization server on the validity of the bearer access token it receives from a client.

Prior to configuring OAuth resource servers, you must finish configuring the PingFederate administration.

If you plan to use Mutual TLS, you must make two changes to the PingFederate configuration:

  1. Enable the use of the secondary HTTPS port in PingFederate by editing the <pf_install>/pingfederate/bin/run.properties file and setting the pf.secondary.https.port value to a port value. For more information, see the PingFederate documentation.
  2. Modify the openid-configuration.template.json file to add the mtls_endpoint_aliases object, with content defined by RFC-8705. For more information about this file, see the PingFederate documentation.

To validate the bearer access token, a valid OAuth client must exist within the PingFederate OAuth authorization server.

Note:

This configuration is optional and necessary only if you plan to validate PingFederate OAuth access tokens.

  1. Click Settings and then go to System > Token Provider > PingFederate > OAuth Resource Server.
  2. Enter the OAuth Client ID you defined when creating the PingAccess OAuth client in PingFederate.
    Info:

    Confirm that you selected Access Token Validation as the allowed grant type when configuring the OAuth client in PingFederate.

  3. Select a Client Credentials Type.
    • Secret – Enter the Client Secret assigned when you created the PingAccess OAuth client in PingFederate.
    • Mutual TLS – Select a configured Key Pair to use for Mutual TLS client authentication.
    • Private Key JWT – Select this option to use Private Key JSON web token (JWT). No additional information is required.
  4. In the Cache Tokens section of the OAuth Resource Server tab, select Yes to retain token details for subsequent requests.

    Otherwise, select No.

    Selecting Yes reduces communication between PingAccess and PingFederate.

  5. If Cache Tokens is enabled, specify the Token Time To Live by entering the number of seconds to cache the access token. The default value of -1 caches the token as long as the token is valid.
  6. In the Subject Attribute Name field, enter the attribute you want to use from the OAuth access token as the subject for auditing purposes, such as username.

    At runtime, the attribute’s value is used as the Subject field in audit log entries for API Resources with policies that validate access tokens. The attribute must align with an attribute in the OAuth access token attribute contract defined within PingFederate.

  7. If multiple access token managers are configured in PingFederate, select the Send Audience option to send the URI the user requested as the aud OAuth parameter to select an access token manager.
    Note:

    This option requires the access token management instances to be configured with appropriate Resource URIs. Resource URI matching is performed on a most-specific match basis.

  8. Optional: To disable the use of OAuth 2.0 token introspection, clear the Use Token Introspection Endpoint option.
  9. To save your changes, click Save.
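The following is an added example, not PingAccess or PingFederate code, that models how a resource server applies the settings above: choosing the introspection endpoint from the authorization server's discovery document (using the RFC 8705 mtls_endpoint_aliases object when the client credentials type is Mutual TLS), validating a bearer token by introspection (RFC 7662 response shape), caching the result for the configured Token Time To Live (with -1 meaning until the token's exp), sending the requested URI as the aud parameter when Send Audience is on, and taking the Subject Attribute Name value for the audit subject. The discovery document, hostnames, paths, token strings and the fake_introspect stand-in are all constructed for the example; the PingFederate endpoint paths are placeholders, not confirmed values.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed discovery document; hosts, ports and paths are placeholders.
DISCOVERY_DOC = {
    "issuer": "https://pingfederate.example.invalid",
    "introspection_endpoint": "https://pingfederate.example.invalid:9031/as/introspect",
    "mtls_endpoint_aliases": {
        # RFC 8705 section 5: the mTLS-only aliases live under this object.
        "introspection_endpoint": "https://pingfederate.example.invalid:9032/as/introspect",
    },
}


def select_introspection_endpoint(doc: dict, credentials_type: str) -> str:
    """Mutual TLS clients use the mtls_endpoint_aliases entry when present (RFC 8705)."""
    if credentials_type == "Mutual TLS":
        alias = doc.get("mtls_endpoint_aliases", {}).get("introspection_endpoint")
        if alias:
            return alias
    return doc["introspection_endpoint"]


@dataclass
class ResourceServerConfig:
    cache_tokens: bool = True
    token_ttl: int = -1            # seconds; -1 = cache as long as the token is valid
    subject_attribute_name: str = "username"
    send_audience: bool = False


@dataclass
class CacheEntry:
    response: dict
    expires_at: float


class ResourceServer:
    """Models the OAuth resource server role: introspect, cache, extract audit subject."""

    def __init__(self, config: ResourceServerConfig,
                 introspect: Callable[[str, Optional[str]], dict],
                 clock: Callable[[], float] = time.time):
        self.config = config
        self.introspect = introspect       # stand-in for the introspection endpoint call
        self.clock = clock
        self.cache: Dict[Tuple[str, Optional[str]], CacheEntry] = {}
        self.introspection_calls = 0

    def validate(self, token: str, requested_uri: str) -> Optional[str]:
        """Return the audit subject for an active token, or None if the token is rejected."""
        now = self.clock()
        aud = requested_uri if self.config.send_audience else None
        key = (token, aud)
        entry = self.cache.get(key)
        if entry is not None and now < entry.expires_at:
            return entry.response.get(self.config.subject_attribute_name)
        response = self.introspect(token, aud)
        self.introspection_calls += 1
        if not response.get("active"):
            self.cache.pop(key, None)
            return None
        if self.config.cache_tokens:
            exp = float(response.get("exp", now))
            # -1 caches until exp; otherwise the TTL applies but never outlives exp.
            expires_at = exp if self.config.token_ttl == -1 else min(exp, now + self.config.token_ttl)
            self.cache[key] = CacheEntry(response, expires_at)
        return response.get(self.config.subject_attribute_name)


FIXED_NOW = 1_700_000_000.0


def fake_introspect(token: str, aud: Optional[str] = None) -> dict:
    """Constructed stand-in for the authorization server's introspection response."""
    if token == "constructed-valid-token":
        resp = {"active": True, "username": "alice", "exp": FIXED_NOW + 300}
        if aud is not None:
            resp["aud"] = aud
        return resp
    return {"active": False}


def demo() -> dict:
    """Exercise a 60-second TTL cache and a -1 (until exp) cache with a fixed clock."""
    clock = [FIXED_NOW]
    uri = "https://api.example.invalid/orders"
    ttl_rs = ResourceServer(ResourceServerConfig(token_ttl=60, send_audience=True),
                            fake_introspect, clock=lambda: clock[0])
    first = ttl_rs.validate("constructed-valid-token", uri)    # introspects
    second = ttl_rs.validate("constructed-valid-token", uri)   # served from cache
    clock[0] += 61                                             # TTL elapsed
    third = ttl_rs.validate("constructed-valid-token", uri)    # introspects again
    bad = ttl_rs.validate("constructed-bogus-token", uri)      # rejected, never cached

    clock[0] = FIXED_NOW
    exp_rs = ResourceServer(ResourceServerConfig(token_ttl=-1), fake_introspect,
                            clock=lambda: clock[0])
    exp_rs.validate("constructed-valid-token", uri)
    clock[0] += 200                                            # still before exp
    exp_rs.validate("constructed-valid-token", uri)            # cache hit
    return {"subjects": (first, second, third, bad),
            "ttl_calls": ttl_rs.introspection_calls,
            "exp_calls": exp_rs.introspection_calls}


if __name__ == "__main__":
    print(demo())
```

The cache key includes the aud value only when Send Audience is enabled, which mirrors why that option matters with multiple access token managers: the same bearer token presented for different resource URIs may be validated by different managers, so a cached answer for one URI must not be reused for another.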