When receiving OAuth-protected API calls, PingAccess acts as an OAuth resource server, checking with the PingFederate OAuth authorization server on the validity of the bearer access token it receives from a client.
Prior to configuring an OAuth resource server, you must finish configuring the PingFederate administration.
If you plan to use Mutual TLS, you must make two changes to the PingFederate configuration:
- Enable the use of the secondary HTTPS port in PingFederate by editing the `<pf_install>/pingfederate/bin/run.properties` file and setting the `pf.secondary.https.port` value to a port value. For more information, see the PingFederate documentation.
- Modify the `openid-configuration.template.json` file to add the `mtls_endpoint_aliases` object, with content defined by RFC 8705. For more information about this file, see the PingFederate documentation.
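One way to check the result of these two changes is the following added example, which is not part of the PingFederate or PingAccess documentation. It lints the `mtls_endpoint_aliases` object of a rendered discovery document and resolves endpoints the way RFC 8705 section 5 describes. The host name, both port numbers, the function names, and the expectation that aliases point at the secondary HTTPS port are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a rendered discovery document (placeholder host and ports).
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://pf.example.com:9031",
  "token_endpoint": "https://pf.example.com:9031/as/token.oauth2",
  "introspection_endpoint": "https://pf.example.com:9031/as/introspect.oauth2",
  "revocation_endpoint": "https://pf.example.com:9031/as/revoke_token.oauth2",
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://pf.example.com:9032/as/token.oauth2",
    "introspection_endpoint": "https://pf.example.com:9032/as/introspect.oauth2"
  }
}""")


def resolve_mtls_endpoint(metadata, name):
    """RFC 8705 section 5: an mTLS client uses the alias when present,
    otherwise the conventional top-level endpoint."""
    aliases = metadata.get("mtls_endpoint_aliases") or {}
    return aliases.get(name, metadata.get(name))


def check_mtls_aliases(metadata, secondary_port):
    """Return a list of problems found in mtls_endpoint_aliases (empty if none)."""
    aliases = metadata.get("mtls_endpoint_aliases")
    if not isinstance(aliases, dict) or not aliases:
        return ["mtls_endpoint_aliases is missing or not a non-empty object"]
    problems = []
    for name, url in aliases.items():
        if not isinstance(url, str):
            problems.append(f"{name}: value is not a string")
            continue
        parts = urlsplit(url)
        if name not in metadata:  # lint: alias names mirror top-level endpoint names
            problems.append(f"{name}: no top-level endpoint of that name")
        if parts.scheme != "https":
            problems.append(f"{name}: alias must use https")
        if parts.port != secondary_port:  # assumption: aliases target the secondary port
            problems.append(f"{name}: port {parts.port}, expected {secondary_port}")
    return problems


if __name__ == "__main__":
    print(resolve_mtls_endpoint(SAMPLE_METADATA, "token_endpoint"))
    print(check_mtls_aliases(SAMPLE_METADATA, 9032))
```

An endpoint without an alias, such as `revocation_endpoint` in the sample, resolves to its top-level value, so a client doing Mutual TLS reaches it on the primary port.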
To validate the bearer access token, a valid OAuth client must exist within the PingFederate OAuth authorization server.
This configuration is optional and necessary only if you plan to validate PingFederate OAuth access tokens.
To configure an OAuth resource server: