Configure static keys to sign tokens in the private key JSON Web Token (JWT) OpenID Connect (OIDC) code flow, instead of using dynamically rotating keys.
- In your token provider configuration, make sure that you've set up an OAuth client.
  If you haven't set up an OAuth client and are using PingFederate as the token provider, see Managing OAuth clients.
- In PingAccess, make sure that you've generated or imported a key pair and then assigned it to a virtual host or HTTPS listener.
Static and dynamically rotating keys are used to sign self-contained access tokens, ID tokens, and JWTs for client authentication and OIDC request objects.
You must make changes in both PingAccess and the token provider to modify your signing key configuration. Make these changes as soon as possible to reduce potential disruptions.
- Dynamically rotating keys (default): PingAccess generates and rotates keys automatically for OAuth and OpenID Connect.
  Note: PingAccess uses the Signing Algorithm configured on the OAuth Key Management page for dynamic key rotation unless you have configured the signing algorithm on your web session. A signing algorithm configured on a web session takes priority over one configured on the OAuth Key Management page.
- Static keys: Manually configure and rotate keys for OAuth and OpenID Connect to gain more control over key rotation.
To configure static signing keys:
Configure the Signing Algorithm on the associated web session. For more information, see step 8 of Creating web sessions.
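Because static keys must agree on both PingAccess and the token provider, a quick drift check after the change is useful. The following is an added example, not PingAccess or PingFederate code: it reads the header of a signed JWT and compares its `alg` and `kid` with the signing algorithm you configured and the static public keys registered at the token provider. The JWKS contents, `kid` values, and function names are assumptions made for illustration.

```python
import base64
import json

# Constructed sample: public static keys registered at the token provider.
# The kid values are placeholders, not values from any real deployment.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "static-rsa-1", "use": "sig"},
    {"kty": "EC", "kid": "static-ec-1", "use": "sig", "crv": "P-256"},
]}

# JWS algorithm prefix -> key type it requires (RFC 7518).
ALG_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC"}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_token(header):
    """Build a constructed compact JWS with a dummy signature segment."""
    return ".".join([b64url(json.dumps(header).encode()), b64url(b"{}"), b64url(b"sig")])


def read_header(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    raw = parts[0] + "=" * (-len(parts[0]) % 4)  # restore stripped padding
    header = json.loads(base64.urlsafe_b64decode(raw))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    return header


def check_static_key(token, jwks, expected_alg):
    """Return a list of mismatches; an empty list means the header agrees.

    Reads the unverified header only: a drift check, not signature validation.
    """
    try:
        header = read_header(token)
    except ValueError as exc:
        return [f"malformed token: {exc}"]
    alg, kid = header.get("alg"), header.get("kid")
    problems = []
    if alg != expected_alg:
        problems.append(f"alg {alg!r} differs from configured {expected_alg!r}")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None:
        problems.append(f"kid {kid!r} is not in the registered static key set")
    elif ALG_KTY.get(str(alg)[:2]) != key.get("kty"):
        problems.append(f"alg {alg!r} cannot be used with a {key.get('kty')} key")
    return problems
```

Run it against a token captured after the switch; a `kid` that is missing from the registered set usually means one side is still using a dynamically rotated key.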