Each access token validator possesses an evaluation order index, an integer that determines its processing priority. Lower values are processed before higher values.

The following image shows the validation process when using an access token validator with the SCIM token resource lookup method.

[Figure: PingDataGovernance access token validator processing diagram]
  1. If an incoming HTTP request contains an access token, the token is sent to the access token validator with the lowest evaluation order index.
  2. The access token validator validates the access token.

    Validation logic varies by access token validator type, but the validator generally verifies the following information:

    • A trusted source issued the token.
    • The token is not expired.

    If the token is valid, the validator sets the token's active flag to true and adds the flag, together with the other access token claims, to the HttpRequest.AccessToken attribute of the policy request.

  3. If the access token contains a subject, the access token validator sets the HttpRequest.AccessToken.user_token flag to true and uses a token resource lookup method to fetch the token owner through the System for Cross-domain Identity Management (SCIM).

    A token resource lookup defines a SCIM filter that locates the token owner. If the lookup succeeds, the resulting SCIM object is added to the policy request as the TokenOwner attribute.

    Note:

    For deployments that do not use SCIM, token owner attributes can be retrieved from other user store types by writing a token resource lookup method extension with the Server SDK. For more information, see Make a user's profile available in policies.

  4. If the access token validator is unable to validate the access token, it passes the token to the access token validator with the next lowest evaluation order index, and steps 2 and 3 are repeated with that validator.
  5. HTTP request processing continues, and the policy request is sent to the policy decision point (PDP).
  6. Policies inspect the HttpRequest.AccessToken and TokenOwner attributes to make access control decisions.

Access tokens issued using the OAuth 2 client credentials grant type are issued directly to a client application rather than on behalf of a user, so they do not contain a subject. An access token validator always sets the HttpRequest.AccessToken.user_token flag to false for such tokens, which are called application tokens, in contrast to tokens with subjects, which are called user tokens. Policies written for application tokens often grant a broad level of access, so any policy that grants such access should check the HttpRequest.AccessToken.user_token flag explicitly; otherwise the broad grant applies to every validated token, including user tokens it was never intended for.
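The following Python program is an added worked example that simulates the six-step validation flow above and the user_token check for application tokens. It is not PingDataGovernance code: the validator classes, the shared HMAC key, the introspection table, the in-memory SCIM user list and the policy function are all constructed for illustration. It chains two validator types in evaluation-order-index order (a JWT validator at index 0, an opaque-token validator at index 10), builds a policy request with HttpRequest.AccessToken and TokenOwner attributes, and shows a policy that refuses to extend user-level access to an application token.

```python
import base64
import hashlib
import hmac
import json
import time

# Everything below is constructed for this example; none of it is a PingDataGovernance API.
TRUSTED_ISSUER = "https://issuer.example.com"
HMAC_KEY = b"demo-shared-secret"   # constructed; a real validator checks the issuer's published keys

# Constructed SCIM-style user store searched by the token resource lookup.
SCIM_USERS = [{"id": "2819c223", "userName": "alice", "roles": ["employee"]}]

# Constructed introspection table for opaque (non-JWT) tokens.
OPAQUE_TOKENS = {
    "opaque-app-1": {"active": True, "iss": TRUSTED_ISSUER, "client_id": "batch-job",
                     "scope": "system:read", "exp": 2_000_000_000},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict) -> str:
    """Build an HS256 JWT so the chain has realistic input to validate."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(HMAC_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class JwtValidator:
    """Validator type 1: checks signature, trusted issuer and expiry of an HS256 JWT."""

    def __init__(self, evaluation_order_index: int):
        self.evaluation_order_index = evaluation_order_index

    def validate(self, token: str, now: float):
        parts = token.split(".")
        if len(parts) != 3:
            return None                    # not a JWT: let the next validator try
        header, body, sig = parts
        expected = hmac.new(HMAC_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        if claims.get("iss") != TRUSTED_ISSUER or claims.get("exp", 0) <= now:
            return None                    # untrusted issuer or expired
        return claims


class IntrospectionValidator:
    """Validator type 2: resolves an opaque token against the constructed introspection table."""

    def __init__(self, evaluation_order_index: int):
        self.evaluation_order_index = evaluation_order_index

    def validate(self, token: str, now: float):
        info = OPAQUE_TOKENS.get(token)
        if not info or not info["active"] or info["iss"] != TRUSTED_ISSUER or info["exp"] <= now:
            return None
        return {k: v for k, v in info.items() if k != "active"}


def scim_lookup(scim_filter: str):
    """Minimal token resource lookup: supports SCIM filters of the form  attr eq "value"."""
    attr, op, value = scim_filter.split(" ", 2)
    if op != "eq":
        raise ValueError("only 'eq' filters are supported in this example")
    value = value.strip('"')
    return next((u for u in SCIM_USERS if u.get(attr) == value), None)


def build_policy_request(token: str, validators, now=None) -> dict:
    """Steps 1-5: run the chain in evaluation-order-index order and build the policy request."""
    now = time.time() if now is None else now
    access_token = {"active": False}       # stays false if no validator accepts the token
    token_owner = None
    for v in sorted(validators, key=lambda v: v.evaluation_order_index):
        claims = v.validate(token, now)
        if claims is None:
            continue                       # step 4: hand the token to the next validator
        access_token = dict(claims, active=True, user_token="sub" in claims)
        if access_token["user_token"]:     # step 3: fetch the token owner through SCIM
            token_owner = scim_lookup(f'userName eq "{claims["sub"]}"')
        break
    return {"HttpRequest": {"AccessToken": access_token}, "TokenOwner": token_owner}


def policy_decision(request: dict) -> str:
    """Step 6: example policy that checks user_token before granting application-level access."""
    at = request["HttpRequest"]["AccessToken"]
    if not at["active"]:
        return "DENY"
    if not at["user_token"]:               # application token: broad access only via scope
        return "PERMIT" if "system:read" in at.get("scope", "") else "DENY"
    owner = request["TokenOwner"]          # user token: decide on the owner's SCIM attributes
    return "PERMIT" if owner and "employee" in owner["roles"] else "DENY"
```

Running `build_policy_request` with a user JWT yields `active` and `user_token` true plus a populated TokenOwner; the opaque application token yields `user_token` false and no TokenOwner; an expired JWT falls through both validators and is denied. The `scope` check in the application-token branch is the kind of explicit guard the paragraph above recommends, so a broad grant cannot silently apply to user tokens.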

Access token validators determine whether PingDataGovernance Server accepts an access token and uses it to provide key information for access-control decisions, but they are neither the sole, nor the primary, means of managing access. The responsibility for request authorization falls upon the PDP and its policies. This approach allows an organization to tailor access-control logic to its specific needs.