With this validator type, the PingFederate authorization server itself determines whether an access token is valid: PingDataGovernance Server presents the token to PingFederate and acts on the answer.

Note:

If you are using PingFederate 10.0 or earlier, ensure that PingFederate is configured to respond to OAuth and OpenID Connect (OIDC) requests by selecting the Enable OAuth 2.0 Authorization Server (AS) role and OpenID Connect check boxes as explained in Enabling the OAuth AS role. Starting with PingFederate 10.1, these items are always enabled.

Because every validation requires an outgoing HTTP request to the authorization server, the PingFederate access token validator may be slower than the other access token validator types. In exchange, the validation result is guaranteed to be current, which is an important consideration if the authorization server permits the revocation of access tokens: a revoked token is rejected on the next validation rather than being accepted until it expires.

Before attempting to use a PingFederate access token validator, create a client that represents the access token validator in the PingFederate configuration. This client must use the Access Token Validation grant type.

Example configuration

In PingFederate, create a client with the following properties:

  • Client ID: PingDataGovernance
  • Client authentication: Client Secret
  • Allowed grant types: Access Token Validation

Take note of the client secret that is generated for the client, and use PingDataGovernance Server's dsconfig command to create an access token validator, as shown.

# Change the host name and port below, as needed
dsconfig create-external-server \
  --server-name "PingFederate External Server" \
  --type http \
  --set base-url:https://example.com:9031
# Create the Access Token Validator
dsconfig create-access-token-validator \
  --validator-name "PingFederate Access Token Validator" \
  --type ping-federate \
  --set enabled:true \
  --set "authorization-server:PingFederate External Server" \
  --set client-id:PingDataGovernance \
  --set "client-secret:<client secret>" \
  --set evaluation-order-index:2000
# Match the token's subject (sub) claim to the uid attribute
# of a SCIM resource
dsconfig create-token-resource-lookup-method \
  --validator-name "PingFederate Access Token Validator" \
  --method-name "User by uid" \
  --type scim \
  --set scim-resource-type:Users \
  --set 'match-filter:uid eq "%sub%"' \
  --set evaluation-order-index:1000

Replace <client secret> with the client secret value generated for the PingFederate client. Treat this value as a credential: anyone who holds it can present tokens to the authorization server for validation under that client.
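The following Python is an added example, not code from this page, from PingDataGovernance Server, or from PingFederate. It models the exchange the validator configured above performs: one authenticated HTTP round trip per validation, an inactive result when the authorization server reports the token as revoked or unknown, and expansion of the page's match-filter template with the token's sub claim. The token endpoint path (/as/token.oauth2), the grant type URN, and the response shape are assumptions drawn from PingFederate's token endpoint behavior rather than from this page; the stand-in server, the issued tokens, and the client secret are constructed so the example runs offline.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Values mirroring the page's example configuration. The secret is a placeholder
# constructed for this example, not a real PingFederate client secret.
PF_BASE_URL = "https://example.com:9031"
CLIENT_ID = "PingDataGovernance"
CLIENT_SECRET = "example-client-secret"
# Assumed PingFederate details (from the product's token endpoint, not from this page).
TOKEN_ENDPOINT = PF_BASE_URL + "/as/token.oauth2"
VALIDATE_GRANT = "urn:pingidentity.com:oauth2:grant_type:validate_bearer"

# A transport is (url, headers, form_body) -> (http_status, parsed_json_body).
Transport = Callable[[str, Dict[str, str], str], Tuple[int, dict]]


@dataclass
class ValidationResult:
    active: bool
    subject: Optional[str] = None
    expires_in: Optional[int] = None
    error: Optional[str] = None


def build_validation_request(token: str) -> Tuple[str, Dict[str, str], str]:
    """Request the validator sends: HTTP Basic client authentication plus a form body."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": VALIDATE_GRANT, "token": token})
    return TOKEN_ENDPOINT, headers, body


def validate_token(token: str, transport: Transport) -> ValidationResult:
    """One outgoing round trip per validation; the answer reflects the AS's current state."""
    url, headers, body = build_validation_request(token)
    status, payload = transport(url, headers, body)
    if status != 200:
        # Revoked, expired or unknown tokens come back as an OAuth error: treat as inactive.
        return ValidationResult(active=False, error=payload.get("error", f"http_{status}"))
    claims = payload.get("access_token", {})
    return ValidationResult(active=True, subject=claims.get("sub"),
                            expires_in=payload.get("expires_in"))


def scim_lookup_filter(result: ValidationResult,
                       template: str = 'uid eq "%sub%"') -> Optional[str]:
    """Expand the page's match-filter template with the token's sub claim.
    This example refuses a subject containing a double quote or backslash rather
    than splicing it into the filter, since it would change the filter's structure."""
    if not result.active or not result.subject:
        return None
    if '"' in result.subject or "\\" in result.subject:
        raise ValueError("subject contains SCIM filter metacharacters")
    return template.replace("%sub%", result.subject)


# --- Constructed stand-in for PingFederate so the example runs offline ----------
_ISSUED: Dict[str, dict] = {"tok-alice": {"sub": "alice", "client_id": "my-app"}}
_REVOKED: set = set()


def revoke(token: str) -> None:
    """Simulate an administrator revoking a token at the authorization server."""
    _REVOKED.add(token)


def fake_pingfederate(url: str, headers: Dict[str, str], body: str) -> Tuple[int, dict]:
    expected = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    if url != TOKEN_ENDPOINT or headers.get("Authorization") != expected:
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != VALIDATE_GRANT:
        return 400, {"error": "unsupported_grant_type"}
    token = form.get("token", "")
    if token in _REVOKED or token not in _ISSUED:
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": _ISSUED[token],
                 "token_type": "urn:pingidentity.com:oauth2:validated_token",
                 "expires_in": 3600}


if __name__ == "__main__":
    print(validate_token("tok-alice", fake_pingfederate))
    print(scim_lookup_filter(validate_token("tok-alice", fake_pingfederate)))
    revoke("tok-alice")
    print(validate_token("tok-alice", fake_pingfederate))  # now inactive: invalid_grant
```

The second validation after revoke() is the property the page describes: because nothing is cached on the validator side, the authorization server's current answer is what the policy engine sees. The transport is injected so the same validate_token() can be pointed at a real HTTPS client when the stand-in is replaced.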