Each access token validator has an evaluation order index, which is an integer that determines the processing priority when multiple access token validators are configured. Lower values are processed before higher values.


Access tokens issued using the OAuth 2 client credentials grant type are issued directly to a client and do not contain a subject. Such tokens cannot be accepted by PingDirectory server.

Processing steps

  1. If an incoming HTTP request contains an access token, the token is sent to the access token validator with the lowest evaluation order index.
  2. The access token validator validates the access token. Validation logic varies by access token validator type, but the validator generally verifies the following information:
    • A trusted source issued the token.
    • The token is not expired.
  3. If the access token contains a subject, the access token validator uses its identity mapper to find a matching LDAP entry.
  4. If the access token validator is unable to validate the access token, it passes the token to the access token validator with the next lowest evaluation order index, and the previous two steps are repeated.
  5. HTTP request processing continues, and the policy request is sent to the HTTP service, such as the Directory REST API, for further evaluation.
  6. Using either the access token claims parsed by the access token validator or the LDAP entry found by the identity mapper, the HTTP service determines whether the request should be accepted and which access control rules should be applied. This access control behavior varies by each HTTP service.