PingFederate uses a pre-installed HSQLDB database as its persistent grant datastore after the initial setup.

CAUTION:

Use the built-in HSQLDB only for trial or training environments. For testing and production environments, always use a secured external storage solution for proper functioning in a clustered environment.

Testing that involves HSQLDB is not valid testing. In both testing and production environments, HSQLDB's limitations can cause various problems, and cases involving HSQLDB are not supported by Ping Identity.

Authorization grants that OAuth clients obtain in the following ways are considered persistent.

  • Grants obtained or updated by using the Authorization Code, Resource Owner Credentials, or Device Authorization grant type, in conjunction with the Refresh Token grant type.

    If the use cases involve mapping attributes from authentication sources (IdP adapter instances or IdP connections) or Password Credential Validator (PCV) instances to the access tokens (directly or through persistent grant extended attributes), such attributes and their values are stored along with the persistent grants so that they can be reused when clients subsequently present refresh tokens for new access tokens.

  • Grants obtained or updated by using the Implicit grant type, for which PingFederate is configured to reuse existing persistent grants.

    If the use cases involve mapping attributes from authentication sources or PCV instances to the access tokens (directly or through persistent grant extended attributes), attribute values are obtained at runtime for each token request. No attributes or their values are stored with the persistent grants.

Persistent grants (and the associated attributes and their values, if any) remain valid until the grants expire or are explicitly revoked or cleaned up.

Note:

Attribute values are always stored encrypted when a directory is used. If a database server is used (including the internal HSQLDB database), attribute values are also stored encrypted by default.

Changing the default storage involves two tasks.

  1. Create the required data structure on the external storage medium.
  2. Modify two PingFederate configuration XML files.