PingFederate provides two cleanup tasks for persistent grants. One task manages expired grants, while another task caps the number of grants based on a combination of user, client, grant type, and authentication context.
Persistent authorizations include those obtained by OAuth clients in the following ways:
- Grants obtained or updated using the authorization code, resource owner credentials, or device authorization grant type, in conjunction with the refresh token grant type.

  Note: If the use cases involve mapping attributes from authentication sources (such as IdP adapter instances or IdP connections) or password credential validator (PCV) instances to the access tokens, directly or through persistent grant extended attributes, these attributes and their values are stored along with the persistent grants, which keeps them available for reuse when clients subsequently present refresh tokens to obtain new access tokens.
- Grants obtained or updated using the implicit grant type, for which PingFederate is configured to reuse existing persistent grants.

  Note: If the use cases involve mapping attributes from authentication sources or PCV instances to the access tokens, runtime procedures obtain the attribute values for each token request; the persistent grants are not stored with the attributes or their values.
Persistent grants, and any associated attributes and their values, remain valid until the grants expire or until PingFederate explicitly revokes them or cleans them up. PingFederate's persistent grant cleanup routine manages expired grants based on the Persistent Grant Max Lifetime policy setting.
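The following is an added illustrative model of the two cleanup tasks described above; it is not PingFederate's own code or API. The class and function names, the sample grants, the 30-day lifetime standing in for the Persistent Grant Max Lifetime setting, and the cap of two grants per key are all assumptions made for this example. It shows why the cap is keyed on the combination of user, client, grant type and authentication context: a grant for the same user and client under a different authentication context is counted separately.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Simplified model of the two cleanup tasks described above. The class and
# function names are assumptions made for this example; they are not
# PingFederate's own code or API.

@dataclass
class PersistentGrant:
    grant_id: str
    user: str
    client_id: str
    grant_type: str        # e.g. "authorization_code", "device_code", "implicit"
    authn_context: str     # authentication context the grant was issued under
    issued_at: datetime
    expires_at: datetime   # issued_at + Persistent Grant Max Lifetime
    # Attributes from the authentication source that were stored with the grant
    # (empty for implicit grants, which do not persist attributes).
    attributes: dict = field(default_factory=dict)


def cleanup_expired(grants, now):
    """Task 1: drop every grant whose max lifetime has elapsed."""
    return [g for g in grants if g.expires_at > now]


def cap_grants(grants, max_per_key):
    """Task 2: keep at most max_per_key grants for each combination of user,
    client, grant type and authentication context, preferring the newest."""
    buckets = {}
    for g in grants:
        key = (g.user, g.client_id, g.grant_type, g.authn_context)
        buckets.setdefault(key, []).append(g)
    kept = []
    for bucket in buckets.values():
        bucket.sort(key=lambda g: g.issued_at, reverse=True)
        kept.extend(bucket[:max_per_key])
    return sorted(kept, key=lambda g: g.grant_id)


def run_cleanup(grants, now, max_per_key):
    """Apply both tasks in order and return the surviving grant IDs."""
    return [g.grant_id for g in cap_grants(cleanup_expired(grants, now), max_per_key)]


# Constructed sample data (not taken from any real deployment).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=30)   # stands in for the policy setting
NOW = T0 + timedelta(days=32)       # point in time at which cleanup runs
MAX_PER_KEY = 2                     # assumed cap per user/client/type/context


def _grant(gid, user, client, gtype, ctx, day, attrs=None):
    issued = T0 + timedelta(days=day)
    return PersistentGrant(gid, user, client, gtype, ctx, issued,
                           issued + MAX_LIFETIME, attrs or {})


def sample_grants():
    ac = "authorization_code"
    return [
        # Four grants for the same user/client/grant type/context; g1 has expired.
        _grant("g1", "alice", "web-app", ac, "pwd", 0, {"dept": "eng"}),
        _grant("g2", "alice", "web-app", ac, "pwd", 8, {"dept": "eng"}),
        _grant("g3", "alice", "web-app", ac, "pwd", 10, {"dept": "eng"}),
        _grant("g4", "alice", "web-app", ac, "pwd", 20, {"dept": "eng"}),
        # Same user and client, different authentication context: separate cap.
        _grant("g5", "alice", "web-app", ac, "mfa", 20, {"dept": "eng"}),
        # Device authorization grant for another client.
        _grant("g6", "alice", "mobile-app", "device_code", "pwd", 25),
        # Implicit grant: no attributes stored with the grant.
        _grant("g7", "bob", "web-app", "implicit", "pwd", 6),
    ]


if __name__ == "__main__":
    print(run_cleanup(sample_grants(), NOW, MAX_PER_KEY))
```

Running the block prints the surviving IDs: g1 is removed by the expiry task, the cap then keeps only the two newest of g2, g3 and g4, and g5 survives because its authentication context puts it in a different bucket.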