When an OAuth client presents an access token for validation, PingFederate acts as an OAuth authorization server and checks the expiration and the other aspects of the access token. If the validation fails, PingFederate returns an invalid_grant error to the client.
When PingFederate authentication sessions are enabled, you can optionally configure the access token validation process to evaluate the authentication sessions of the users, or resource owners, before returning the validation results to the clients. Depending on the features selected on the Session Validation tab, PingFederate might return an invalid_grant error if the associated authentication session has timed out, expired, is not found, or has been revoked. You can also configure PingFederate to extend the authentication sessions upon successful validations.
When any session validation features are enabled, the associated session identifier (pi.sri) becomes available through the access tokens. For reference-style access tokens, PingFederate returns the associated session identifier in the response if the access token is valid. For JSON web token (JWT)-based access tokens, the session identifier is part of the access token. Through the session identifier, an OAuth client can contact the Session Management API and Session Revocation API endpoints to query the status of an authentication session, or to extend or revoke an authentication session.
The session validation features let you combine the status of access tokens and user authentication sessions. Because you can independently enable each feature per access token management (ATM) instance, you can customize unique API and web single sign-on (SSO) behaviors for your OAuth clients and users. The session validation features are most suitable for clients using the implicit grant type, which does not use refresh tokens. Clients using the authorization code grant type can still use session validation. However, they can only refresh their access tokens through ATM instances that have the session validation features disabled, other than the Include session identifier in access token feature.
When a client using the authorization code grant type has an access token and sends a refresh token to an ATM instance, the following rules apply:
- If the ATM instance has Include session identifier in access token enabled and the other session validation features disabled, then the ATM instance can issue a new access token. If the original access token contains a session identifier, the new token will contain the same session identifier.
- If the ATM instance has any session validation feature enabled other than the Include session identifier in access token feature, then PingFederate returns an unsupported_grant_type error.
- If the ATM instance has Include session identifier in access token disabled and the other session validation features disabled, then the ATM instance can issue a new access token, but with no session identifier.
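The following is an added example, not code from the PingFederate documentation or from Ping Identity. It shows, from the OAuth client's side, how the session identifier is obtained for both token styles described above (read from the payload of a JWT-based access token, or from the validation response for a reference-style token), and it encodes the three refresh-token rules listed above as a decision function so that a client can predict whether a refresh will succeed against a given ATM instance. The sample JWT and the validation responses are constructed inline; the claim/field name `pi.sri` in both places, the shape of the JSON validation response, and the `AtmConfig` helper type are assumptions for illustration. The JWT decoder deliberately reads the payload without verifying the signature, which is acceptable for a client inspecting its own token but never for a resource server deciding whether to trust it.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _make_constructed_jwt(payload: dict) -> str:
    """Build a sample compact JWS with a placeholder signature (constructed, unsigned)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


# Constructed sample data; not real PingFederate output.
SAMPLE_SESSION_ID = "constructed-sri-0001"
SAMPLE_JWT = _make_constructed_jwt(
    {"sub": "alice", "client_id": "app1", "exp": 1700000000, "pi.sri": SAMPLE_SESSION_ID}
)
SAMPLE_JWT_NO_SESSION = _make_constructed_jwt({"sub": "alice", "exp": 1700000000})
# Assumed shape of a validation response for a reference-style token.
SAMPLE_VALID_RESPONSE = json.dumps({"access_token": {"sub": "alice"}, "pi.sri": SAMPLE_SESSION_ID})
SAMPLE_ERROR_RESPONSE = json.dumps({"error": "invalid_grant"})


def session_id_from_jwt(token: str) -> Optional[str]:
    """Read the pi.sri claim from a JWT-based access token.

    Only the payload is decoded; the signature is NOT verified. A client may
    use this to look up its own session; a resource server must verify first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return payload.get("pi.sri")


def session_id_from_validation_response(response_json: str) -> Optional[str]:
    """For reference-style tokens the session identifier comes back in the
    validation response only when the token is valid; an error body yields None."""
    body = json.loads(response_json)
    if "error" in body:
        return None
    return body.get("pi.sri")


@dataclass(frozen=True)
class AtmConfig:
    """Assumed model of an ATM instance's session validation settings."""
    include_session_id: bool          # "Include session identifier in access token"
    other_session_validation: bool    # any other session validation feature enabled


def refresh_outcome(atm: AtmConfig, original_session_id: Optional[str]) -> Tuple[str, Optional[str]]:
    """Apply the three refresh-token rules from the text.

    Returns ("access_token", session_id_of_new_token) on success or
    ("error", "unsupported_grant_type") when the ATM instance rejects refreshes.
    """
    if atm.other_session_validation:
        # Rule 2: any feature beyond "include session identifier" blocks refresh.
        return ("error", "unsupported_grant_type")
    if atm.include_session_id:
        # Rule 1: new token carries the same session identifier, if there was one.
        return ("access_token", original_session_id)
    # Rule 3: refresh works, but the new token carries no session identifier.
    return ("access_token", None)


if __name__ == "__main__":
    sid = session_id_from_jwt(SAMPLE_JWT)
    print("session id from JWT:", sid)
    print("session id from validation response:", session_id_from_validation_response(SAMPLE_VALID_RESPONSE))
    for cfg in (AtmConfig(True, False), AtmConfig(True, True), AtmConfig(False, False)):
        print(cfg, "->", refresh_outcome(cfg, sid))
```

A client that knows the ATM instance it will refresh against can call `refresh_outcome` before sending the refresh token and, on the `unsupported_grant_type` case, fall back to a fresh authorization request instead of retrying; the session identifier it extracted is what it would pass to the Session Management or Session Revocation API endpoints mentioned above.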