On Security > Certificate & Key Management > OAuth & OpenID Connect Keys, you can specify whether PingFederate should use static or dynamically rotating keys for OAuth and OpenID Connect.


When using dynamically rotating keys, PingFederate holds three key sets in memory for signing keys and three for encryption keys: pending, active, and retired. This number is not configurable. At each rotation cycle a new pending set is generated; the previous pending set becomes the active set, the previous active set becomes the retired set, and the previous retired set is discarded. For signing keys, all three sets are published on the JWKS endpoint, so a relying party that caches the JWKS already holds the pending key before it becomes active and can still verify tokens that were signed with the now-retired key; verifiers should select the key by the token's kid rather than assume only one signing key is in use. For encryption keys, only the active key set is published, so peers always encrypt to the current key. The rotation period and RSA key size are configurable in the file <pf_install>/pingfederate/server/default/data/config-store/jwks-endpoint-configuration.xml.
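As an added illustration (not PingFederate's own code), the following Python models the pending/active/retired rotation and the JWKS publication rules described above and walks both a signing ring and an encryption ring through two rotations. Key pairs are stand-ins identified only by a kid (no real RSA material is generated); the bootstrap with a full three-slot ring, and the assumption that a retired encryption key can still decrypt until it is discarded, are my assumptions rather than statements from this page.

```python
"""Model of three-set key rotation (pending/active/retired) and JWKS publication."""
from dataclasses import dataclass
import secrets

SLOTS = ("pending", "active", "retired")


@dataclass(frozen=True)
class KeyRef:
    """Stand-in for an RSA key pair (assumption: only the key ID matters here)."""
    kid: str
    use: str  # "sig" for signing keys, "enc" for encryption keys


class RotatingKeys:
    """Three key sets kept in memory; the count is fixed, as in PingFederate."""

    def __init__(self, use: str) -> None:
        self.use = use
        # Assumption: start with a fully populated pending/active/retired ring.
        self.slots = {slot: KeyRef(secrets.token_hex(8), use) for slot in SLOTS}

    def rotate(self) -> None:
        """One rotation cycle: pending -> active -> retired -> discarded."""
        self.slots["retired"] = self.slots["active"]
        self.slots["active"] = self.slots["pending"]
        self.slots["pending"] = KeyRef(secrets.token_hex(8), self.use)

    def active_kid(self) -> str:
        return self.slots["active"].kid

    def pending_kid(self) -> str:
        return self.slots["pending"].kid

    def in_memory_kids(self) -> set:
        """Every kid still held in memory (usable for decryption, by assumption)."""
        return {k.kid for k in self.slots.values()}

    def jwks(self) -> dict:
        """Published JWKS: all three sets for signing keys, only the active set for encryption."""
        published = SLOTS if self.use == "sig" else ("active",)
        return {"keys": [{"kty": "RSA", "use": self.use, "kid": self.slots[s].kid}
                         for s in published]}

    def published_kids(self) -> set:
        return {k["kid"] for k in self.jwks()["keys"]}


def verifier_can_verify(jwks: dict, token_kid: str) -> bool:
    """A relying party holding this JWKS can verify a token signed under token_kid."""
    return any(k["kid"] == token_kid for k in jwks["keys"])


def simulate() -> dict:
    """Walk a signing and an encryption ring through two rotations; record what each side sees."""
    sig, enc = RotatingKeys("sig"), RotatingKeys("enc")
    out = {"sig_published": len(sig.jwks()["keys"]),
           "enc_published": len(enc.jwks()["keys"])}

    token_kid = sig.active_kid()      # AS/OP signs a token with the active signing key
    enc_kid = enc.active_kid()        # a peer encrypts to the only published encryption key
    prefetched = sig.pending_kid()    # a verifier caching the JWKS already holds the pending key
    cached_jwks = sig.jwks()          # JWKS as cached by a verifier at this point

    sig.rotate()
    enc.rotate()
    out["pending_became_active"] = sig.active_kid() == prefetched
    out["sig_verifiable_after_1"] = verifier_can_verify(sig.jwks(), token_kid)  # retired, still published
    out["enc_published_after_1"] = enc_kid in enc.published_kids()              # only active is published
    out["enc_decryptable_after_1"] = enc_kid in enc.in_memory_kids()            # retired key still held
    # A verifier still using the cached JWKS can verify tokens under the new active key without refetching.
    out["stale_cache_verifies_new_active"] = verifier_can_verify(cached_jwks, sig.active_kid())

    sig.rotate()
    enc.rotate()
    out["sig_verifiable_after_2"] = verifier_can_verify(sig.jwks(), token_kid)  # discarded
    out["enc_decryptable_after_2"] = enc_kid in enc.in_memory_kids()            # discarded
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The practical takeaway is the one-rotation grace period: anything signed with the old active key stays verifiable for exactly one cycle, and a verifier that refreshes its JWKS cache at least once per rotation period never sees an unknown kid.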

The keys are used in the following manner.

PingFederate role            Key usages
Authorization Server (AS)    Sign self-contained access tokens for relying parties (RPs).
OpenID Provider (OP)         Sign ID tokens for RPs.
Relying Party (RP)           Sign JSON Web Tokens (JWTs) used for client authentication, sign OpenID Connect request objects, decrypt ID tokens, or any combination of these.