Persistent authorizations include those obtained by OAuth clients in the following ways:

  • Grants obtained or updated using the authorization code, resource owner credentials, or device authorization grant type, in conjunction with the refresh token grant type
    Note: If the use cases involve mapping attributes from authentication sources (such as IdP adapter instances or IdP connections) or password credential validator (PCV) instances to the access tokens, directly or through persistent grant-extended attributes, these attributes and their values are stored along with the persistent grants and so remain available for reuse when clients subsequently present refresh tokens for new access tokens.

  • Grants obtained or updated by using the implicit grant type, for which PingFederate is configured to reuse existing persistent grants
    Note: If the use cases involve mapping attributes from authentication sources or PCV instances to the access tokens, runtime procedures obtain attribute values for each token request, but the persistent grants do not store the attributes or their values.

Persistent grants and any associated attributes and their values remain valid until the grants expire or until PingFederate explicitly revokes or cleans them up. PingFederate's persistent grant cleanup routine manages expired grants based on the Persistent Grant Max Lifetime policy setting.

Note: PingFederate does not factor in the Persistent Grant Idle Timeout setting during grant cleanup. Ensure that the grant datastore has enough disk space to hold grants that have expired because they exceeded the Persistent Grant Idle Timeout setting.