On Security > Certificate & Key Management > OAuth & OpenID Connect Keys, you can specify whether PingFederate should use static or dynamically rotating keys for OAuth and OpenID Connect.

You can configure PingFederate to duplicate active and previous RSA keys. You can also add a custom key identifier (kid) for each of the RSA SHA signing algorithms. This lets PingFederate publish the alg parameter in the JSON Web Key Set (JWKS) for each key, based on the signing algorithm that key is used with.

Supported algorithms are:

  • RS256
  • RS384
  • RS512
  • PS256
  • PS384
  • PS512

When using dynamically rotating keys, the number of key sets held in memory is fixed at three for both signing and encryption keys; this number is not configurable. The three sets are pending, active, and retired. At each rotation cycle, a new set of pending keys is generated: the previous pending set becomes the active set, the active set becomes the retired set, and the old retired set is discarded. All three sets are published for signing keys, so that tokens signed with the previous (retired) set can still be verified after a rotation. For encryption keys, only the active set is published. The rotation period and RSA key size are configurable in the file <pf_install>/pingfederate/server/default/data/config-store/jwks-endpoint-configuration.xml.
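The following Python model of the rotation scheme is an added illustration, not PingFederate code. It keeps the three sets (pending, active, retired), publishes all three for signing keys but only the active set for encryption keys, gives each signing JWK its own alg, and shows the relying-party side of selecting a key by kid. The kid naming scheme, the placeholder moduli and the single encryption key per set are assumptions made for the example; a real server publishes actual RSA public keys.

```python
import json

# Signing algorithms the page lists. A signing key set carries one RSA key per
# algorithm so each published JWK has its own "alg" and (optionally custom) "kid".
SIGNING_ALGS = ("RS256", "RS384", "RS512", "PS256", "PS384", "PS512")
SET_NAMES = ("pending", "active", "retired")


def make_jwk(use, generation, alg=None):
    """Constructed placeholder JWK; a real server publishes its RSA modulus in "n"."""
    jwk = {
        "kty": "RSA",
        "use": use,
        "kid": f"{(alg or 'rsa').lower()}-{use}-g{generation}",  # assumed kid scheme
        "n": f"placeholder-modulus-g{generation}",               # not a real key
        "e": "AQAB",
    }
    if alg:
        jwk["alg"] = alg
    return jwk


class RotatingKeys:
    """Three sets in memory (pending, active, retired); the count is fixed."""

    def __init__(self, use):
        self.use = use            # "sig" or "enc"
        self.generation = 0
        self.sets = {}
        # Bootstrap oldest to newest so the steady-state ordering holds.
        for name in ("retired", "active", "pending"):
            self.sets[name] = self._new_set()

    def _new_set(self):
        self.generation += 1
        if self.use == "sig":
            return [make_jwk("sig", self.generation, alg) for alg in SIGNING_ALGS]
        # Simplification: one encryption key per set (the page lists no enc algs).
        return [make_jwk("enc", self.generation)]

    def rotate(self):
        """One cycle: pending -> active, active -> retired, old retired dropped."""
        self.sets["retired"] = self.sets["active"]
        self.sets["active"] = self.sets["pending"]
        self.sets["pending"] = self._new_set()

    def jwks(self):
        """Published JWKS: all three sets for signing, only the active set for encryption."""
        if self.use == "sig":
            keys = [k for name in SET_NAMES for k in self.sets[name]]
        else:
            keys = list(self.sets["active"])
        return {"keys": keys}


def resolve_signing_key(jwks, header):
    """RP side: find the JWK named by a JWT header's kid and check it is usable.

    Returns (jwk, status) with status one of "ok", "unknown-kid", "wrong-use",
    "alg-mismatch". An unknown kid is the normal signal to re-fetch the JWKS once;
    a kid still absent after that belongs to a dropped set, and the token must be
    rejected rather than verified with a guessed key.
    """
    for key in jwks["keys"]:
        if key.get("kid") != header.get("kid"):
            continue
        if key.get("use") != "sig":
            return None, "wrong-use"
        if key.get("alg") and key["alg"] != header.get("alg"):
            return None, "alg-mismatch"
        return key, "ok"
    return None, "unknown-kid"


if __name__ == "__main__":
    sig = RotatingKeys("sig")
    enc = RotatingKeys("enc")
    print("signing JWKS publishes", len(sig.jwks()["keys"]), "keys;",
          "encryption JWKS publishes", len(enc.jwks()["keys"]))
    print("example published JWK:", json.dumps(sig.jwks()["keys"][0]))
    # A token signed with the current active RS256 key survives one rotation
    # (the key moves to "retired") but not two (the key is dropped).
    header = {"alg": "RS256", "kid": sig.sets["active"][0]["kid"]}
    for cycle in range(3):
        key, status = resolve_signing_key(sig.jwks(), header)
        print(f"after {cycle} rotation(s): {header['kid']} -> {status}")
        sig.rotate()
```

The status codes matter on the RP side: "alg-mismatch" is the check that stops a token header from pointing an RS256 key at a different algorithm, "wrong-use" stops an encryption key from being accepted as a signing key, and "unknown-kid" after a JWKS refresh means the signing key has already rotated out, so the token should be rejected rather than retried.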

The keys are used in the following manner:

  PingFederate role           Key usages
  -------------------------   -----------------------------------------------------------
  Authorization Server (AS)   Sign self-contained access tokens for relying parties (RPs).
  OpenID Provider (OP)        Sign ID tokens for RPs.
  Relying Party (RP)          Sign JSON Web Tokens (JWTs) for client authentication, sign
                              OpenID Connect request objects, decrypt ID tokens, or any
                              combination of these.