When an OAuth client presents an access token for validation, PingFederate acts as an OAuth authorization server and checks the expiration time and the other properties of the access token. If the validation fails, PingFederate returns an invalid_grant error to the client.
When PingFederate authentication sessions are enabled, you can optionally configure the access token validation process to evaluate the authentication sessions of the users, or resource owners, before returning the validation results to the clients. Depending on the features selected on the Session Validation tab, PingFederate might return an invalid_grant error if the associated authentication session has timed out, expired, is not found, or has been revoked.
You can also configure PingFederate to extend the authentication sessions upon successful validations.
When any session validation features are enabled, the associated session identifier (pi.sri) becomes available through the access tokens. For reference-style access tokens, PingFederate returns the associated session identifier in the response if the access token is valid. For JSON Web Token (JWT)-based access tokens, the session identifier is part of the access token. Through the session identifier, an OAuth client can contact the Session Management API and Session Revocation API endpoints to query the status of an authentication session, or to extend or revoke an authentication session.
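The following is an added illustration of how an OAuth client could consume the session identifier described above; it is not PingFederate code and not from this page. It assumes an HS256-signed JWT access token (PingFederate's signing algorithm and key are configured per ATM instance; the shared secret here is constructed for the example), a flat JSON validation response for reference-style tokens that carries `pi.sri` at the top level (an assumed layout), and a `make_jwt` helper that only exists to build test input. The client verifies the signature and expiry before trusting any claim, treats an `invalid_grant` response as "no usable session", and only then hands the `pi.sri` value on to the Session Management or Session Revocation API.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values: not a real PingFederate key or session identifier.
SHARED_SECRET = b"example-hs256-secret-not-for-production"
SESSION_ID_CLAIM = "pi.sri"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT. Test-input helper only (assumed), not PingFederate's issuer."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def session_id_from_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return pi.sri from a JWT-based access token, or None if the token is not trustworthy.

    Order matters: pin the algorithm, verify the signature, check exp, and only
    then read claims. A malformed or tampered token never yields a session id.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject "none" and algorithm substitution
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        now = time.time() if now is None else now
        if "exp" not in claims or float(claims["exp"]) <= now:
            return None  # expired token: the session id inside it must not be reused
    except (ValueError, TypeError):
        return None  # bad base64, bad JSON, wrong segment count, non-numeric exp
    return claims.get(SESSION_ID_CLAIM)


def session_id_from_validation_response(body: str) -> Optional[str]:
    """For reference-style tokens: read pi.sri from the authorization server's
    validation response. An invalid_grant error (token expired, session timed out,
    not found, or revoked) means there is no session to act on."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("error") == "invalid_grant":
        return None
    return data.get(SESSION_ID_CLAIM)


if __name__ == "__main__":
    now = time.time()
    token = make_jwt({"sub": "alice", "exp": now + 600, "pi.sri": "constructed-sri-1"},
                     SHARED_SECRET)
    print("JWT session id:", session_id_from_jwt(token, SHARED_SECRET))
    print("reference-token session id:",
          session_id_from_validation_response('{"pi.sri": "constructed-sri-2"}'))
    print("rejected:", session_id_from_validation_response('{"error": "invalid_grant"}'))
```

The two extraction paths mirror the distinction in the text: with JWT-based tokens the client already holds the session identifier and must do the verification itself, whereas with reference-style tokens the authorization server performs the validation and the client only has to recognise the `invalid_grant` outcome before touching the session APIs.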
The session validation features let you combine the status of access tokens and user authentication sessions. Because you can independently enable each feature per access token management (ATM) instance, you can customize unique API and web single sign-on (SSO) behaviors for your OAuth clients and users.