Pingfederate jwt token. I'm doing a User Attribute Name into the JWT Claim Name.


Pingfederate jwt token Configure your OpenID Connect (OIDC) policy settings and the required and optional information for ID tokens. 0 refresh token protocol? May 14, 2020 · Will Travis (Ping Identity) 6 years ago Hello Kannan, The /pf/JWKS endpoint is used for the validation of ID tokens as described here, rather than Access Tokens. Jan 29, 2025 · We have already studied and played with token exchange in PingFederate. Clients can specify an ATM instance by providing the ATM ID (access_token_manager_id) or a resource URI (aud or resource) in their requests to the PingFederate OAuth AS. Note that token exchange was introduced in 10. . 1, PingFederate allows for revocation of JWT Access Tokens by leveraging the Session Revocation List. Access tokens that use the reference-token data model provide a reference to some set of attributes. This API does so by providing access to the current state of the flow as an end user steps through a PingFederate authentication policy. We're interested in storing PingFed JWT tokens that the user has requested/generated by authorising against, effectively giving themselves an access token that could be (for example) used in a long lived manner for REST endpoints. The OAuth 2. The request contains the token exchange grant type parameter, a subject token, and a subject token type parameter. The /pa/oidc/JWKS endpoint is used by the token provider’s JSON Web Token (JWT) token processor for signature verification. x to identify the issuing token manager, so that PingFederate will know which token manager to validate with. The endpoint does not require client authentication and includes configured Elliptic Curve (EC) and RSA-based keys. Aug 15, 2025 · When using encrypted JWTs, however, we encounter the issue that the PingFederate JWT Token Processor 1. This article describes how to integrate PingFederate 12. 
By allowing clients to revoke tokens when no longer needed, organizations can maintain tighter control over token lifecycles and prevent misuse. You can also control validation of access tokens to one or more resource servers. Oct 10, 2024 · JWT Token Management, Revocation, Storage for API long lived access tokens. I was using the "Access Token Management" to do so. Net Core (3. May 25, 2025 · Used jwt. 1 lab and tested retrieving a JWT access token. Reference tokens and JSON Web Token (JWT) tokens. PingFederate will generate the access token in one of two formats: a JWT or a Reference Token. You point to the OAuth access token manager (ATM) for the type of token that will be received and the validation of the token is handled by the ATM. If the client representing PingFederate supports the Basic Client profile, PingFederate always receives an access token from the OP to retrieve an ID token. Postman will receive and display the token. Spring Security auto-configures this from issuer-uri. 1 and 10. You could use either urn:ietf:params:oauth:grant-type:jwt-bearer or urn:ietf:params:oauth:grant-type:token-exchange with PingFederate. They are only applicable to clients using the private_key_jwt authentication method. JWT token decryption using ECDH-ES may fail. Otherwise, the OAuth AS returns a value of "active": false. 0 with RSA Cloud Authentication Service using My Page SSO (OIDC). PingFederate supports multiple access token management (ATM) instances. properties at start up. 0 Token Revocation Endpoint in PingFederate offers a powerful way to manage access tokens and refresh tokens in real time. Nov 17, 2019 · Yes, they are Ping specific. Dec 13, 2023 · 3 - Does JWT access token validator work properly when public key rotation is enabled on PingFederate? 4 - Which claims does the JWT access token validator consider when it validates an access token? I have some cases where PingDataGovernance does not authorize some access tokens but the tokens apparently are ok.
Before running, say, the client credentials grant flow, what would be the other steps? What should I do with the ATM or anything else? I do know how to get the access token and id token using the authorization code flow. I would recommend discussing your use case with your Ping Customer Success Architect, who will be able to recommend flows and configurations that can meet your use case's needs. An authorization request can include one or more scope values. JwtBearer When configuring a JWT Token Processor instance to validate incoming JWTs, the system relies on a JSON Web Key Set (JWKS) to verify the token’s signature. Incorrectly configured properties in oidc. 4 and up. Hi Stephen, Exactly, the key that is currently available before rotation will be minted in the token at the time of issuance. How does PingFederate get the public key or shared secret to validate the JWT token and extract information from the token? The Authorization Server Settings page provides control over the usage and behavior of PingFederate as an authorization server, including the policies and settings for various grant types, refresh tokens, persistent grants, and ID tokens. This endpoint must be used in conjunction with the configuration of a JWT token processor instance in the token provider. Aug 7, 2023 · Your IDP authenticates the user and provides PingFederate with a SAML Assertion. PingFederate processes the assertion and makes a DB lookup to construct the JWT token. For more information about the Access Token Manager, refer to Access Token Management. It is not possible to use an EC certificate as an SSL server certificate. Apr 19, 2020 · I was attempting to encrypt the plain text body of the access token. Users enter their credentials; these credentials are verified, and a unique encrypted token is generated that allows them to access online resources without providing their username and password to authenticate every request.
These parameters include OAuth-defined standard parameters and parameters proprietary to PingFederate. This URL is the same as what you set under Applications on PingAccess. An authentication workflow can include sign-on policies that specify local authentication actions (login), multi-factor authentication actions, and other external sign-on actions. 3 is not currently supported with Oracle JDK 11 and 17. properties can cause PingFederate to fail to start. You can configure different access token policies and attribute contracts for different OAuth clients. May 8, 2024 · By default, PingFederate issues an opaque token known as the Internally Managed Reference Token. The OAuth token exchange allows resource servers to exchange access tokens for other security tokens that are required to call additional APIs, much like what the microservices architecture requires. If the token meets those criteria, the OAuth AS returns a JSON key/value pair of "active": true, and additional information about the token. It implies that the JWT is not created by the client. Is there a way for an OAuth client to choose between these ATMs using the OAuth parameter An OAuth token exchange begins when an OAuth client sends a token exchange request to the PingFederate OAuth server. 0. A JWT Token that has been signed using the RSA256 algorithm is required to be sent in a custom X-JWT-TOKEN request header. When receiving OAuth-protected application programming interface (API) calls, PingAccess acts as an OAuth resource server, checking with the PingFederate OAuth authorization server on the validity of the bearer access token it receives from a client. If the attributes are part of the contract and they have been filled when the access token was created, they will appear in the introspection endpoint call. IdP sends a JWT token 2. Signed JWT access tokens (recommended for scale) Spring services validate tokens offline using jwks_uri from discovery.
Alternatively, you may send the JWT to PingFederate for validation. It also handles the scenario where authentication is not required. Private_JWT_Bob) equals the client_id of the OAuth client that is being authenticated. I am Token-based Authentication Token-based authentication is an authentication strategy designed to enhance network security. In the Access Token Manager menu, select the JWT access token manager you previously created. Some of the calls are individual; others may be to demonstrate a flow of transactions needed to perform a use case. Beginning with PingFederate version 11. May 9, 2023 · PingFederate produces two types of access tokens. The PingFederate authentication application programming interface (API) is a JSON-based API that enables end-user interactions, such as credential prompts, to be handled by an external web application. Click Create a new On the Client Configuration Defaults tab, specify the default settings that are proprietary to PingFederate for clients created with the OAuth 2. For impersonation use cases, the request also contains an actor token and actor token type parameter. 1. 1), that we can use to revoke an OAuth Access Token? Jul 27, 2023 · Hi Maximillen, The pi. However, when I chose a "JWE Content Encryption Algorithm" and specified the corresponding "Asymmetric Encryption Key", I tested with a submission from Postman and got back an encoded access token, but when I decoded the access token the plain text was unencrypted. TLS 1. Basically I need a customizable JWT access token to be obtained from PingFederate by code running inside a server. Registering a client is the first step. This issue only arises if PingFederate is configured with static OAuth and OpenID Connect keys, a static key is stored on the HSM, and PingFederate is consuming a token encrypted with this key. PingFederate has to consume the token and call an external service to get the cookie data.
The federation server creates a response containing a signed SAML assertion, or a JSON Web Token, and returns it to the SP through POST. Is there a possibility to accomplish token exchange with an incoming encrypted JWT? Nov 6, 2025 · Does PingFederate use the Issuance Criteria defined in the Access Token Mapping that is associated with an Access Token Manager to validate a token? I did a quick test; it doesn't look like PingFederate uses it to validate a token. Demonstrates using PingFederate as the JWT provider for an ASP. While this token type provides security, Neo4j requires access tokens in the JSON Web Token (JWT) format. Hi! The access token validation grant is used to validate an access token. This allows the target resource server to validate the access tokens locally or to send the access tokens to PingFederate for validation. In order to validate the Access Token, the application should make a call to the token endpoint /as/token. Sep 1, 2025 · By treating JWT not just as a token but as a core architectural element, organizations can ensure secure, scalable, and user-friendly authentication experiences. I am trying to hit the introspect endpoint as Authority with the token received from the client. The <pf_install>/pingfederate/bin/jwt. 3. This is a place to document calls to Ping APIs using Postman. May 1, 2020 · token-exchange is basically used for user impersonation and delegation purposes. This should be of the pattern: <virtual-host-on-pingaccess>:<application-port-for-pingaccess>. PingFederate begins to validate the properties defined in oidc. Claims are encoded JSON objects that include some information about a subject and are often used in Identity Security applications to transfer information about a user. Were you looking at the ID token PF sends or the session cookie JWT that PA creates? PingFederate supports various client metadata, as described in the following table. Procedure Sign in to RSA Cloud Administration Console.
Scope groups are not expanded in JSON web token (JWT)-based access tokens or token JWT Access Tokens are the outlier here. They are encoded for ease of transport, and you can encode them with this tool. From PingFederate's perspective, you can choose whether or not an nbf is present and what its value is through the ATM extended Aug 11, 2025 · Download the new artifact for the Zoom provisioner by going to Add-ons on the PingFederate downloads page Once the PingFederate instance has been running with the new Zoom provisioner installed, edit the existing connection. 0 specifications do not define a standard mechanism for access token validation. The Authentication API includes the flow orchestration Aug 10, 2022 · But this would need to be initiated by your client with PingFederate to do the swap first. e. 3. oauth2" to retrieve token using Client Credentials grant type. The following procedure describes how to use the Instance Configuration tab on the Create Token Processor Instance window to continue configuring a JWT token processor 2. 0 access token, how does this server validate the token? The OAuth 2. If the token coming in is JWT then you use the JWT token Aug 6, 2024 · Token Exchange with an encrypted JWT We want to use PingFederate (version 11. Apr 23, 2021 · The issuer would be the PingFederate base URL. The configuration is described under Configure reference-token management. The PingFederate PingID SDK IDP Adapter enables integration with the PingFederate Authentication API for end-user interactions, for step-up authentication and transaction approval. This sample code uses Microsoft. Configure The PingOne Auth APIs provide services to query the authorization server, run authentication workflows, and receive access tokens from the authorization server.
If the JWT contains an nbf, then the application's validation checks should ensure that the current time is after the time specified in the nbf in order for it to be considered usable. This section will demonstrate the manual method of validating an access token through code. Jan 29, 2020 · You may validate the JWT token locally using JWT libraries that are available on the platform on which your backend application is built. Switching between dynamically rotating and static keys in PingAccess doesn’t work the same way as it does in PingFederate. The integrated Kerberos Token Processor accepts and validates Kerberos tokens through a configured Kerberos realm. When PF is producing a token, the audience can be: Defined as a static value within the access token Private key JSON web token (JWT) In the following sample expressions, the former retrieves a claim value from the private key JWT with which a client authenticates and the latter retrieves the private key JWT itself. Is this possible? The client obtains a JSON web token (JWT) and uses it to request an access token from the AS. Configure RSA Cloud Authentication Service Perform these steps to configure RSA Cloud Authentication Service using My Page SSO (OIDC). oauth2 as described in the "Validating the token" section here. If the token is minted by PingFederate your application can call the introspection endpoint in PingFederate to validate the token. Net API. Aug 19, 2025 · If you're using OIDC, then PingFederate is 100% already giving back a JWT token with user's information (username, expiration of the token). Regards An OAuth assertion grant connection exchanges a SAML assertion or a JSON web token (JWT) for an OAuth access token with the PingFederate OAuth authorization server.
Click “Get Token”. After entering details, click “Get Token”. I would suggest reviewing your configuration to make sure If your target application requires the associated access token, select Context as the source and Access Token as the value. Typically this is a Resource Server who is in possession of an access token, communicating with PingFederate and asking it (a) if the token is valid, and (b) what attributes/claims are associated with the access token. Mar 5, 2024 · When refresh tokens are used, you have two lifetime related settings: Persistent grant max lifetime: this is the duration during which refreshing access tokens can occur; once this time is finished, a new access token cannot be obtained by refreshing. Persistent Grant Idle Timeout: if an access token hasn't been refreshed within this timeout period, then the ability to refresh it will no longer be PingFederate includes a REST-based web service for OAuth client management. If it is a reference token, then the API will need to use PingFederate's introspection endpoint to validate the token. Jun 10, 2022 · Hi Bob, one thing I would check is to ensure that the sub value within your JWT (i. Authentication. But I am not sure exactly what your use case is, which grant type is your application doing with PingFederate and how do you expect the client to authenticate with PingFederate? It sounds like you want to use Private Key JWT to authenticate the client and that is This endpoint provides a list of JSON Web Keys (JWKs) used to validate, sign, and encrypt JSON Web Tokens (JWT). 0 and jwt-bearer is available in 8. Configuration procedure The following two steps assume that your environment does not Jul 31, 2023 · When an application validates a JWT, there are a number of checks that it performs. In this case, the best practice is to issue short-lived ATs and make use of refresh tokens. 2) to conduct a token exchange JWT->JWT.
properties file contains settings that allow you to configure information required to interact with one or more authorization servers as a client. In a web application the access token is consumed by PingAccess for its own purposes and is only used to call the userinfo endpoint to refresh attributes or the cache depending on configuration. When a new JWT is issued after the key rotates, it will use the new key issued from Jun 25, 2024 · To make sure and share as much as possible, I'm trying to map this into a PingAccess JWT Bearer Token from PingFederate where the JSON value exists in both the ID Token as well as the userinfo endpoint when checking the userinfo for the Access Token. Jan 5, 2021 · I would like to validate the PingFederate access token at . On the Access Token Mappings page, in the Context menu, select your authentication policy contract. PingFederate’s native support of subject tokens and actor tokens opens new use cases around delegation and impersonation that enrich the end-user experience as resources flow through seamlessly Nov 15, 2024 · The OAuth Bearer token processor is for when you are exchanging a token issued by the PingFederate instance for another access token or some other type of token that it can generate. This claim is configurable with the OIDC policy if you check to send the session in the id token. PingFederate should create a token with the cookie data and send the response to the IdP. I then decoded the token and the result for the scope claim was the same. This effort could also be handled by an API gateway / service bus architecture or by the API validating a JWT formatted token internally. 2 Get a token This section will explain how to get an OAuth2 access token (and optionally a refresh token) from the PingFederate infrastructure. Thanks Aug 1, 2025 · 5.
With the client_secret_jwt authentication method, a client can choose to create a signed JWT when authenticating against PingFederate’s token endpoint, introspection endpoint, PAR endpoint, or CIBA endpoint instead of providing the client secret. (Home) B. It can either be provided the key or a JWKS endpoint provided by your application to get the signing key to verify the JWT. sri is the session identifier in PingFederate; it is used as part of the logout process. Feb 4, 2022 · Hi Sekhar, for this to be effective, your access tokens will need to be of type Internally Managed Reference Token. AspNetCore. Hello, We have a use case to see if we can use STS for this scenario. If applicable, Postman will redirect you to an authentication page. JWT is the standard token format for conveying the information to be used for the integrity check. This… PingFederate is an enterprise federation server that enables user authentication and single sign-on. The token issuer must cryptographically sign all access tokens that the JSON web token (JWT) access token validator handles. 1) api end. PingFederate clients can gain access to the administrative API endpoint by providing a JSON Web Token (JWT). For JSON web token (JWT) bearer access tokens, you can extend the attribute contract with the following attributes. This avoids a call to PF on every request and scales linearly with CPU. The token revocation endpoint allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. Feb 10, 2021 · If PingFederate is exposing an API and an access token is supplied in that API call, then if the token has an audience, PingFederate will expect to be listed within it.
Self-contained tokens use a protected, time-limited data structure that contains metadata and claims to communicate the identity of the user or client over the wire. Jan 23, 2025 · That depends on the attribute contract defined for your access token manager in PingFederate. Sep 6, 2012 · When a client asks a resource server to get a protected resource with an OAuth 2. About this task It supports May 7, 2025 · Does PingFederate validate if a user account (in Active Directory for example) is Active or not when a Refresh token is sent to PF to retrieve a new Access Token? May 15, 2020 · I would suggest that your application use the JWT that is being passed by PingAccess to do a token exchange with PingFederate to get its own access token. Going to the introspection endpoint I do get a string delimited with spaces as I discussed before. Perform the following steps to create a new instance: Go to Applications > Access Token Management. The JWT Token must contain a claim in the body as follows: "hv"= "<SHA-256 hash of JSON body encoded in UTF-8>". A popular format would be JSON Web Tokens (JWT). Typically used by a support person who exchanges his/her JWT bearer token to impersonate an end-user to request the end-user's resource to help in live-debugging of an issue, or exchanges another JWT bearer token for a given token for downstream systems. atm header was added in PingFederate 9. For more information on configuring a JWT in PingFederate, see Configuring JSON token management. PingFederate validates the ID token’s signature and that it’s within its validity window. You basically need to define: an access token manager using the JWT access token Define an authentication mapping for the proper grant type Map an access token to that authentication type Define the client (this would be your audience) that uses the access token you defined.
If the request is authorized, PingFederate issues an access token to the client. We get 2 tokens: one is the access token and the other is the id_token. Decode the OIDC Postman token by using a JSON web token debugger. So you would still need a custom token processor to handle your custom token. The client can also use the introspection endpoint to validate ID tokens issued to them. In both cases it was an array object. The process described in this section is specific to a PingFederate Use the Client page to control the usage and behavior of the applications requesting access to protected resources through the PingFederate OAuth authorization server (OAuth AS). 1. Also, how do I map the `nbf` claim to the correct value? Hello, We use the PingFederate OAuth in our app along with the PingOne MFA for token authentication with our gateway. ms to visualize the JWT token issued by Cognito. Use Terraform to create configuration-as-code packages for PingFederate configuration. And it's very likely that most implementations are currently ensuring that the Resource Server clients authenticate to the token endpoint by using a client secret, TLS cert or JWT. Sep 30, 2021 · tokenEndpoint - This is the PingFederate API endpoint to get the JWT token. The pi. Jan 25, 2025 · The OAuth 2. I cannot reproduce what you are seeing. Jul 26, 2017 · I have my PingFederate server Access Token Manager configured to use JWE, with AES256-CBC symmetric encryption.
When deployed as an OpenID Connect Relying Party (RP), PingFederate authenticates through client secret and private key JSON web tokens (JWT). As we know PingFederate adds the 'iss' claim detail in the payload but the application team wants it in the header. Sep 2, 2014 · Is there any endpoint on PingFederate (version 7. Not familiar with the other two and I assume they are tied to PingAccess managing the session. I would cache your previous tokens; PingFederate can retain prior tokens on the interval in your PingFederate settings for JWKS rotation I shared in the above link - the default is 5 tokens. Authenticate using your credentials. Inherently more secure than passwords, tokens This is what I hear about self-contained and reference tokens. From the Signing Algorithm list, select the specific algorithm for the incoming JWT, or to allow any supported signing algorithm to be used, select Allow Any. I think the best Before using a PingFederate access token validator, create a client that represents the access token validator in the PingFederate configuration. Aug 15, 2023 · We have an application that shares the embedded content as output after validating the Access token - JWT issued by PingFederate. Any documentation or whitepapers describing the authentication flow and associated steps in Ping Fed will be helpful. Perform the following steps to create a new instance: We use a new Access Token Manager instance of type JSON Web Tokens. Navigate to Applications > My Applications > Add an Application, and click Create May 14, 2024 · In this blog post, we will implement a Token-based Authentication system from scratch using Spring Boot 3 and Spring Security 6. 1 complains about the format of the incoming JWT. serviceUrl - This is the base URL for your API service.
For the validation to succeed, specific attributes in the JWK must match corresponding information in the JWT header. Make sure to clear previous configurations with regard to JWT in the existing connection. JSON Web Token (JWT) bearer access tokens are secure and self-contained tokens. Feb 3, 2021 · I set up a PingFederate 9. The following parameter indicates the grant type of the access token request. It can also contain more information if you like. Regards Jan 7, 2025 · In PingFederate under the covers, the implementation of WS-Trust and OAuth2 token exchange use the same basic functionality. As JWT Access Tokens are self-contained, historically they cannot be revoked (only the related Refresh Token can be revoked). Jun 3, 2022 · Retrieving custom form parameter value during Token Endpoint call in Data Store I have a requirement to retrieve a custom form parameter value in a custom DataStore when a client invokes the PingFederate token endpoint "/as/token. This client must use the Access Token Validation grant type. Feb 6, 2025 · It states that "The client obtains a JSON web token (JWT) and uses it to request an access token from the AS" for the jwt-bearer grant type in the PingFederate document. Reference tokens are opaque strings. Configuring an access token manager Create a JSON Web Token (JWT) access token management instance. There is no way to disable this header. I hope this helps. Mar 12, 2025 · How do I add the token "typ": "JWT" in my OAuth token header? The clientId and secret for individual services are the same ones you have set up on PingFederate JWT (JSON Web Token, pronounced “jot”) tokens are tokens for sharing claims, commonly used in OAuth 2. Next, I would look at the PingFederate server (turning debug logging on if necessary) to see if it contains any additional details regarding the cause of the failure. With unencrypted JWTs, this is also working fine.
From PingFederate's perspective, you can choose whether or not an nbf is present and what its value is through the ATM extended May 25, 2018 · When PingFederate receives a private key JWT for client authentication, it validates the token according to the specification; as part of the validation it checks that the “aud” claim of the JWT matches the PingFederate token endpoint, using the PingFederate base URL. Andrew Sciberras (Ping Identity) For JSON Web Token (JWT)-based access tokens, the session identifier is part of the access token. The JWT access token validator validates a token’s signature using a public signing key provided by the issuer. Token management PingFederate supports multiple access token management instances, providing flexibility for enterprises where deployments require different token data models, token lifetimes, attribute contracts, token validation rules, or any combination of them for various clients. Is there a possibility to accomplish token exchange with an incoming encrypted JWT? (3) External workload uses this JWT token issued by Cognito and exchanges it for an access token from Microsoft Entra ID. Prepare the token provider to validate the signed JWT that it will receive from PingAccess. It serves as a global authentication authority that allows customers, employees, and partners to securely access all the applications they need from any device. The system hosting the API should be the intended recipient / audience of the JWT.
Third-party External API gateway PingFederate access token validator To verify the access tokens that a PingFederate authorization server issues, the PingFederate access token validator uses HTTP to submit the tokens to PingFederate Server’s token introspection endpoint. Switch to OAuth listed under a dropdown on the Authentication Method. When the client brings the access token to a resource server to access protected resources, the resource server may contact PingFederate to validate the access tokens. To always return this array in a token response, select the Multi-Valued checkbox. If you are issuing JWT access tokens, then it's likely that the clients may not use PingFederate for validation, and therefore your revocation will be ineffective. Jul 10, 2023 · We have an application integration for a client using PingFederate identity and as this is a native application we don't save a client secret and the token request is without a client secret. This step allows the authorization server to determine whether a token Feb 4, 2022 · When an application validates a JWT, there are a number of checks that it performs. For example an access token is obtained to allow it to be included in a protected API call. However, I am not able to use my key to decrypt the token. For more information, see User attributes. A JWT (JSON Web Token; pronounced like the word “jot”) is a particular type of token used for sharing claims. The recipient of a self-contained token can validate the token locally by checking the signature, expected Is there working sample code (in Java or NodeJS, or openssl) which can decrypt PingFederate's JWE-encrypted tokens?
Hi Wellington, the aud within a JWT token should identify the expected recipient (from a usage perspective) of the token.

This will be included in the ID Token issued by PingFederate if and only if the OAuth client requests the openid scope, OpenID Connect has been enabled in PingFederate, and the client policy in PingFederate doesn’t disallow it from using the openid scope.

When PF is producing a token, the audience can be: Defined as a static value within the access token

Nov 7, 2025 · Configure SSO with PingFederate as IdP
{ "id": "PingFederateJWT-Demo", "tenants": [ "tenant04" ], "description": "Customer with PingFederate with JSON Web Token used

Private Key JWT: Select the Replay Prevention checkbox if the client should require a unique JSON web token (JWT) for each request.

Feb 10, 2023 · It may also include scopes, and this will depend on its requirements and what it is trying to achieve with the access token.

The OAuth client management service is provided primarily for organizations with several OAuth clients to allow programmatic management of OAuth clients and as an alternative to using the administrative console, the administrative API, or dynamic client registration.

Learn about exporting configuration from environments, best practices, view example Terraform code, and follow configuration tutorials.

Nov 22, 2022 · PingFederate STS to respond to a JWT token request.

This grant type allows a client to use an existing trust relationship, expressed through a JWT, without a direct user approval step at the AS.

Through the session identifier, an OAuth client can contact the Session Management API and Session Revocation API endpoints to query the status of an authentication session, or to extend or revoke an authentication session.
Mar 25, 2020 · PingFederate can swap a token issued by another provider for its own, which PingAccess then could use to introspect with PingFederate.

Feb 17, 2022 · I would like to understand how the Private Key JWT based authentication is supported in Ping Fed.

Dynamic keys aren’t used and aren’t returned by the PingFederate JWKS endpoint /pf/JWKS.

(Not shown) If the signature and the assertion, or the JWT, are valid, the SP establishes a session for the user and redirects the browser to the target resource.

But this would need to be initiated by your client with PingFederate to do the swap first.

The revocation request invalidates the actual token and possibly other tokens based on the same authorization grant.

3 - Does JWT access token validator work properly when public key rotation is enabled on PingFederate? 4 - Which claims does the JWT access token validator consider when it validates an access token?

Aug 15, 2025 · 3) Token strategy (choose one per environment) A. Opaque tokens + introspection (revocation-friendly) Services call PingFederate /as

Configure PingFederate for External OAuth: This topic describes how to configure Snowflake as an OAuth Resource and Ping Identity PingFederate as an External OAuth authorization server to facilitate secure, programmatic access to Snowflake data.

We know the involved components and the flow, which is roughly: Token Processor -> Token Exchange Processor Policy -> Token Generator or ATM. Currently, we have 1 token processor, 1 token exchange processor policy, and 2 ATMs.

Regards, Andrew Sciberras

When static keys are enabled, PingFederate uses only static signing keys to sign ID tokens for OAuth clients or to sign JWTs for authentication or request objects (or both) for authorization servers.

Sep 15, 2021 · It sounds like you want to use Private Key JWT to authenticate the client and that is doable and you can configure PingFederate to do that.
This will not include validations that PingFederate can only perform during run time, such as validating the value of issuer against the value of iss from an ID token.