Ping Identity Data Governance Server - Mock Access Token Validator

Data Governance Server Documentation Index
Configuration Reference Home

Mock Access Token Validator

Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.

Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.

Mock Access Token Validators accept access tokens without validating the token's authenticity using a trusted authorization server or signing certificate. Mock Access Token Validators are intended for test use only and should never be enabled in production deployments or used to access sensitive data.

Bearer tokens accepted by the Mock Access Token Validator are plain text JSON objects. For example:
{"active":true,"sub":"user1","scope":"profile","client_id":"client1"}

In general, arbitrary access token claims may be used, and access token validity is solely determined by policies. Note that default policies require a boolean 'active' claim with a value of 'true'. The token owner is determined by the Access Token Validator's Token Resource Lookup Methods.

↓Parent Component
↓Properties
↓dsconfig Usage

Parent Component

The Mock Access Token Validator component inherits from the Access Token Validator

Properties

The properties supported by this managed object are as follows:

Basic Properties:	Advanced Properties:
↓ description	↓ subject-claim-name
↓ enabled	↓ client-id-claim-name
↓ evaluation-order-index	↓ scope-claim-name

Basic Properties

description

Description	A description for this Access Token Validator
Default Value	None
Allowed Values	A string
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

enabled

Description	Indicates whether this Access Token Validator is enabled for use in Data Governance Server.
Default Value	None
Allowed Values	true false
Multi-Valued	No
Required	Yes
Admin Action Required	None. Modification requires no further action

evaluation-order-index

Description	When multiple Mock Access Token Validators are defined for a single Data Governance Server, this property determines the evaluation order for determining the correct validator class for an access token received by the Data Governance Server. Values of this property must be unique among all Mock Access Token Validators defined within Data Governance Server but not necessarily contiguous. Mock Access Token Validators with a smaller value will be evaluated first to determine if they are able to validate the access token.
Default Value	9999
Allowed Values	An integer value. Lower limit is 0.
Multi-Valued	No
Required	Yes
Admin Action Required	None. Modification requires no further action

Advanced Properties

subject-claim-name (Advanced Property)

Description	The name of the token claim that contains the subject, i.e. the logged-in user in an access token. If the claim specified by this property is present in the access token, then the PingDataGovernance Server will set the HttpRequest.AccessToken.user_token flag to "true" when authorizing HTTP requests and responses with the policy decision point.
Default Value	sub
Allowed Values	A string
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

client-id-claim-name (Advanced Property)

Description	The name of the token claim that contains the OAuth2 client ID.
Default Value	client_id
Allowed Values	A string
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

scope-claim-name (Advanced Property)

Description	The name of the token claim that contains the scopes granted by the token.
Default Value	scope
Allowed Values	A string
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

dsconfig Usage

To list the configured Access Token Validators:

dsconfig list-access-token-validators
     [--property {propertyName}] ...

To view the configuration for an existing Access Token Validator:

dsconfig get-access-token-validator-prop
     --validator-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Access Token Validator:

dsconfig set-access-token-validator-prop
     --validator-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Mock Access Token Validator:

dsconfig create-access-token-validator
     --validator-name {name}
     --type mock
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Access Token Validator:

dsconfig delete-access-token-validator
     --validator-name {name}