Use the GET /oauth/accessTokenManagers/{{accessTokenManagerId}} endpoint to retrieve a specific token management plugin instance.

Path parameters

Parameter Value Description
accessTokenManagerId string(required) ID of token management plugin instance.

Status codes

Code Reason
200 Success.
403 PingFederate does not have its OAuth 2.0 authorization server role enabled. Operation not available.
404 Resource not found.

AccessTokenManager - An OAuth access token management plugin instance.

Property Type Description
accessControlSettings AtmAccessControlSettings Settings which determine which clients may access this token manager.
attributeContract AccessTokenAttributeContract The list of attributes that will be added to an access token.
configuration * PluginConfiguration Plugin instance configuration.
id * string The ID of the plugin instance. The ID cannot be modified once the instance is created.
Note: Ignored when specifying a connection’s adapter override.
name * string The plugin instance name. The name cannot be modified once the instance is created.
Note: Ignored when specifying a connection’s adapter override.
parentRef ResourceLink The reference to this plugin’s parent instance. The parent reference is only accepted if the plugin type supports parent instances.
Note: This parent reference is required if this plugin instance is used as an overriding plugin (e.g. connection adapter overrides)
pluginDescriptorRef * ResourceLink Reference to the plugin descriptor for this instance. The plugin descriptor cannot be modified once the instance is created.
Note: Ignored when specifying a connection’s adapter override.
selectionSettings AtmSelectionSettings Settings which determine how this token manager can be selected for use by an OAuth request.
sessionValidationSettings SessionValidationSettings Settings which determine how the user session is associated with the access token.

ResourceLink - A reference to a resource.

Property Type Description
id * string The ID of the resource.
location string A read-only URL that references the resource. If the resource is not currently URL-accessible, this property will be null.

PluginConfiguration - Configuration settings for a plugin instance.

Property Type Description
fields array[ConfigField] List of configuration fields.
tables array[ConfigTable] List of configuration tables.

ConfigTable - A plugin configuration table populated with values.

Property Type Description
inherited boolean Whether this table is inherited from its parent instance. If true, the rows become read-only. The default value is false.
name * string The name of the table.
rows array[ConfigRow] List of table rows.

ConfigRow - A row of configuration values for a plugin configuration table.

Property Type Description
defaultRow boolean Whether this row is the default.
fields * array[ConfigField] The configuration fields in the row.

ConfigField - A plugin configuration field value.

Property Type Description
encryptedValue string For encrypted or hashed fields, this attribute contains the encrypted representation of the field’s value, if a value is defined. If you do not want to update the stored value, this attribute should be passed back unchanged.
inherited boolean Whether this field is inherited from its parent instance. If true, the value/encrypted value properties become read-only. The default value is false.
name * string The name of the configuration field.
value string The value for the configuration field. For encrypted or hashed fields, GETs will not return this attribute. To update an encrypted or hashed field, specify the new value in this attribute.

AccessTokenAttributeContract - A set of attributes exposed by an Access Token Manager.

Property Type Description
coreAttributes array[AccessTokenAttribute] A list of core token attributes that are associated with the access token management plugin type. This field is read-only and is ignored on POST/PUT.
defaultSubjectAttribute string Default subject attribute to use for audit logging when validating the access token. Blank value means to use USER_KEY attribute value after grant lookup.
extendedAttributes array[AccessTokenAttribute] A list of additional token attributes that are associated with this access token management plugin instance.
inherited boolean Whether this attribute contract is inherited from its parent instance. If true, the rest of the properties in this model become read-only. The default value is false.

AccessTokenAttribute - An attribute for an Access Token’s attribute contract.

Property Type Description
name * string The name of this attribute.

AtmSelectionSettings - Selection settings for an access token management plugin instance.

Property Type Description
inherited boolean If this token manager has a parent, this flag determines whether selection settings, such as resource URI’s, are inherited from the parent. When set to true, the other fields in this model become read-only. The default value is false.
resourceUris array[string] The list of base resource URI’s which map to this token manager. A resource URI, specified via the ‘aud’ parameter, can be used to select a specific token manager for an OAuth request.

AtmAccessControlSettings - Access control settings for an access token management plugin instance.

Property Type Description
allowedClients array[ResourceLink] If ‘restrictClients’ is true, this field defines the list of OAuth clients that are allowed to access the token manager.
inherited boolean If this token manager has a parent, this flag determines whether access control settings are inherited from the parent. When set to true, the other fields in this model become read-only. The default value is false.
restrictClients boolean Determines whether access to this token manager is restricted to specific OAuth clients. If false, the ‘allowedClients’ field is ignored. The default value is false.

SessionValidationSettings - Session validation settings for an access token management plugin instance.

Property Type Description
checkSessionRevocationStatus boolean Check the session revocation status when validating the access token.
checkValidAuthnSession boolean Check for a valid authentication session when validating the access token.
inherited boolean If this token manager has a parent, this flag determines whether session validation settings, such as checkValidAuthnSession, are inherited from the parent. When set to true, the other fields in this model become read-only. The default value is false.
updateAuthnSessionActivity boolean Update authentication session activity when validating the access token.