oauth, pingfederate, mod-auth-openidc

PingFederate OAuth validate access token using Apache Integration Kit


We are using the Apache integration kit (modpf) for integrating a web application with PingFederate as SP. We want to use PingFederate as an OAuth server as well. Can we use the same integration kit to validate access tokens generated by the OAuth server? Or are there any other libraries to do it?

One such library that I came across is mod_auth_openidc. Has anyone used it for validating access token?


Solution

  • You cannot use the Apache Integration Kit (OpenToken) to validate OAuth tokens. They are completely different token types and formats.

    However, Hans Zandbelt (from Ping Identity) actually wrote the mod_auth_openidc you link to and per its description, it does the following:

    "It can also function as an OAuth 2.0 Resource Server, validating access tokens presented by OAuth 2.0 clients against an OAuth 2.0 Authorization Server."

    mod_auth_openidc can also be used to provide SSO for Apache websites based on OpenID Connect, and thus substitute the mod_pf module that provides SSO based on the OpenToken format and protocol. A sample configuration doing both:

    # OpenID Connect relying party (SSO) settings: discovery from PingFederate
    OIDCProviderMetadataURL https://localhost:9031/.well-known/openid-configuration
    
    # Off only for a local test setup with a self-signed certificate
    OIDCSSLValidateServer Off
    OIDCClientID ac_oic_client
    OIDCClientSecret abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication
    
    OIDCRedirectURI https://localhost/example/redirect_uri/
    OIDCCryptoPassphrase <password>
    
    # OAuth 2.0 resource server settings: validate bearer tokens against
    # PingFederate's token endpoint using its validate_bearer grant type
    OIDCOAuthIntrospectionEndpoint https://localhost:9031/as/token.oauth2
    OIDCOAuthIntrospectionEndpointParams grant_type=urn%3Apingidentity.com%3Aoauth2%3Agrant_type%3Avalidate_bearer
    OIDCOAuthIntrospectionEndpointAuth client_secret_basic
    # Claim from the validation response that becomes REMOTE_USER
    OIDCOAuthRemoteUserClaim Username
    
    OIDCOAuthSSLValidateServer Off
    OIDCOAuthClientID rs_client
    OIDCOAuthClientSecret 2Federate
    
    # Browser-facing pages: OpenID Connect SSO
    <Location /example/>
       AuthType openid-connect
       Require valid-user
    </Location>
    
    # API: bearer token must be valid and carry the "profile" scope
    <Location /api>
       AuthType oauth20
       Require claim scope~\bprofile\b
    </Location>
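To make concrete what the /api block above asks mod_auth_openidc to do, here is an added Python example (not code from the answer or from mod_auth_openidc): it builds the client_secret_basic validation request the configuration describes, and applies the active/scope check and the Username-to-REMOTE_USER mapping to a response. The response shape ("active", "scope", top-level "Username") is an assumption modelled on RFC 7662, not taken from the page; the values are the answer's sample ones.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Values copied from the answer's sample configuration (the secret is the
# answer's placeholder, not a real credential).
INTROSPECTION_ENDPOINT = "https://localhost:9031/as/token.oauth2"
INTROSPECTION_PARAMS = {"grant_type": "urn:pingidentity.com:oauth2:grant_type:validate_bearer"}
RS_CLIENT_ID = "rs_client"
RS_CLIENT_SECRET = "2Federate"
REMOTE_USER_CLAIM = "Username"
# Same regex as the answer's "Require claim scope~\bprofile\b"
REQUIRED_SCOPE_PATTERN = r"\bprofile\b"


def build_introspection_request(access_token):
    """Form POST with the bearer token and the validate_bearer grant type,
    authenticated with client_secret_basic (HTTP Basic, RS client id:secret).
    Nothing is sent; the request parts are returned for inspection."""
    creds = base64.b64encode(f"{RS_CLIENT_ID}:{RS_CLIENT_SECRET}".encode()).decode()
    form = dict(INTROSPECTION_PARAMS)
    form["token"] = access_token
    return {
        "url": INTROSPECTION_ENDPOINT,
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def authorize(introspection_json):
    """Apply the /api rules to a validation response (assumed RFC 7662 shape).
    Returns (allowed, remote_user); an inactive token, or a scope string that
    does not match the required pattern, is rejected without exposing claims."""
    data = json.loads(introspection_json)
    if data.get("active") is not True:
        return False, None
    if not re.search(REQUIRED_SCOPE_PATTERN, data.get("scope", "")):
        return False, None
    return True, data.get(REMOTE_USER_CLAIM)


if __name__ == "__main__":
    # Constructed sample response, not captured from PingFederate
    sample = json.dumps({"active": True, "scope": "openid profile", "Username": "alice"})
    print(authorize(sample))  # (True, 'alice')
```

Note that the word-boundary regex rejects a token whose scope is only "profiles", exactly as the Apache rule would.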