Changing the default OIDC grant type
To change the Delegated Admin application’s default OpenID Connect (OIDC) grant type, use the PingFederate administrative console and the Delegated Admin config.js file.
About this task
To improve authentication security, switch your default OIDC grant type to Authorization Code with Require Proof Key for Code Exchange (PKCE). With the Implicit grant type, PingFederate returns the access token to the JavaScript application in the URL fragment of the redirect, where it is exposed to browser history and to any script running on the page. With Authorization Code and PKCE, the redirect carries only a short-lived, single-use authorization code; the application exchanges that code for tokens in a direct request to the token endpoint, and PingFederate honors the exchange only if the request carries the code_verifier that matches the code_challenge sent with the original authorization request, so an intercepted code is of no use on its own.
For more information, see OAuth Grant Types.
The following example changes the default OIDC grant type from Implicit to Authorization Code with Require Proof Key for Code Exchange (PKCE).
Steps
- In the PingFederate administrative console, go to Applications → OAuth → Clients.
- From the Clients list, select the dadmin client.
- In the Allowed Grant Types section:
  - Select the Authorization Code check box.
  - Clear the Implicit check box.
  - Select the Require Proof Key for Code Exchange (PKCE) check box.
  - Click Save.
- From your <server-root> directory, open the Delegated Admin application’s config.js file and set the AUTHENTICATE_WITH_PKCE variable to true. Example:
  /*
   * Indicates if this app should authenticate using the 'Authorization Code with PKCE' OAuth grant.
   * If true, the 'Authorization Code with PKCE' grant will be used. If false, the 'Implicit' grant
   * will be used.
   * DEFAULT: window.AUTHENTICATE_WITH_PKCE = true;
   */
  window.AUTHENTICATE_WITH_PKCE = true;
  If you don’t already have the AUTHENTICATE_WITH_PKCE variable in your config.js file, you must add it.
Make the console change and the config.js change together: once Implicit is cleared on the dadmin client, a Delegated Admin instance still running with AUTHENTICATE_WITH_PKCE set to false requests a grant type that PingFederate no longer allows for that client, and sign-in fails.