---
title: Migrating external OAuth clients into PingFederate
description: You can migrate OAuth clients from other identity providers into PingFederate by temporarily defining additional valid audience values for authentication and authorization requests.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_migrating_external_oauth_clients
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_migrating_external_oauth_clients.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
section_ids:
  steps: Steps
---

# Migrating external OAuth clients into PingFederate

You can migrate OAuth clients from other identity providers into PingFederate by temporarily defining additional valid audience values for authentication and authorization requests.

You can define valid audience values using the `AdditionalAllowedAudiences` parameter in the `org.sourceid.oauth20.domain.AuthzServerManagerImpl.xml`.

The expanded audience values take effect wherever request objects and JSON Web Token (JWT) *(tooltip: \<div class="paragraph">
\<p>An IETF standard container format for a JSON object used for the secure exchange of content, such as identity or entitlement information. You can find the industry standard in \<a href="https\://datatracker.ietf.org/doc/html/rfc7519">RFC 7519\</a>.\</p>
\</div>)*-based client authentication are supported.

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | Expanding allowed audience values can introduce significant security risks to your authentication and authorization clients. By allowing PingFederate to grant access to JWTs with additional audience values you risk granting unintended access to restricted services.You should only use this feature as a temporary measure while migrating clients into PingFederate, and remove expanded audience values after the migration is complete. |

## Steps

1. Open the `<pingfed-install>/pingfederate/server/default/data/config-store/org.sourceid.oauth20.domain.AuthzServerManagerImpl.xml` file.

2. Under the `<c:list name="AdditionalAllowedAudiences">` parameter, uncomment the `<c:ListItem>` line and replace the example value with a domain to authorize.

3. (Optional) For each additional audience value you want to authorize, add a new `<c:ListItem>` line.

4. After you've added all desired audience values, save and close the file.

5. Create new clients in PingFederate.

   Learn more in [Configuring OAuth clients](pf_configuring_oauth_clients.html).

6. Migrate your external OAuth clients into PingFederate.

   This process varies depending on your existing issuer.

7. After your migration is complete, open the `org.sourceid.oauth20.domain.AuthzServerManagerImpl.xml` file.

8. Delete or comment out the `<c:ListItem>` lines you previously added.

9. Save and close the file.