To improve authentication security, switch your default OIDC grant type to Authorization Code with Require Proof Key for Code Exchange (PKCE). The Authorization Code with PKCE grant type hides access tokens during authentication with JavaScript applications, in comparison to the Implicit grant type that displays access tokens in the URL redirect during OIDC authentication.


For more information, see OAuth Grant Types.

The following example changes the default OIDC grant type from Implicit to Authorization Code with Require Proof Key for Code Exchange (PKCE).

  1. In the PingFederate administrative console, go to Applications > OAuth > Clients.
  2. From the Clients list, select the dadmin client.
  3. In the Allowed Grant Types section:
    1. Select the Authorization Code check box.
    2. Clear the Implicit check box.
    3. Select the Require Proof Key for Code Exchange (PKCE) check box.
    4. Click Save.
  4. From your <server-root> directory, open the Delegated Admin application's config.js file and set the AUTHENTICATE_WITH_PKCE variable to true.
     * Indicates if this app should authenticate using the 'Authorization Code with PKCE' OAuth grant.
     * If true, the 'Authorization Code with PKCE grant will be used. If false, the 'Implicit' grant
     * will be used. * DEFAULT: window.AUTHENTICATE_WITH_PKCE = true; 
    window.AUTHENTICATE_WITH_PKCE = true;

    If you don't already have the AUTHENTICATE_WITH_PKCE variable in your config.js file, you must add it.