PingFederate supports cross-origin resource sharing (CORS) for the following OAuth endpoints:

  • /as/token.oauth2
  • /as/revoke_token.oauth2
  • /idp/userinfo.openid
  • /pf-ws/rest/oauth/grants/
  • /pf/JWKS
  • /.well-known/openid-configuration
  • /as/bc-auth.ciba

As needed, administrators can add or remove allowed origins on the Authentication Application page of the administrative console. For more information, see Configuring an authentication application. Once configured, client-side web applications from the trusted origins can make requests to the PingFederate authorization server for the purpose of accessing protected resources, such as obtaining access tokens (or renewing them with refresh tokens), presenting access tokens for revocation, querying additional claims (user attributes), and retrieving OpenID Provider configuration information and JSON Web Key Sets.
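One way to check a deployment against the intended allow-list, as an added example that is not PingFederate code: the script compares captured `Origin` request headers with the `Access-Control-Allow-Origin` (ACAO) response headers returned for the endpoints listed above and reports deviations. The trusted origin, the other host names, the unlisted path and the observations are constructed, and the function names are hypothetical.

```javascript
// Endpoint paths are the ones listed on this page; everything else is constructed sample data.
const CORS_ENDPOINTS = [
  "/as/token.oauth2", "/as/revoke_token.oauth2", "/idp/userinfo.openid",
  "/pf-ws/rest/oauth/grants/", "/pf/JWKS",
  "/.well-known/openid-configuration", "/as/bc-auth.ciba",
];

// Entries ending in "/" are treated as prefixes (assumption); the rest must match exactly.
function isCorsEndpoint(path) {
  return CORS_ENDPOINTS.some((p) => (p.endsWith("/") ? path.startsWith(p) : path === p));
}

// Reduce a value to scheme://host[:port]; anything with a path, query or fragment is rejected.
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    return u.pathname === "/" && !u.search && !u.hash ? u.origin : null;
  } catch {
    return null; // "*", empty or malformed values are not origins
  }
}

// Each observation: { path, origin (request header), acao (response header or null) }.
function auditCors(observations, trustedOrigins) {
  const trusted = new Set(trustedOrigins.map(normalizeOrigin).filter(Boolean));
  const findings = [];
  for (const { path, origin, acao } of observations) {
    const flag = (finding) => findings.push({ path, origin, finding });
    if (acao == null) {
      // A trusted origin that gets no ACAO header points to configuration drift.
      if (isCorsEndpoint(path) && trusted.has(normalizeOrigin(origin))) flag("trusted-origin-not-allowed");
      continue;
    }
    if (!isCorsEndpoint(path)) flag("cors-header-on-unlisted-path");
    if (acao === "*") flag("wildcard-origin");
    else if (!trusted.has(normalizeOrigin(acao))) flag("untrusted-origin-allowed");
  }
  return findings;
}

const TRUSTED = ["https://app.example.com"]; // constructed allow-list
const OBSERVED = [ // constructed observations
  { path: "/as/token.oauth2", origin: "https://app.example.com", acao: "https://app.example.com" },
  { path: "/idp/userinfo.openid", origin: "https://other.example.net", acao: "https://other.example.net" },
  { path: "/pf/JWKS", origin: "https://app.example.com", acao: "*" },
  { path: "/as/revoke_token.oauth2", origin: "https://app.example.com", acao: null },
  { path: "/pf-ws/rest/oauth/grants/abc123", origin: "https://other.example.net", acao: null },
  { path: "/example/unlisted", origin: "https://app.example.com", acao: "https://app.example.com" },
];
console.log(auditCors(OBSERVED, TRUSTED));
```

A finding here means the observed response differs from the configured allow-list, which can also come from a proxy or gateway in front of the authorization server adding its own CORS headers.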