Denying authentication applications access to the authorization endpoint - PingFederate - 10.3

You can deny authentication applications CORS access to the PingFederate OAuth authorization endpoint.

Authentication applications must be highly trusted because they have CORS access to the OAuth authorization endpoint /as/authorization.oauth2. They can use an existing session with PingFederate to get tokens for any OAuth client that does not require authentication. Browser-based applications need this level of access to use the redirectless mode.

If your deployment does not need this redirectless mode, you can deny authentication applications CORS access to the OAuth authorization endpoint. Applications will still have CORS access to the /pf-ws/authn/flows endpoint but will not be able to directly retrieve OAuth tokens.

  1. On the administrative console node, open the file authn-api-cors-configuration.xml in the server/default/data/config-store directory.
  2. Add the following line in the <con:config> section:
    <con:item name="urlPatterns">/pf-ws/authn/flows(/*)?</con:item>
  3. Restart PingFederate if it is running as a standalone instance. Otherwise, use the administrative console to replicate the change to the cluster.
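The following audit helper is an added example, not PingFederate code: it parses a copy of authn-api-cors-configuration.xml and models whether an authentication application still gets CORS access to the two endpoints named above, comparing a configuration without the urlPatterns item to the hardened one. It assumes the con: namespace URI (not given on the page, so elements are matched by local name) and treats urlPatterns as a single regular expression matched against the whole request path.

```python
"""Audit helper for the authn-api-cors-configuration.xml change described above.
Added example, not PingFederate code.  Assumptions (not documented on the page):
  * the con: namespace URI is unknown here, so elements are matched by local name;
  * urlPatterns is treated as a single regular expression matched against the
    whole request path;
  * with no urlPatterns item present, CORS access covers both the authorization
    endpoint and the flows endpoint, as the page describes for the default."""
import re
import xml.etree.ElementTree as ET

AUTHZ_ENDPOINT = "/as/authorization.oauth2"   # from the page
FLOWS_ENDPOINT = "/pf-ws/authn/flows"         # from the page

# Constructed sample configurations; the namespace URI is a placeholder.
DEFAULT_CONFIG = """<con:config xmlns:con="urn:example:placeholder">
</con:config>"""
HARDENED_CONFIG = """<con:config xmlns:con="urn:example:placeholder">
  <con:item name="urlPatterns">/pf-ws/authn/flows(/*)?</con:item>
</con:config>"""


def _local(tag):
    """Drop the '{uri}' part of an ElementTree tag so the namespace URI does not matter."""
    return tag.rsplit("}", 1)[-1]


def url_pattern(xml_text):
    """Return the urlPatterns value, or None when the item is absent."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "item" and el.get("name") == "urlPatterns":
            return (el.text or "").strip()
    return None


def cors_allowed(xml_text, path):
    """Model whether an authentication application gets CORS access to `path`."""
    pattern = url_pattern(xml_text)
    if pattern is None:
        return True  # no restriction configured (default behaviour, see docstring)
    return re.fullmatch(pattern, path) is not None  # regex semantics are an assumption


def audit(xml_text):
    """Summarise exposure of the two endpoints the page discusses."""
    return {
        "authorization_endpoint_cors": cors_allowed(xml_text, AUTHZ_ENDPOINT),
        "flows_endpoint_cors": cors_allowed(xml_text, FLOWS_ENDPOINT),
    }


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Run it against the file from the config-store directory to confirm the hardened result before replicating the change to the cluster.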