Use the Applications page to edit existing single page applications.
- Go to , and browse or search for the application that you want to edit.
- Click the application entry to open the details panel.
On the Overview tab, click the
Pencil icon and enter or edit the following:
A unique identifier for the application.
A brief description of the application.
A pictorial representation of the application.
Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format.
Home Page URL
The default home page for the application.
The URL to which the application redirects the end user for sign-on.Important:
To avoid issues with third-party cookies in some browsers, we recommend that you use a custom domain to give your PingOne environment the same parent domain as your authentication application. For more information, see Domains.
On the Configuration tab, click the
Pencil icon, and enter or edit the following:
The unique identifier for the application.
The shared secret for the application. Ensure that you protect the client secret and store it in a secure location. To update the client secret, click Generate New Secret. To revoke the previous client secret, click Revoke Previous Client Secret. For more information, see Rotating the client secret for an application.
The identifier for the environment that contains the application.
Select Code, Token, or ID Token for the response type.
For more information, see Response types.
Select Authorization Code, Implicit, Client Credentials, or Refresh Token for the grant type.
For more information, see Grant types.
Select a value for PKCE code challenge enforcement. This value determines how the application creates the code challenge from the code verifier.
For more information, see PKCE enforcement.Note:
PKCE enforcement is available for Authorization Code grant type applications only.
Refresh Token Configuration
Select this option to enable the Refresh Token grant type. You can specify the following:
- Refresh Duration
- The lifetime of the refresh tokens. If a value is not provided, the default value is 2592000, or 30 days. Valid values are between 60 and 2147483647.
- Refresh Token Rolling Duration
- How long the application can use the refresh
token grant type to obtain a new access token and
a new refresh token after the most recent user
authentication event. If a value is not provided,
the refresh token is valid forever. Valid values
are between 60 and
The refresh token rolling duration must be longer than the refresh token duration.
- Refresh Token Rolling Grace Period
- The amount of time that a rolled refresh token is still valid in the event that the client failed to receive an updated one during a roll. Valid values are between 0 and 86400 seconds. A value of 0 means that a refresh token becomes invalid after it’s rolled.
Additional Refresh Token Replay Protection
Outside of the optional rolling grace period, refresh tokens are intended for one-time use. For increased security, enable this option so that PingOne can invalidate both access and refresh tokens when a refresh token is reused. For more information, see Refresh token rotation.
The address to which PingOne forwards the OIDC response after authentication. The Redirect URI cannot contain a fragment component, such as
#somedata. For more information, see Redirection endpoint in the IETF documentation.
Allow Redirect URI patterns
Use a wildcard for flexibility in managing redirect URIs. See Redirect URIs.
Token Endpoint Authentication Method
Select one of the following:
- Client Secret Basic
- Client Secret Post
- Client Secret JWT
- Private Key JWT
JSON Web Key Set Method
Select JWKS URL or JWKS. Provide either the URL where PingOne can retrieve the JSON Web Key Set (JWKS) or the web key set itself. You can paste the JSON in one line or multiple lines.
JWKS Method is required for an application to send asymmetrically signed request objects. To use Private Key JWT for Token Endpoint Authentication Method, PingOne reuses the same JWKS URL or JWKS to process the private key JWT.Note:
- If Token Endpoint Authentication Method is set to Private Key JWT, you must provide the JWKS Method.
- If Token Endpoint Authentication Method is set to None, Client Secret Basic, Client Secret Post, or Client Secret JWT, if the JWKS Method is not provided and the application sends an RS256/384/512-signed request object to PingOne, PingOne returns an error.
Require Pushed Authorization Request
Require the application to send its authorization requests directly to PingOne, without going through the browser, which can safeguard sensitive information from end-user devices. If Require Pushed Authorization Request is not selected, the application can send plain authorization requests or pushed authorization requests, but pushed authorization requests are not required. For more information, see Pushed authorization requests.
Pushed Authorization Request Reference Timeout
Specify how long the pushed authorization request should be valid. The default value is 60 seconds.
Initiate Login URI
The application's login initiation endpoint for third-parties to begin the sign-on process for the application.
If provided, PingOne redirects users to this URI to initiate SSO to PingOne. The application is responsible for implementing the relevant OIDC flow when the Initiate Login URI is requested.
For more information, see Initiating Login from a Third Party in the OIDC specification. This URI is required if you want the application to show in the PingOne Application Portal. For more information, see Application portal.
Target Link URI
The URI for the application. If provided, PingOne redirects application users to this URI after the user is authenticated. The target_link_uri parameter value in Initiate Single Sign-On URL is also updated with the value specified here.
The URLs to which the browser can be redirected after a logout has been performed.
If you include a post_logout_redirect_uri query parameter in the /signoff request, with the same value that was set in the application, the browser will redirect the user to the matching URL.
Request Parameter Signature Requirement
Specify how the application sends the optional request parameter in its authorization requests.Click Compare options for a description of the different settings.
- Default: Allow the application to send authorization requests with or without the request parameter. If using the request parameter, the application must include a digital signature.
- Allow unsigned request parameters: Allow the application to send authorization requests with or without the request parameter. If using the request parameter, the application has the option to include a digital signature or not.
- Require signed request parameters: Require the application to use the request parameter and include a digital signature of it in its authorization requests.
For more information, see Request Parameter Signature Requirement.
- Allow any CORS-safe origin (default): Allows the application to access resources from a domain that is CORS-safelisted, according to the Fetch specification at https://fetch.spec.whatwg.org/#cors-safelisted-request-header.
- Allow specific origins: Allows the application to access
resources from a specific domain.
- Allowed origins: Specifies the allowed origin
domains for CORS. You can specify a domain pattern or a valid IPv4
address. If you use a domain pattern you can specify one wildcard to
match incoming requests. Note:
You cannot use the wildcard on the domain name.
For example, the following search patterns are valid:
The following patterns are not valid:
- Allowed origins: Specifies the allowed origin domains for CORS. You can specify a domain pattern or a valid IPv4 address. If you use a domain pattern you can specify one wildcard to match incoming requests.
- Disallow all origins: Don’t allow the application to access resources from a cross-origin domain.
After you make changes to the CORS Settings, it can take several minutes for the new settings to take effect, due to time-to-live configuration on the resource.
On the Resources tab, click the
Pencil icon and select the check boxes to add
appropriate OAuth scopes for the application. Click the Selected
scopes tab to see the scopes that are currently selected for the
The OAuth scopes determine the resources that the application can access. If you add OIDC scopes here, the application inherits the attributes associated with that scope.
On the Policies tab, click the
Pencil icon and select the authentication policies
for the application.
If you have a DaVinci license, you can select PingOne policies or DaVinci Flow policies, but not both. If you don’t have a DaVinci license, you’ll see PingOne policies only.
To use a PingOne policy, click + Add policies and then select the policies that you want to apply to the application. Click Add. The policies are applied in the order in which they appear in the list. PingOne evaluates the first policy in the list first. If the requirements of the policy are not met, PingOne moves to the next policy in the list. For more information, see Authentication policies for applications.
To use a DaVinci Flow policy, you must clear all PingOne policies. Click the Deselect all PingOne policies button. In the confirmation message, click Continue. Click the DaVinci Policies tab, and then select the policies that you want to apply to the application. PingOne applies the first policy in the list.
For OAuth-based applications, you can specify another policy in the acr_values parameter in the authorization request. The acr_values parameter specifies the sign-on policies that PingOne should use for authentication. You can include any policies assigned to the application. Specify either a single DaVinci policy by flow policy ID or one or more PingOne policies by name, separated by spaces or the encoded space character
%20. For example,
On the Attribute mappings tab, click the
Pencil icon and select a PingOne user attribute and map
it to an attribute in the application that you are adding.
For more information, see Customizing OIDC attributes for an application.
- Enter an application attribute and then select the corresponding PingOne attribute from the list.
Click the Gear icon to use the expression
builder to build an attribute mapping.
For more information, see Using the expression builder.
On the Access tab, click the
Pencil icon and enter or edit the following:
Application portal display
Determines whether an application icon appears in the application portal even if the user is allowed to access the application in the application portal based on the group membership policy. For more information, see Application access control.
Admin only access
Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles:
- Organization Admin
- Environment Admin
- Identity Data Admin
- Client Application Developer
Group membership policy
Select the group membership policy for the application. For more information, see Groups.
- Click Save.