Authentication applications must be highly trusted because they have CORS access to the OAuth authorization endpoint, /as/authorization.oauth2. Using an existing PingFederate session, an authentication application can obtain tokens for any OAuth client that is not configured to require client authentication. Browser-based applications need this level of access to use the redirectless mode.

If your deployment does not use the redirectless mode, you can deny authentication applications CORS access to the OAuth authorization endpoint. Applications keep CORS access to the authentication API endpoint, /pf-ws/authn/flows, but can no longer retrieve OAuth tokens directly.

  1. On the administrative console node, open the file authn-api-cors-configuration.xml in the server/default/data/config-store directory.
  2. Add the following line in the <con:config> section:
    <con:item name="urlPatterns">/pf-ws/authn/flows(/*)?</con:item>
  3. Restart PingFederate if it is running as a standalone instance. Otherwise, use the administrative console to replicate the change to the cluster.
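The steps above, scripted as an added example (this is not PingFederate's own tooling or documentation): the script inserts the urlPatterns item once, refuses to create a duplicate item if a differing urlPatterns entry already exists, keeps a backup, and offers a generic CORS preflight check to run after the restart or replication. Assumed, not taken from the page: the PF_HOME default, that the <con:config> opening tag is on its own line, the placeholder namespace URI in the constructed sample file, and all helper function names.

```shell
#!/bin/sh
# Added example, not part of the PingFederate product or documentation.
# Idempotently adds the urlPatterns item to authn-api-cors-configuration.xml.
# Assumptions: PF_HOME is the PingFederate install directory; the <con:config>
# opening tag sits on its own line; helper names are this script's own.

PF_HOME="${PF_HOME:-/opt/pingfederate}"
CORS_CONF="$PF_HOME/server/default/data/config-store/authn-api-cors-configuration.xml"
# The exact line the procedure says to add.
PATTERN_LINE='<con:item name="urlPatterns">/pf-ws/authn/flows(/*)?</con:item>'

# True when the file already carries exactly the documented line.
restriction_present() {
    grep -Fq "$PATTERN_LINE" "$1"
}

# True when some urlPatterns item exists, possibly with another value.
has_url_patterns_item() {
    grep -Fq 'name="urlPatterns"' "$1"
}

# Number of urlPatterns items in the file (exactly 1 after a successful run).
count_url_patterns_items() {
    grep -c 'name="urlPatterns"' "$1" || true
}

# Insert PATTERN_LINE once, directly after the <con:config> opening tag.
# Exit status: 0 on success or if already present; 1 if no <con:config>
# section exists; 2 if a differing urlPatterns item is present (edit by hand
# rather than silently creating a duplicate item with the same name).
restrict_cors() {
    file="$1"
    if restriction_present "$file"; then
        return 0
    fi
    if has_url_patterns_item "$file"; then
        echo "$file: urlPatterns item already present with another value; edit manually" >&2
        return 2
    fi
    if ! grep -Eq '<con:config[ >]' "$file"; then
        echo "$file: no <con:config> section found" >&2
        return 1
    fi
    cp "$file" "$file.bak" || return 1
    # awk instead of sed -i: portable between GNU and BSD userlands.
    awk -v line="$PATTERN_LINE" \
        '{ print } /<con:config[ >]/ { print "    " line }' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file" || return 1
    restriction_present "$file"
}

# Generic CORS preflight check to run after the restart/replication: sends an
# OPTIONS preflight from the given origin and prints "allowed" if the server
# returns an Access-Control-Allow-Origin header, "denied" otherwise. After the
# change, /as/authorization.oauth2 should be denied while /pf-ws/authn/flows
# stays allowed for a registered authentication-application origin.
preflight() {
    base="$1"; path="$2"; origin="$3"
    if curl -s -o /dev/null -D - -X OPTIONS \
            -H "Origin: $origin" -H "Access-Control-Request-Method: GET" \
            "$base$path" | grep -iq '^access-control-allow-origin:'; then
        echo allowed
    else
        echo denied
    fi
}

# Constructed sample of the config-store file for dry runs; the real file's
# other items and namespace URI differ (the URI here is a placeholder).
write_sample_config() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<con:config xmlns:con="http://example.invalid/config">
    <con:item name="allowedOrigins">https://app.example.com</con:item>
</con:config>
EOF
}

# Usage: sh restrict-authn-cors.sh [path-to-authn-api-cors-configuration.xml]
# Defaults to CORS_CONF when no path is given on a real deployment.
if [ $# -gt 0 ]; then
    restrict_cors "$1" && echo "updated $1; restart PingFederate or replicate the change to the cluster"
fi
```

Run it against the administrative console node's copy of the file, then restart (standalone) or replicate (cluster) exactly as the procedure says; the script only edits the file and cannot perform either step. The `preflight` helper is a plain CORS check, not a PingFederate feature, so a denied result only tells you the browser would refuse the cross-origin call, which is the property the change is meant to establish.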