ForgeRock Developer Experience

Configure your ForgeRock Authorization Server

You need to set up your ForgeRock Identity Cloud or AM instance with an OAuth 2.0 client and suitable CORS configuration.

Configure an OAuth 2.0 client

Follow the instructions below to create the public OAuth 2.0 client the ForgeRock Token Vault requires:

In addition to the instructions above, perform the following steps:

  1. Add the fully-qualified URL where you will host the Token Vault Proxy.

    For example, https://proxy.example.com.

    Add this value to either the Redirection URIs (self-managed AM) or the Sign-in URLs (Identity Cloud) property.

  2. Enable refresh tokens in your ForgeRock authorization server:

    1. Add refresh_token to either the Advanced > Response Types (self-managed AM) or the Access > Response Types (Identity Cloud) property.

    2. Ensure Refresh Token is added to either the Advanced > Grant Types (self-managed AM) or the Sign On > Grant Types (Identity Cloud) property.

    Generally, we do not recommend using OAuth 2.0 refresh tokens with typical web-based applications. However, the ForgeRock Token Vault mitigates a number of the security concerns with refresh tokens, so you can enable them to refresh access tokens without user intervention.

Configure CORS

Follow the instructions below to configure CORS to allow the ForgeRock Token Vault to connect to your server:

In addition to the instructions above, perform the following steps:

  • Add the origins where you will host your main application and the Token Vault Proxy.

    For example, https://sdkapp.example.com and https://proxy.example.com, or when testing locally http://localhost:5173 and http://localhost:5174.

    Add these values to the Accepted origins property.
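As an added example (not ForgeRock's code), the following Python check validates the client and CORS settings from both procedures above against the origins the Token Vault needs: the redirect URI, the refresh_token response and grant types, and exact Accepted origins with no wildcard, path or plain http outside localhost. The config dict keys and sample values are constructed; response and grant types use the `refresh_token` wire value that stands behind the Refresh Token console label.

```python
from urllib.parse import urlsplit
# Constructed sample settings (not a real deployment); types use AM's wire values.
GOOD_CONFIG = {
    "redirect_uris": ["https://proxy.example.com"],
    "response_types": ["code", "token", "refresh_token"],
    "grant_types": ["authorization_code", "refresh_token"],
    "accepted_origins": ["https://sdkapp.example.com", "https://proxy.example.com"],
}
BAD_CONFIG = {
    "redirect_uris": ["https://proxy.example.com/callback"],
    "response_types": ["code", "token"],
    "grant_types": ["authorization_code"],
    "accepted_origins": ["https://sdkapp.example.com/", "https://*.example.com", "http://proxy.example.com"],
}

def origin_of(url):
    """Return scheme://host[:port] for an absolute http(s) URL, else None."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    return f"{p.scheme}://{p.hostname.lower()}" + (f":{p.port}" if p.port else "")

def check_origin(entry):
    """Findings for one Accepted origins entry: exact origin, no wildcard/path, https off localhost."""
    if "*" in entry:
        return ["wildcard: CORS accepted origins must be exact"]
    if origin_of(entry) is None:
        return ["not an absolute http(s) URL"]
    p = urlsplit(entry)
    findings = []
    if p.path or p.query or p.fragment:
        findings.append("origin must not carry a path, query or fragment")
    if p.scheme == "http" and p.hostname not in ("localhost", "127.0.0.1"):
        findings.append("plain http origin outside localhost")
    return findings

def check_token_vault_config(cfg, app_origin, proxy_origin):
    """Return problems with the client and CORS settings this guide asks for (empty list = OK)."""
    problems = []
    if proxy_origin not in cfg["redirect_uris"]:
        problems.append(f"redirect URI missing: {proxy_origin}")
    for kind in ("response_types", "grant_types"):
        if "refresh_token" not in cfg[kind]:
            problems.append(f"refresh_token not in {kind}")
    for entry in cfg["accepted_origins"]:
        problems += [f"accepted origin {entry}: {f}" for f in check_origin(entry)]
    exact = {e for e in cfg["accepted_origins"] if not check_origin(e)}
    for needed in (app_origin, proxy_origin):
        if needed not in exact:
            problems.append(f"accepted origin missing or malformed: {needed}")
    return problems
```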