Configure your Authorization Server
You need to set up your PingOne Advanced Identity Cloud or PingAM instance with an OAuth 2.0 client and suitable CORS configuration.
Configure an OAuth 2.0 client
Follow the instructions below to create the public OAuth 2.0 client the Token Vault requires:
In addition to the instructions above, perform the following steps:
- Add the fully-qualified URL where you will host the Token Vault Proxy, for example https://proxy.example.com. Add this value to either the Redirection URIs (self-managed PingAM) or the Sign-in URLs (PingOne Advanced Identity Cloud) property.
- Enable refresh tokens in your authorization server:
  - Add refresh_token to either the Advanced > Response Types (self-managed PingAM) or the Access > Response Types (PingOne Advanced Identity Cloud) property.
  - Ensure Refresh Token is added to either the Advanced > Grant Types (self-managed PingAM) or the Sign On > Grant Types (PingOne Advanced Identity Cloud) property.

Generally, we do not recommend the use of OAuth 2.0 refresh tokens with typical web-based applications, but using the Token Vault mitigates a number of the security concerns with using refresh tokens, so they can be enabled to allow refreshing the access tokens without user intervention.
Configure CORS
Follow the instructions below to configure CORS to allow the Token Vault to connect to your server:
In addition to the instructions above, perform the following steps:
- Add the origins where you will host your main application and the Token Vault Proxy, for example https://sdkapp.example.com and https://proxy.example.com, or when testing locally http://localhost:5173 and http://localhost:5174. Add these values to the Accepted origins property.
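Both settings above (the registered Redirection URI / Sign-in URL for the OAuth 2.0 client, and the Accepted origins list for CORS) are only protective if the server matches them exactly: scheme, host and port for an origin, and the full string for a redirect URI. The following Python example is added here to illustrate that matching behaviour; it is not code from the Ping SDK, PingAM or PingOne, and the origin and URI values it uses are constructed placeholders mirroring the examples on this page. The function names (normalize_origin, is_allowed_origin, is_registered_redirect_uri, cors_headers_for) are this example's own.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample configuration, mirroring the values this page tells you
# to register. Placeholders only, not a real deployment.
REDIRECTION_URIS = ["https://proxy.example.com"]
ACCEPTED_ORIGINS = [
    "https://sdkapp.example.com",
    "https://proxy.example.com",
    "http://localhost:5173",
    "http://localhost:5174",
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value: str) -> Optional[str]:
    """Reduce an absolute http(s) URL or Origin header to scheme://host:port.

    Returns None for anything that is not an absolute http(s) URL (including
    the literal "null" origin and malformed ports) so callers treat it as
    "not allowed" instead of guessing.
    """
    try:
        parts = urlsplit(value.strip())
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return None
    # urlsplit already lower-cases hostname; scheme is lower-cased explicitly.
    return f"{parts.scheme.lower()}://{parts.hostname}:{port}"


def is_allowed_origin(origin: str, accepted: List[str]) -> bool:
    """CORS check: the Origin must equal one configured origin after
    normalization. Different scheme, host or port means a different origin,
    which is why localhost:5173 and localhost:5174 are listed separately.
    No wildcard, prefix or suffix matching is performed."""
    wanted = normalize_origin(origin)
    if wanted is None:
        return False
    return any(normalize_origin(entry) == wanted for entry in accepted)


def is_registered_redirect_uri(redirect_uri: str, registered: List[str]) -> bool:
    """OAuth 2.0 redirect_uri check using simple string comparison, as the
    OAuth 2.0 Security Best Current Practice requires: a trailing slash or an
    extra path segment makes it a different, unregistered URI."""
    return redirect_uri in registered


def cors_headers_for(origin: str, accepted: List[str]) -> dict:
    """Response headers for a cross-origin request. The allowed origin is
    echoed back only when it matched; 'Vary: Origin' is always set so caches
    never serve one origin's response to another."""
    headers = {"Vary": "Origin"}
    if is_allowed_origin(origin, accepted):
        headers["Access-Control-Allow-Origin"] = origin
    return headers


if __name__ == "__main__":
    for candidate in ["https://sdkapp.example.com", "http://localhost:5175", "null"]:
        print(candidate, "->", cors_headers_for(candidate, ACCEPTED_ORIGINS))
    for uri in ["https://proxy.example.com", "https://proxy.example.com/"]:
        print(uri, "->", is_registered_redirect_uri(uri, REDIRECTION_URIS))
```

The check deliberately treats https://sdkapp.example.com and https://sdkapp.example.com:443 as the same origin (the default port is implied) but treats http://sdkapp.example.com or http://localhost:5175 as different origins, which is the behaviour you should expect from the Accepted origins property when you add the local development ports.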