Configure your ForgeRock Authorization Server
You need to set up your ForgeRock Identity Cloud or AM instance with an OAuth 2.0 client and suitable CORS configuration.
Configure an OAuth 2.0 client
Follow the instructions below to create the public OAuth 2.0 client the ForgeRock Token Vault requires:
In addition to the instructions above, perform the following steps:
-
Add the fully-qualified URL where you will host the Token Vault Proxy.
For example,
https://proxy.example.com.Add this value to either the Redirection URIs (self-managed AM) or the Sign-in URLs (Identity Cloud) property.
-
Enable refresh tokens in your ForgeRock authorization server:
-
Add
refresh_tokento either the Advanced > Response Types (self-managed AM) or the Access > Response Types (Identity Cloud) property. -
Ensure Refresh Token is added to either the Advanced > Grant Types (self-managed AM) or the Sign On > Grant Types (Identity Cloud) property.
Generally, we do not recommend the use of OAuth 2.0 refresh tokens with typical web-based applications, but using the ForgeRock Token Vault mitigates a number of the security concerns with using refresh tokens, so they can be enabled to allow refreshing the access tokens without user intervention.
-
Configure CORS
Follow the instructions below to configure CORS to allow the ForgeRock Token Vault to connect to your server:
In addition to the instructions above, perform the following steps:
-
Add the origins where you will host your main application and the Token Vault Proxy.
For example,
https://sdkapp.example.comandhttps://proxy.example.com, or when testing locallyhttp://localhost:5173andhttp://localhost:5174.Add these values to the Accepted origins property.