Troubleshoot the ForgeRock Token Vault
Make sure the CORS configuration in your ForgeRock authorization server allows both the origin of your main app and the origin of the Token Vault Proxy.
These two origins should be distinct from one another.
This is likely an error coming from the /authorize request to collect OAuth 2.0 or OIDC tokens.
To diagnose the issue, copy the full /authorize request URL from the network tab in your dev tools and paste it into your browser’s URL field to directly visit it.
A 400 error coming from the /authorize endpoint could be caused by a misconfiguration. For example, if a consent page is rendering, ensure you have enabled the implied consent property in both your OAuth 2.0 Provider and the OAuth 2.0 client.
Make sure you are allowing the use of third-party cookies. For example, the incognito or private modes in Chromium browsers disable third-party cookies by default, as do WebKit-based browsers.
If you are receiving tokens from the /access_token endpoint but they are not getting stored, this is likely caused by the Token Vault Interceptor not routing the requests to the Token Vault Proxy configured in your main app.
Only the Token Vault Proxy can store tokens when the ForgeRock Token Vault is enabled.
To fix this, ensure the SDK config your main app sets in Config.set() is identical to the config in your Token Vault Interceptor file.
We recommend using environment variables, rather than hard-coding the values directly in each of the modules.
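As an added example (not ForgeRock's code), the following check covers the two configuration points above: the app and Token Vault Proxy origins being distinct and allowed by CORS, and the interceptor's settings matching the main app's. The function name, the input shape and all sample values are assumptions constructed for illustration, and the CORS list is assumed to contain explicit origins.

```javascript
// Added example: hypothetical preflight helper, not part of the ForgeRock SDK.
// Normalize a URL string to its origin (scheme + host + port).
const originOf = (url) => new URL(url).origin;

// Flatten nested config into { "a.b": "<json value>" } so settings compare by path.
function flatten(obj, prefix = '', out = {}) {
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      flatten(value, path, out);
    } else {
      out[path] = JSON.stringify(value);
    }
  }
  return out;
}

function checkTokenVaultSetup({ appUrl, proxyUrl, corsAllowedOrigins, sdkConfig, interceptorConfig }) {
  const problems = [];
  const app = originOf(appUrl);
  const proxy = originOf(proxyUrl);
  if (app === proxy) problems.push(`app and proxy share origin ${app}`);

  // Both origins must appear in the authorization server's CORS allow-list.
  const allowed = new Set(corsAllowedOrigins.map(originOf));
  for (const [name, origin] of [['app', app], ['proxy', proxy]]) {
    if (!allowed.has(origin)) problems.push(`CORS does not allow ${name} origin ${origin}`);
  }

  // Every setting the interceptor defines must equal the main app's value.
  const sdk = flatten(sdkConfig);
  for (const [path, value] of Object.entries(flatten(interceptorConfig))) {
    if (sdk[path] !== value) {
      problems.push(`config mismatch at ${path}: app=${sdk[path]} interceptor=${value}`);
    }
  }
  return problems;
}

// Constructed sample: proxy origin missing from CORS, realmPath out of sync.
const sample = {
  appUrl: 'https://app.example.com/login',
  proxyUrl: 'https://proxy.example.com/index.html',
  corsAllowedOrigins: ['https://app.example.com'],
  sdkConfig: { realmPath: 'alpha', serverConfig: { baseUrl: 'https://am.example.com/am' } },
  interceptorConfig: { realmPath: 'bravo', serverConfig: { baseUrl: 'https://am.example.com/am' } },
};
console.log(checkTokenVaultSetup(sample));
```

An empty array means none of the three checks found a problem.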
Your bundler is likely not bundling the Token Vault Interceptor into a single file, and language features are present in the bundle that these browsers do not support in a Service Worker context.
Ensure that your bundler configuration, such as Vite or Webpack, is creating a single file output and that it is down-leveled to
We recommend a dedicated bundle configuration for the Token Vault Interceptor, separate from your application bundle.
These errors often occur when the Token Vault Proxy itself is encountering an error, and are not actually error responses from your ForgeRock authorization server.
Inspect the network tab in your dev tools to find the specific error message in the response, which will help you debug the underlying issue.