---
title: Before you begin
description: Outlines the prerequisites and server configuration steps required before starting the JavaScript OIDC sign-on module tutorial for Advanced Identity Cloud.
component: orchsdks
page_id: orchsdks:oidc:try-it-out/javascript/aic/00_before-you-begin
canonical_url: https://developer.pingidentity.com/orchsdks/oidc/try-it-out/javascript/aic/00_before-you-begin.html
revdate: Thu, 2 Apr 2026 11:33:37 +0100
keywords: ["OAuth 2.0", "OpenID Connect", "Tutorial", "Source Code", "Integration", "SDK", "JavaScript", "Advanced Identity Cloud", "prerequisites"]
section_ids:
  server_configuration: Server configuration
---

# Before you begin

PingOne Advanced Identity Cloud · JavaScript

* **Prepare**

* [Download](01_download-sample-repo.html)

* [Configure](02_configure_connection_properties.html)

* [Run](03_test_the_app.html)

To successfully complete this tutorial, refer to the prerequisites in this section.

The tutorial also requires a configured PingOne Advanced Identity Cloud tenant.

* Node and NPM

  This sample requires a minimum Node.js version of `18`, and is tested on versions `18` and `20`. To get a supported version of Node.js, refer to the [Node.js download page](https://nodejs.org/en/download/).

  You will also need `npm` to build the code and run the samples.

## Server configuration

This tutorial requires you to configure your PingOne Advanced Identity Cloud tenant as follows:

> **Collapse: Task 1. Create a demo user**
>
> The samples and tutorials in this documentation often require that you have an identity set up so that you can test authentication.
>
> To create a demo user in PingOne Advanced Identity Cloud, follow these steps:
>
> 1. Log in to your PingOne Advanced Identity Cloud tenant.
>
> 2. In the left panel, click Identities > Manage.
>
> 3. Click + New Alpha realm - User.
>
> 4. Enter the following details:
>
>    * **Username** = `demo`
>
>    * **First Name** = `Demo`
>
>    * **Last Name** = `User`
>
>    * **Email Address** = `demo.user@example.com`
>
>    * **Password** = `Ch4ng3it!`
>
> 5. Click Save.

> **Collapse: Task 2. Create an authentication journey**
>
> Authentication journeys provide fine-grained authentication by allowing multiple paths and decision points throughout the flow. Authentication journeys are made up of nodes that define actions taken during authentication.
>
> Each node performs a single task, such as collecting a username or making a simple decision. Nodes can have multiple outcomes rather than just success or failure.
>
> You'll need an authentication journey configured on your server to try out the **Journey** module. That journey must only use [nodes, and therefore callbacks, that the Orchestration SDKs support](../../../../journey/compatibility.html#supported-authentication-journey-callbacks).
>
> **Note:** You can use the default **Login** journey that both Advanced Identity Cloud and PingAM include out-of-the-box.
>
> To create your own authentication journey for use when testing the Orchestration SDKs, follow these steps:
>
> 1. In your PingOne Advanced Identity Cloud tenant, navigate to Journeys, and click + New Journey.
>
> 2. Enter a name, such as `sdkUsernamePasswordJourney`, and click Save.
>
>    The authentication journey designer appears.
>
> 3. Drag the following nodes into the designer area:
>
>    * **Page Node**
>
>    * **Platform Username**
>
>    * **Platform Password**
>
>    * **Data Store Decision**
>
> 4. Drag and drop the **Platform Username** and **Platform Password** nodes onto the **Page Node**, so that they both appear on the same page when logging in.
>
> 5. Connect the nodes as follows:
>
>    ![sdk username password journey idcloud en](../../../../_images/sdk-username-password-journey-idcloud-en.png)
>
>    Figure 1. Example username and password authentication journey
>
> 6. Click Save.

> **Collapse: Task 3. Register a confidential OAuth 2.0 client**
>
> Confidential clients are able to securely store credentials and are commonly used for server-to-server communication. For example, the "Todo" API backend provided with the SDK samples uses a confidential client to obtain tokens.
>
> To register a *confidential* OAuth 2.0 client application for use with the SDKs in PingOne Advanced Identity Cloud, follow these steps:
>
> 1. Log in to your PingOne Advanced Identity Cloud tenant.
>
> 2. In the left panel, click Applications.
>
> 3. Click + Custom Application.
>
> 4. Select OIDC - OpenId Connect as the sign-in method, and then click Next.
>
> 5. Select Web as the application type, and then click Next.
>
> 6. In Name, enter a name for the application, such as `Confidential SDK Client`.
>
> 7. In Owners, select a user responsible for maintaining the application, and then click Next.
>
>    **Note:** When trying out the SDKs, you could select the `demo` user you created previously.
>
> 8. On the Web Settings page:
>
>    1. In Client ID, enter `sdkConfidentialClient`.
>
>    2. In Client Secret, enter a strong password and make a note of it for later use.
>
>       For example, `5tr0ngP@S5w0rd!`
>
>       **Note:** The client secret is not available to view after this step. If you forget it, you must reset the secret and reconfigure any connected clients.
>
>    3. Click Create Application.
>
>       PingOne Advanced Identity Cloud creates the application and displays the details screen.
>
> 9. On the Sign On tab, click Show advanced settings, and on the Access tab:
>
>    1. In Default Scopes, enter `am-introspect-all-tokens`.
>
> 10. Click Save.

> **Collapse: Task 4. Register a public OAuth 2.0 client**
>
> Public clients do not use a client secret to obtain tokens because they are unable to keep one hidden. The Orchestration SDKs commonly use this type of client to obtain tokens, as they cannot guarantee safekeeping of the client credentials in a browser or on a mobile device.
>
> To register a *public* OAuth 2.0 client application for use with the SDKs in PingOne Advanced Identity Cloud, follow these steps:
>
> 1. Log in to your PingOne Advanced Identity Cloud tenant.
>
> 2. In the left panel, click Applications.
>
> 3. Click + Custom Application.
>
> 4. Select OIDC - OpenId Connect as the sign-in method, and then click Next.
>
> 5. Select Native / SPA as the application type, and then click Next.
>
> 6. In Name, enter a name for the application, such as `Public SDK Client`.
>
> 7. In Owners, select a user that is responsible for maintaining the application, and then click Next.
>
>    **Note:** When trying out the SDKs, you could select the `demo` user you created previously.
>
> 8. In Client ID, enter `sdkPublicClient`.
>
> 9. Select **Configure for SDK Sample Apps**.
>
> 10. Click Create Application.
>
>     PingOne Advanced Identity Cloud creates the application and displays the details screen.
>
> 11. On the Sign On tab:
>
>     1. In Sign-In URLs, ensure the following values appear, or add them if they don't:
>
>        `https://localhost:8443/callback.html`
>
>        **Note:** Also add any other domains where you host SDK applications.
>
>     2. In Grant Types, ensure the following values appear:
>
>        `Authorization Code`
>
>        `Refresh Token`
>
>     3. In Scopes, ensure the following values appear:
>
>        `openid profile email address`
>
> 12. Click Show advanced settings, and on the Authentication tab, confirm the following properties:
>
>     1. In Token Endpoint Authentication Method, select `none`.
>
>     2. In Client Type, select `Public`.
>
>     3. Enable the Implied Consent property.
>
> 13. Click Save.
>
> The application is now configured to accept client connections from and issue OAuth 2.0 tokens to the example applications and tutorials covered by this documentation.

> **Collapse: Task 5. Configure the OAuth 2.0 provider**
>
> The provider specifies the supported OAuth 2.0 configuration options for a realm.
>
> To ensure the PingOne Advanced Identity Cloud OAuth 2.0 provider service is configured for use with the Orchestration SDKs, follow these steps:
>
> 1. In your PingOne Advanced Identity Cloud tenant, navigate to Native Consoles > Access Management.
>
> 2. In the left panel, click Services.
>
> 3. In the list of services, click OAuth2 Provider.
>
> 4. On the Core tab, ensure Issue Refresh Tokens is enabled.
>
> 5. On the Consent tab, ensure Allow Clients to Skip Consent is enabled.
>
> 6. Click Save Changes.

> **Collapse: Task 6. Configure CORS**
>
> [Cross-origin resource sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) (CORS) lets user agents make cross-domain server requests. In PingOne Advanced Identity Cloud, you can configure CORS to allow browsers from trusted domains to access PingOne Advanced Identity Cloud protected resources. For example, you might want a custom web application running on your own domain to get an end-user's profile information using the PingOne Advanced Identity Cloud REST API.
>
> The Orchestration SDK for JavaScript samples and tutorials use `https://localhost:8443` as the host domain, which you should add to your CORS configuration.
>
> If you are using a different domain for hosting SDK applications, ensure you add it to the CORS configuration as an accepted origin domain.
>
> To update the CORS configuration in PingOne Advanced Identity Cloud, follow these steps:
>
> 1. Log in to your PingOne Advanced Identity Cloud tenant.
>
> 2. At the top right of the screen, click your name, and then select Tenant settings.
>
> 3. On the Global Settings tab, click Cross-Origin Resource Sharing (CORS).
>
> 4. Perform one of the following actions:
>
>    * If listed, click PingSDK.
>
>    * If there isn't an existing CORS configuration listed, click + Add a CORS Configuration, select Ping SDK, and then click Next.
>
>      The **Ping SDK** template contains many of the default values used in these tutorials.
>
> 5. In Accepted Origins:
>
>    1. Ensure `https://localhost:8443` is listed.
>
>    2. Add any DNS aliases you use to host your Orchestration SDK for JavaScript applications.
>
> 6. Complete the remaining fields to suit your environment.
>
>    This documentation assumes the following configuration, required for the tutorials and sample applications:
>
>    | Property            | Values |
>    | ------------------- | ------ |
>    | `Accepted Origins`  | `https://localhost:8443`, `http://localhost:9443` |
>    | `Accepted Methods`  | `GET`, `POST` |
>    | `Accepted Headers`  | `accept-api-version`, `x-requested-with`, `content-type`, `authorization`, `if-match`, `x-requested-platform`, `iPlanetDirectoryPro` \[1\], `ch15fefc5407912` \[2\] |
>    | `Exposed Headers`   | `authorization`, `content-type` |
>    | `Enable Caching`    | `True` |
>    | `Max Age`           | `600` |
>    | `Allow Credentials` | `True` |
>
>    \[1\] Cookie name value in PingAM servers.
>
>    \[2\] In PingOne Advanced Identity Cloud tenants, go to **Tenant Settings > Global Settings > Cookie** to find this dynamic cookie name value.
>
>    **Note:** Click Show advanced settings to be able to edit all available fields.
>
> 7. Click Save CORS Configuration.
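
One way to check a captured preflight response against the CORS configuration in Task 6, as an added example that is not part of the Ping documentation or SDK. The names `EXPECTED`, `auditPreflight` and `SAMPLE_OK` are hypothetical, and the sample response headers are constructed.

```javascript
// Added example. Expected values mirror the CORS table on this page; the
// tenant-specific cookie header names are left out and can be appended.
const EXPECTED = {
  origins: ['https://localhost:8443', 'http://localhost:9443'],
  methods: ['GET', 'POST'],
  headers: ['accept-api-version', 'x-requested-with', 'content-type',
    'authorization', 'if-match', 'x-requested-platform'],
  maxAge: '600',
};

// Split a comma-separated header value into lowercase tokens.
const tokens = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
// Entries of `want` that do not appear in the token list `got`.
const missing = (want, got) => want.filter((x) => !got.includes(x.toLowerCase()));

// Returns a list of findings; an empty list means the preflight response
// matches the expected policy for this origin.
function auditPreflight(origin, responseHeaders, cfg = EXPECTED) {
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const acao = h['access-control-allow-origin'];
  const findings = [];

  if (!cfg.origins.includes(origin)) {
    // Not in Accepted Origins: the server must not grant this origin access.
    if (acao === origin || acao === '*') findings.push(`unlisted origin ${origin} was allowed`);
    return findings;
  }
  // With Allow Credentials enabled, browsers reject a wildcard origin.
  if (acao !== origin) findings.push(`expected Allow-Origin ${origin}, got ${acao}`);
  if (h['access-control-allow-credentials'] !== 'true') findings.push('Allow Credentials is not true');
  for (const m of missing(cfg.methods, tokens(h['access-control-allow-methods']))) findings.push(`method ${m} missing`);
  for (const n of missing(cfg.headers, tokens(h['access-control-allow-headers']))) findings.push(`header ${n} missing`);
  if (h['access-control-max-age'] !== cfg.maxAge) findings.push(`Max Age is not ${cfg.maxAge}`);
  return findings;
}

// Constructed preflight response headers (not captured from a real tenant).
const SAMPLE_OK = {
  'Access-Control-Allow-Origin': 'https://localhost:8443',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Methods': 'GET, POST',
  'Access-Control-Allow-Headers': EXPECTED.headers.join(', '),
  'Access-Control-Max-Age': '600',
};
console.log(auditPreflight('https://localhost:8443', SAMPLE_OK)); // []
```

Pass the response headers of an `OPTIONS` request observed in the browser's network panel; an empty array means the tenant's CORS policy matches the table for that origin.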
