Scripting OpenID Connect 1.0 Claims

The script is configured in the OAuth 2.0 provider. To configure a different script of the type OIDC Claims, go to Realms > Realm Name > Services > OAuth 2.0 Provider > OpenID Connect, and then select it in the OIDC Claims Script drop-down menu.

To examine the contents of the default OIDC claims script, go to Realms > Realm Name > Scripts, and then select the OIDC Claims Script.

For more information about scripting in AM, see Getting Started with Scripting.

OpenID Connect Claims Scripting API

The following properties are available to scripts:


Contains a map of the claims the server provides by default. For example:

  "sub": "248289761001",
  "updated_at": "1450368765"

A map of properties configured in the relevant client profile. Only present if the client was correctly identified.

The keys in the map are as follows:


The URI of the client.


The list of the allowed grant types (org.forgerock.oauth2.core.GrantType) for the client.


The list of the allowed response types for the client.


The list of the allowed scopes for the client.


A map of any custom properties added to the client.

Lists or maps are included as sub-maps. For example, a custom property of customMap[Key1]=Value1 is returned as customMap > Key1 > Value1.

To add custom properties to a client, go to OAuth 2.0 > Clients > Client ID > Advanced, and then update the Custom Properties field.


Contains a representation of the identity of the resource owner.

For more details, see the com.sun.identity.idm.AMIdentity class in the ForgeRock Access Management Javadoc.


Contains requested claims if the claims query parameter is used in the request, and Enable "claims_parameter_supported" is checked in the OAuth 2.0 provider service configuration; otherwise, this property is empty.

For more information see "Requesting Claims using the "claims" Request Parameter" in the OpenID Connect Core 1.0 specification.


  "given_name": {
    "essential": true,
    "values": [
      "Demo User",
      "D User"
  "nickname": null,
  "email": {
    "essential": true

A map of the properties present in the request. Always present.

The keys in the map are as follows:


The URI of the request.


The realm to which the request was made.


The request parameters, and/or posted data. Each value in this map is a list of one, or more, properties.


To mitigate the risk of reflection-type attacks, use OWASP best practices when handling these properties. For example, see Unsafe use of Reflection.


Contains a set of the requested scopes. For example:


The display name of the script. Always present.


Contains a representation of the user's session object if the request contained a session cookie.

For more details, see the com.iplanet.sso.SSOToken class in the ForgeRock Access Management Javadoc.

Read a different version of :