Scripting environment
AM supports scripts written in either JavaScript, or Groovy. Scripts used for client-side authentication must be written in JavaScript.
How to determine the JavaScript Engine Version
You can use a script to check the version of the JavaScript engine AM is using. You could temporarily add the following script to a Scripted Decision node, for example, to output the engine version to the debug log:
var rhino = JavaImporter(
org.mozilla.javascript.Context
)
var currentContext = rhino.Context.getCurrentContext()
var rhinoVersion = currentContext.getImplementationVersion()
logger.error("JS Script Engine: " + rhinoVersion)
outcome = "true"|
Ensure the following are listed in the Java class whitelist property of the scripting engine.
To view the Java class allowlist, go to Configure > Global Services > Scripting > Secondary Configurations. Select the script type, and on the Secondary Configurations tab, click engineConfiguration. |
AM uses the Mozilla Rhino JavaScript engine.
How to determine the Groovy engine version
You can use a script to check the version of the Groovy scripting engine AM is using. You could temporarily add the following script to a Scripted Decision node, for example, to output the engine version to the debug log:
logger.error("Groovy Script Engine: " + GroovySystem.version)
outcome = "true"|
Ensure the following are listed in the Java class whitelist property of the scripting engine.
To view the Java class allowlist, go to Configure > Global Services > Scripting > Secondary Configurations. Select the script type, and on the Secondary Configurations tab, click engineConfiguration. |
AM uses the Apache Groovy engine.
To access the functionality AM provides, import the required Java class or package, as follows:
var fr = JavaImporter(
org.forgerock.openam.auth.node.api,
javax.security.auth.callback.NameCallback
);
with (fr) {
...
}import org.forgerock.openam.auth.node.api.*;
import javax.security.auth.callback.NameCallback;You may need to allowlist the classes you use in scripts. See Security.
You can use scripts to modify default AM behavior in the following situations, also known as contexts:
- Client-side authentication
-
Scripts that are executed on the client during authentication.
Client-side scripts must be in JavaScript.
- Server-side authentication
-
Scripts are included in an authentication module within a chain and are executed on the server during authentication.
- Authentication trees
-
Scripts are included in an authentication node within a tree and are executed on the server during authentication.
- Policy conditions
-
Scripts used as conditions within policies.
- OIDC claims
-
Scripts that gather and populate the claims in a request when issuing an ID token or making a request to the
userinfoendpoint. - OAuth 2.0 access tokens
-
Scripts that modify the key-value pairs contained within access tokens before they are issued to a client.
AM implements a configurable scripting engine for each of the context types that are executed on the server.
The scripting engines in AM have two main components: security settings, and the thread pool.
