Authorize endpoint data provider

Use this plugin to configure the OAuth2 provider to return additional data from an authorization request, such as data from the user’s session or from an external service.

Default script: To view the default script, including the available script properties, refer to oauth2-authorize-endpoint-data-provider.js.

To view or modify the default script in the AM admin UI, go to Realms > Realm Name > Scripts and select OAuth2 Authorize Endpoint Data Provider Script.
Java interface: org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider
Java sample

Show Sample Code

/*
 * Copyright 2021-2022 ForgeRock AS. All Rights Reserved
 *
 * Use of this code requires a commercial software license with ForgeRock AS.
 * or with one of its affiliates. All use shall be exclusively subject
 * to such license between the licensee and ForgeRock AS.
 */

package org.forgerock.openam.examples;

import java.util.HashMap;
import java.util.Map;

import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.Token;
import org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider;

/**
 * Custom implementation of the Authorize Endpoint Data Provider
 * plugin interface {@link org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider}
 *
 * <li>
 * The {@code provide} method returns hard coded additional value.
 * </li>
 *
 */
public class CustomAuthorizeEndpointDataProvider implements AuthorizeEndpointDataProvider {

    @Override
    public Map<String, String> provide(Map<String, Token> tokens, OAuth2Request request) {
        Map<String, String> customMapping = new HashMap<String, String>();
        customMapping.put("additional", "field");
        return customMapping;
    }
}

Example authorization endpoint data provider plugin

Complete the following steps to implement an authorization endpoint data provider script that returns custom user session data:

Configure the authorization endpoint data provider script
Configure AM to use the authorization endpoint data provider script
Create an OAuth2 client for authorization
Try the sample authorization endpoint data provider plugin

To configure AM to use a Java authorization endpoint data provider plugin, refer to Configure AM to use a Java OAuth 2.0 plugin.

Configure the authorization endpoint data provider script

This task describes how to modify the default script to retrieve additional fields. To create a new script instead, refer to Manage scripts (UI), and reference the new script name when you configure the provider.

In the AM admin UI, go to Realms > Realm Name > Scripts, and click OAuth2 Authorize Endpoint Data Provider Script.
In the Script field:
- Enable the script by removing, or commenting out as in this example, the following block comments surrounding the function, on lines 40 and 90:
  // /* EXAMPLE ... // */
- For the purposes of this simple test, comment out the call to add data from a third party service:
  //addAdditionalDataFromExternalService();
Save your changes.

The default authorization endpoint data provider script is now amended to return a static key/value pair, "hello": "world", and to get the user’s IP address from the session data.

Configure AM to use the authorization endpoint data provider script

Perform this task to set up an OAuth2 provider to use the authorization endpoint data provider script.

Log in to the AM admin UI as an administrator.

For example, amAdmin.
Configure the provider to ensure the following properties are set:
- Authorize Endpoint Data Provider Plugin Type to SCRIPTED.
- Authorize Endpoint Data Provider Script to OAuth2 Authorize Endpoint Data Provider Script.
  
  If you created a new script rather than editing the default, you need to reference the new script name here.
Save your changes.

Create an OAuth2 client for authorization

Create an OAuth 2.0 client to use in the authorization request.

In the AM admin UI, go to Realms > Realm Name > Applications > OAuth 2.0 > Clients, and click Add Client.
Enter the following values:
- Client ID: myClient
- Client secret: forgerock
- Redirection URIs: https://www.example.com:443/callback
- Scope(s): access|Access to your data
Click Create.

AM is now prepared for you to perform an OAuth2 authorization request to try the sample plugin.

Try the sample authorization endpoint data provider plugin

$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "X-OpenAM-Username: demo" \
--header "X-OpenAM-Password: Ch4ng31t" \
--header "Accept-API-Version: resource=2.0, protocol=1.0" \
'https://openam.example.com:8443/openam/json/realms/root/realms/alpha/authenticate'
{
    "tokenId":"AQIC5wM…TU3OQ*",
    "successUrl":"/openam/console",
    "realm":"/alpha"
}

Note the SSO token value returned as tokenId in the output.

Invoke the authorization server’s /oauth2/authorize endpoint specifying the SSO token value in a cookie, and the following parameters:

client_id=myClient
response_type=code
redirect_uri=https://www.example.com:443/callback
decision=allow
csrf=SSO-token

For example:

$ curl --dump-header - \
--request POST \
--Cookie "iPlanetDirectoryPro=AQIC5wM…TU3OQ*" \
--data "scope=access" \
--data "response_type=code" \
--data "client_id=myClient" \
--data "csrf=AQIC5wM…TU3OQ*" \
--data "redirect_uri=https://www.example.com:443/callback" \
--data "state=abc123" \
--data "decision=allow" \
"https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/authorize"

If the authorization server is able to authenticate the user and the client, it returns a successful HTTP 302 response, for example:

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-Control: no-store
Date: Mon, 30 Jul 2018 11:42:37 GMT
Accept-Ranges: bytes
Location: https://www.example.com:443/callback?code=g5B3qZ8rWzKIU2xodV&ipAddress=127.0.0.1&scope=access&iss=https%3A%2F%2Fopenam.example.com%3A8443%2Fopenam%2Foauth2&hello=world&state=abc123&client_id=myClient
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Content-Length: 0

As the example output indicates, the parameters injected by the authorization endpoint data provider script, ipAddress=127.0.0.1 and hello=world, are both appended to the redirect URL.

Authorization endpoint data provider scripting API

The following properties are available to authorization endpoint data provider scripts.

Binding Description

Binding	Description
`httpClient`	An HTTP client for making external HTTP requests.
`logger`	The logger instance for the script. Logger names use the format `scripts.OAUTH2_AUTHORIZE_ENDPOINT_DATA_PROVIDER.<script UUID>.(<script name>)`. Refer to Debug logging.
`scriptName`	The display name of the script.
`session`	The user’s session object if the request contains a session cookie. For details, refer to SSOToken.

httpClient

An HTTP client for making external HTTP requests.

logger

The logger instance for the script.

Logger names use the format scripts.OAUTH2_AUTHORIZE_ENDPOINT_DATA_PROVIDER.<script UUID>.(<script name>).

Refer to Debug logging.

scriptName

The display name of the script.

session

The user’s session object if the request contains a session cookie.

For details, refer to SSOToken.

AM 7.3.1