To access the functionality AM provides, import the required Java class or package, as follows:
```javascript
var fr = JavaImporter(
    org.forgerock.openam.auth.node.api.Action,
    javax.security.auth.callback.NameCallback
);
// Now use fr.Action, fr.NameCallback, and so on.
```

```groovy
import org.forgerock.openam.auth.node.api.*;
import javax.security.auth.callback.NameCallback;
```
You may need to allowlist the classes you use in scripts. Refer to Security.
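A pre-deployment check for the allowlisting requirement above, as an added example that is not part of the AM documentation or product: it extracts the Java classes a JavaScript or Groovy script imports and reports which ones a given allowlist does not cover. The allowlist contents and the rule that an entry ending in `.*` covers every class under that prefix are assumptions; substitute the entries configured for your script type. The checker itself runs under Node.js.

```javascript
// Added example (not ForgeRock code). ALLOWLIST entries are constructed, and the rule
// that an entry ending in ".*" covers every class under that prefix is an assumption.
const ALLOWLIST = [
  "org.forgerock.openam.auth.node.api.*",
  "java.lang.String",
];

// Collect class names from JavaImporter(...) calls (JavaScript) and import statements (Groovy).
function importedClasses(source) {
  const found = new Set();
  for (const call of source.matchAll(/JavaImporter\s*\(([^)]*)\)/g)) {
    for (const name of call[1].split(",")) {
      if (name.trim()) found.add(name.trim());
    }
  }
  for (const stmt of source.matchAll(/(?:^|;)\s*import\s+(?:static\s+)?([\w.]+\*?)/gm)) {
    found.add(stmt[1]);
  }
  return [...found];
}

function isAllowed(className, allowlist) {
  return allowlist.some((entry) =>
    entry.endsWith(".*") ? className.startsWith(entry.slice(0, -1)) : entry === className
  );
}

// Sort each import into allowed, missing (needs an allowlist entry), or wildcard
// (a package import names no specific class, so it has to be reviewed by hand).
function audit(source, allowlist = ALLOWLIST) {
  const report = { allowed: [], missing: [], wildcard: [] };
  for (const name of importedClasses(source)) {
    if (name.endsWith(".*")) report.wildcard.push(name);
    else if (isAllowed(name, allowlist)) report.allowed.push(name);
    else report.missing.push(name);
  }
  return report;
}

// The two import snippets from this page, used as sample input.
const JS_SCRIPT = `var fr = JavaImporter(
  org.forgerock.openam.auth.node.api.Action,
  javax.security.auth.callback.NameCallback
);`;
const GROOVY_SCRIPT = `import org.forgerock.openam.auth.node.api.*;
import javax.security.auth.callback.NameCallback;`;

console.log(audit(JS_SCRIPT));
console.log(audit(GROOVY_SCRIPT));
```

Classes listed under `missing` are the ones to review before adding them to the allowlist; a `wildcard` entry means the script must be read to see which classes from that package it actually uses.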
You can use scripts to modify default AM behavior in the following situations, also known as contexts:
- Client-side authentication
Scripts that are executed on the client during authentication.
- Server-side authentication
Scripts are included in an authentication module within a chain and are executed on the server during authentication.
- Authentication trees
Scripts are included in an authentication node within a tree and are executed on the server during authentication.
- Policy conditions
Scripts used as conditions within policies.
- OIDC claims
Scripts that gather and populate the claims in a request when issuing an ID token or making a request to the
- OAuth 2.0 access tokens
Scripts that modify the key-value pairs contained within access tokens before they are issued to a client.
AM implements a configurable scripting engine for each of the context types that are executed on the server.
AM uses the following libraries:
- Groovy version 3.0.10 to support scripting in Groovy
The scripting engines in AM have two main components: security settings and the thread pool.