AM 7.4.0

Scripting environment

AM supports server-side scripts written in either JavaScript or Groovy. Scripts used for client-side authentication must be written in JavaScript.

To access the functionality AM provides, import the required Java class or package, as follows:

  • JavaScript

  • Groovy

var fr = JavaImporter(
// Now use fr.Action, fr.NameCallback, and so on.
import org.forgerock.openam.auth.node.api.*;

You may need to allowlist the classes you use in scripts. Refer to Security.

You can use scripts to modify default AM behavior in the following situations, also known as contexts:

Client-side authentication

Scripts that are executed on the client during authentication.

Client-side scripts must be in JavaScript.

Server-side authentication

Scripts are included in an authentication module within a chain and are executed on the server during authentication.

Authentication trees

Scripts are included in an authentication node within a tree and are executed on the server during authentication.

Policy conditions

Scripts used as conditions within policies.

OIDC claims

Scripts that gather and populate the claims in a request when issuing an ID token or making a request to the userinfo endpoint.

OAuth 2.0 access tokens

Scripts that modify the key-value pairs contained within access tokens before they are issued to a client.

Scripting engine

AM implements a configurable scripting engine for each of the context types that are executed on the server.

AM uses the following libraries:

  • Mozilla Rhino version 1.7.14 to run JavaScript.

    Rhino has limited support for ES6 / ES2015 (JavaScript version 1.7). For more information, refer to Rhino ES2015 Support.

  • Groovy version 3.0.10 to support scripting in Groovy

The scripting engines in AM have two main components: security settings and the thread pool.

The scripting engines contain configuration for security settings and thread pool management.
Copyright © 2010-2024 ForgeRock, all rights reserved.