Identity Cloud

Scripted Decision node

Runs a script during authentication.

The script defines the possible outcome paths by setting one or more values of a string variable named outcome. For more information on creating scripts, refer to Auth scripting. Evaluation continues along the outcome path that matches the value of the outcome variable when script execution completes.

All the inputs required by the script and the outputs produced by it must be declared in the node’s configuration or the script may fail. Even if the definition is null, it still needs to be declared. Use the wildcard * to include any available inputs or outputs.

For information about the API available for use in this node, refer to Scripted decision node API.

Outcomes

Configurable.

Properties

Property Usage

Script

Select the script to execute from the drop-down field.

Outcomes

Enter the possible strings that can be assigned to the outcome variable by the script. These strings provide the possible outcome paths.

Script Inputs

A list of state inputs required by the script. Defaults to *, which means everything currently stored in shared and transient state.

Sensitive data in transient state is upgraded to secure state if:

* The node sends a callback to the user
* A downstream node is detected that is requesting the data in the transient state as input

Unless the downstream node explicitly requests the secure state data by name, the authentication journey removes it from the node state after processing the next callback.

For example, a node in a registration journey stores a user’s password in transient state. The node sends a callback to the user before an inner tree node, downstream in the journey, consumes that password. As part of the callback, the journey assesses what to add to the secure state. It does this by checking the state inputs that downstream nodes in the journey require. Nodes that only request * are ignored, as this would result in putting everything that’s in transient state into secure state, and retaining sensitive information longer than necessary.

If a downstream node requires the password, it must therefore explicitly request it as state input, even if it lists the * wildcard as input.
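The secure state rule described above, as an added sketch that is not part of the ForgeRock documentation or product code: a simplified JavaScript model of which transient values survive a callback, given the Script Inputs declared by downstream nodes. The function names, node objects and sample state are hypothetical, and the model assumes that `*` exposes shared state only.

```javascript
// Simplified model of the rule described above; not ForgeRock code.
// All names (promoteOnCallback, decide, node objects, state keys) are hypothetical.

// Called when a node sends a callback: decide which transient keys are kept
// as secure state, based on the Script Inputs declared by downstream nodes.
function promoteOnCallback(transientState, downstreamNodes) {
  const requested = new Set();
  for (const node of downstreamNodes) {
    for (const input of node.inputs) {
      // "*" never counts as a request for sensitive data.
      if (input !== "*") requested.add(input);
    }
  }
  const secureState = {};
  for (const [key, value] of Object.entries(transientState)) {
    if (requested.has(key)) secureState[key] = value;
  }
  return secureState; // anything not requested by name is dropped
}

// Stand-in for a downstream Scripted Decision node script: it sets one of
// its configured outcomes depending on whether it can read the password.
function decide(node, sharedState, secureState) {
  const declared = new Set(node.inputs);
  const canRead = (key) =>
    (declared.has(key) && key in secureState) ||
    ((declared.has(key) || declared.has("*")) && key in sharedState);
  return canRead("password") ? "hasPassword" : "noPassword";
}

// Constructed sample data.
const shared = { username: "demo" };
const transient = { password: "constructed-sample-value" };

// Two downstream node configurations: wildcard only, and wildcard plus the key.
const wildcardOnly = { name: "wildcardOnly", inputs: ["*"] };
const explicit = { name: "explicit", inputs: ["*", "password"] };

// Runs the callback step and then the downstream script for one configuration.
function run(node) {
  const secure = promoteOnCallback(transient, [node]);
  return { secureKeys: Object.keys(secure), outcome: decide(node, shared, secure) };
}
```

In this model, `run(wildcardOnly)` loses the password after the callback, while `run(explicit)` keeps it because the key is named alongside the wildcard.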

Script Outputs

A list of state outputs produced by the script. Defaults to *, which means everything currently stored in state.

Copyright © 2010-2022 ForgeRock, all rights reserved.