Identity Cloud

Customize OAuth 2.0 with plugins

AM includes several plugin points that let you extend OAuth 2.0 authorization server functionality, such as modifying access tokens or customizing how AM processes scopes.

Supported plugin points

The following table describes the OAuth 2.0 plugin points supported in AM.

Plugin Description

Modify the OAuth2 access token before the token is persisted or returned to the client.

Return additional data from an authorization request.

Evaluate and return an OAuth2 access token’s scope information.

Customize the set of requested scopes for authorize, access token, refresh token, and back channel authorize requests.

Fetch the resource owner’s information based on an issued access token.

How to build and use a custom OAuth 2.0 plugin

AM supports scripted custom plugins that are written in JavaScript. The following sections describe how to deploy a custom plugin.

Customize with a plugin script

AM provides a scripting engine and template scripts for you to extend OAuth 2.0 behavior by running scripts stored as configuration, rather than by updating code. Creating and modifying plugin scripts enables rapid development without the need to change or recompile core AM.

Create or modify an OAuth 2.0 plugin script

To create or edit a script that is saved for the current realm, you can use the AM admin UI. The sample scripts provide a good starting point for you to develop your own custom implementation.

For more information, see Scripting.

Configure AM to use an OAuth 2.0 plugin script

After creating your plugin script, you need to configure AM to use the plugin.

  1. In the AM admin UI, go to Realms > Realm Name > Services > OAuth2 Provider > Plugins to configure the OAuth 2.0 provider for the realm.

    Alternatively, to configure plugins at the client level, go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client Name > OAuth2 Provider Overrides.

  2. Set the Plugin Type attribute to SCRIPTED.

  3. Set the Script attribute to the name of the script you want to use.

    For example, for the scope validation plugin, select the name of your script from the Scope Validation Script drop-down list. This list contains all the scripts that are saved for the current realm for the particular plugin type, including any default scripts that AM provides. In the case of the scope validation plugin, the list displays all scripts of type OAuth2 Validate Scope.

    For further details about setting plugin configuration, see the OAuth2 provider configuration and Client overrides.

  4. Save your changes.

OAuth 2.0 scripting API

For information about the API available for implementing scripts, see:

  • The AccessToken interface provides methods that let you view or modify the data associated with an access token.

  • The AMIdentity interface represents an identity that is managed by AM.

  • The SSOToken interface contains SSO token and authentication information, as well as session-related properties.

The following properties are common to all OAuth 2.0 scripts. See individual plugins for additional properties specific to the script type.

Show script properties

The HTTP client for making external HTTP requests. Always present.


The logger instance particular to the script type. The output log files will be prefixed by a static string denoting the script type. Always present.


The display name of the script. Always present.

Copyright © 2010-2022 ForgeRock, all rights reserved.