Identity Cloud

Scope validation plugin

Use this plugin to configure the OAuth 2.0 provider to validate the set of requested scopes against the allowed scopes and, optionally, to modify the list of valid scopes.

The plugin comprises four functions that let you customize the validation of scopes at the following endpoints:

Function / Method Endpoint




/authorize and /access_token





To view a sample script, including the available script properties, see oauth2-validate-scope.js

Example scope validation plugin

Complete the following steps to implement a scope validation script that modifies the list of valid scopes.

Prepare the scope validation script

This task decribes how to create a script to add an extra scope value.

  1. In the AM admin UI, go to Realms > Realm Name > Scripts, and click New Script.

  2. Enter a unique name for your script, select OAuth2 Validate Scope from the Script Type drop-down list, and click Create.

  3. Copy the oauth2-validate-scope.js script and paste in the Script field.

    • Update the script by inserting the following line of code preceding return scopes; on line 69:

  4. Save your changes.

The scope validation script is now amended to add customscope to the requested scopes.

Configure AM to use the custom scope validation script

Perform this task to set up the OAuth2 provider to use the scope validation script.

  1. Log in to the AM admin UI as an administrator.

  2. Configure the provider to ensure the following properties are set:

    • Scope Validation Plugin Type to SCRIPTED.

    • Scope Validation Script to the name of the script you created.

  3. Save your changes.

Create an OAuth2 client

Create an OAuth 2.0 client to use in the client credentials grant flow.

  1. In the AM console, go to Realms > Realm Name > Applications > OAuth 2.0 > Clients, and click Add Client.

  2. Enter the following values:

    • Client ID: myClient

    • Client secret: forgerock

    • Redirection URIs:

    • Scope(s): access

  3. In Advanced > Grant Types, add Client Credentials.

  4. Click Create.

  5. Save your changes.

AM is now configured for you to try the sample scope validation script.

Try the custom scope validation plugin script

To try your custom script, use the Client credentials grant flow.

  1. Send a POST request to the /oauth2/access_token endpoint, specifying the grant type as client_credentials, scope as access, and your client details.

    For example:

    $ curl \
    --request POST \
    --data "grant_type=client_credentials" \
    --data "client_id=myClient" \
    --data "client_secret=forgerock" \
    --data "scope=access" \
      "access_token": "M3M2Jb2SMjvgWhzNas2SVy2LALg",
      "scope": "access",
      "token_type": "Bearer",
      "expires_in": 3599
  2. Call the /oauth2/tokeninfo (Legacy) endpoint to inspect the custom scope values. Include the access token value obtained in the previous request.

    For example:

    $ curl \
      "access_token": "M3M2Jb2SMjvgWhzNas2SVy2LALg",
      "access": "",
      "grant_type": "client_credentials",
      "auditTrackingId": "f9a8395d-1bac-4cba-8b09-8cc336dc49e2-6810",
      "scope": ["access", "customscope"],
      "realm": "/alpha",
      "token_type": "Bearer",
      "expires_in": 3583,
      "authGrantId": "l3355H89FDSWsfdKJmvWssGk_oE",
      "customscope": "",
      "client_id": "myClient"

    Verify that the response contains both the requested scope and the additional scope, customscope.

OAuth 2.0 scope validation scripting API

The following properties are available to scope validation scripts, in addition to the common OAuth 2.0 properties.

Show script properties

The set of requested scopes.


The set of default scopes.


The set of allowed scopes.

Copyright © 2010-2022 ForgeRock, all rights reserved.