Identity Cloud

Token exchange scripting API

AM binds the following variables into OAuth2 May Act scripts:

clientProperties

A map of properties configured in the relevant client profile. Only present if AM correctly identified the client.

The keys in the map are as follows:

clientId

The URI of the client.

allowedGrantTypes

The list of the allowed grant types for the client. For details, refer to the Javadoc for GrantType.

allowedResponseTypes

The list of the allowed response types for the client.

allowedScopes

The list of the allowed scopes for the client.

customProperties

A map of any custom properties added to the client.

These properties can include lists or maps as sub-maps. For example, a custom property configured as customMap[Key1]=Value1 is exposed to the script as the nested path customMap > Key1 > Value1 in the object.

To add custom properties to a client, use the AM admin UI. Go to OAuth 2.0 > Clients > Client ID > Advanced, and update the Custom Properties field.

identity

Contains a representation of the identity of the resource owner.

logger

Writes a message to the AM debug log.

In Identity Cloud, this corresponds to the am-core log source.

The name of the debug logger starts with scripts.OAUTH2_MAY_ACT.

requestProperties

A map of the properties present in the request. Always present.

The keys in the map are as follows:

requestUri

The URI of the request.

realm

The realm to which the request was made.

requestParams

The request parameters and posted data. Each value in this map is a list of one or more properties.

Treat these values as untrusted input: to mitigate the risk of reflection-type attacks, validate and encode them according to OWASP best practices before using them.

scopes

Contains a set of the requested scopes. For example:

[
  "read",
  "transfer",
  "download"
]

scriptName

The display name of the script. Always present.

session

Contains a representation of the user’s session object if the request contained a session cookie.

token

Contains a representation of the token to be updated. The token is a mutable object; changes update the resulting token.

Use the token.setMayAct(JsonValue value) method when performing token exchange. This adds the may_act claim to a token. Refer to Configure a new may act script.
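As an added example (not a script from the ForgeRock documentation or the product), the following May Act script applies a least-privilege delegation policy using the bindings above: it refuses the exchange unless the calling client is in a constructed allow-list and every requested scope is within that client's permitted scopes, and only then sets a may_act claim naming the permitted actor. It assumes clientProperties and scopes are a Java Map and Set in the AM script engine and that the org.forgerock.json.JsonValue static helpers are available; DELEGATION_POLICY and the client and actor names are constructed sample data.

```javascript
// Added example of an OAuth2 May Act script; not from the ForgeRock docs.
// Delegation policy keyed by clientProperties.clientId (constructed sample data):
// which actor a client may delegate to, and the only scopes it may delegate.
var DELEGATION_POLICY = {
  "mobile-app": { actor: "payments-service", scopes: ["read", "transfer"] }
};

// Pure decision function, kept free of AM bindings so it can be tested alone.
// Returns the may_act claim body, or null when the exchange must not be
// delegated: unknown client, or any requested scope outside the policy.
function decideMayAct(clientId, requestedScopes) {
  var rule = DELEGATION_POLICY[clientId];
  if (!rule) {
    return null;
  }
  for (var i = 0; i < requestedScopes.length; i++) {
    if (rule.scopes.indexOf(requestedScopes[i]) < 0) {
      return null; // one out-of-policy scope refuses the whole request
    }
  }
  return { client_id: rule.actor };
}

// Glue to the AM bindings; guarded so the file also loads outside AM.
// Assumption: clientProperties is a Java Map and scopes is a Java Set.
if (typeof token !== "undefined" && typeof clientProperties !== "undefined") {
  var fr = JavaImporter(org.forgerock.json.JsonValue);
  var clientId = String(clientProperties.get("clientId"));
  var requested = [];
  var it = scopes.iterator();
  while (it.hasNext()) {
    requested.push(String(it.next()));
  }
  var decision = decideMayAct(clientId, requested);
  if (decision === null) {
    logger.warning("may_act refused for client " + clientId + ", scopes " + requested);
  } else {
    // Resulting token carries may_act: { "client_id": "<actor>" }
    token.setMayAct(fr.JsonValue.json(fr.JsonValue.object(
      fr.JsonValue.field("client_id", decision.client_id))));
    logger.message("may_act set for client " + clientId + " -> " + decision.client_id);
  }
}
```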

Copyright © 2010-2022 ForgeRock, all rights reserved.