Identity Cloud

Token exchange scripting API

The following properties are available when creating a OAuth2 May Act Script:


A map of properties configured in the relevant client profile. Only present if the client was correctly identified.

The keys in the map are as follows:


The URI of the client.


The list of the allowed grant types (org.forgerock.oauth2.core.GrantType) for the client.


The list of the allowed response types for the client.


The list of the allowed scopes for the client.


A map of any custom properties added to the client.

Lists or maps are included as sub-maps. For example, a custom property of customMap[Key1]=Value1 is returned as customMap > Key1 > Value1.

To add custom properties to a client, go to OAuth 2.0 > Clients > Client ID > Advanced, and then update the Custom Properties field.


Contains a representation of the identity of the resource owner.


Write information to the AM debug logs.

Created log files have a prefix of scripts.OAUTH2_MAY_ACT.


A map of the properties present in the request. Always present.

The keys in the map are as follows:


The URI of the request.


The realm to which the request was made.


The request parameters, and/or posted data. Each value in this map is a list of one, or more, properties.

To mitigate the risk of reflection-type attacks, use OWASP best practices when handling these properties. For example, see Unsafe use of Reflection.


Contains a set of the requested scopes. For example:


The display name of the script. Always present.


Contains a representation of the user’s session object if the request contained a session cookie.


Contains a representation of the token to be updated. As a mutable object, any changes made are reflected in the resulting token.

Use the token.setMayAct(JsonValue value) method when performing token exchange. This adds the may_act claim to a token. See Configure a new may act script.

Copyright © 2010-2022 ForgeRock, all rights reserved.