Identity Cloud

Token exchange scripting API

AM binds the following variables into OAuth2 May Act scripts:


A map of properties configured in the relevant client profile. Only present if AM identified the client that made the request, so check that the variable is bound before using it.

The keys in the map are as follows:


The URI of the client.


The list of the allowed grant types for the client. For details, refer to the Javadoc for GrantType.


The list of the allowed response types for the client.


The list of the allowed scopes for the client.


A map of any custom properties added to the client.

Custom property values can themselves be lists or maps, which the script sees as nested maps. For example, a custom property entered as customMap[Key1]=Value1 is presented to the script as a map customMap containing the key Key1 with the value Value1.

To add custom properties to a client, use the AM admin UI. Go to OAuth 2.0 > Clients > Client ID > Advanced, and update the Custom Properties field.


Contains a representation of the identity of the resource owner.


Write a message to the AM debug log.

In Identity Cloud, this corresponds to the am-core log source.

The name of the debug logger starts with scripts.OAUTH2_MAY_ACT.


A map of the properties present in the request. Always present.

The keys in the map are as follows:


The URI of the request.


The realm to which the request was made.


The request parameters and posted data. Each value in this map is a list of one or more strings, because the same parameter can be sent more than once.

These values are supplied by the caller, so treat them as untrusted input: validate them against an allow-list or a strict pattern before using them in a claim, a lookup or a log message, following OWASP input-handling guidance, to mitigate injection and reflection-type attacks.


Contains a set of the requested scopes. For example:


The display name of the script. Always present.


Contains a representation of the user’s session object if the request contained a session cookie.


Contains a representation of the token to be updated. The token is a mutable object; changes update the resulting token.

Use the token.setMayAct(JsonValue value) method when performing token exchange. This adds the may_act claim to the token; the claim states which actor (identified by client_id and, optionally, sub) is authorized to act on behalf of the token's subject in a token exchange, as defined in RFC 8693. Refer to Configure a new may act script.
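The following is an added example of a complete May Act script in Groovy, written for this page; it is not AM's sample script and not code from the original page. It assumes the binding names clientProperties, requestProperties, logger and token and the map keys clientId, customProperties, requestParams and realm, which should be checked against the variable list for your AM version. The client custom property mayActClientId and the request parameter actor_sub are invented for this example; the script reads the former from the client profile, takes the latter from the request as a list value, validates both before they reach the claim or the debug log, and sets may_act only when the client was identified and a valid actor is configured.

```groovy
import org.forgerock.json.JsonValue

// Added example of an OAuth2 May Act script, not AM's own sample.
// Assumed binding names: clientProperties, requestProperties, logger, token.
// Assumed map keys: clientId, customProperties, requestParams, realm.
// Invented for this example: the client custom property "mayActClientId"
// and the request parameter "actor_sub".

// Only plain identifiers are allowed into the may_act claim. Anything else is
// rejected rather than escaped, so nothing untrusted is reflected into the
// token or into the debug log.
def IDENTIFIER = ~/^[A-Za-z0-9._:@-]{1,128}$/

// clientProperties is only bound when AM identified the client, so referencing
// it for an unidentified client throws MissingPropertyException.
def clientProps = null
try {
    clientProps = clientProperties
} catch (MissingPropertyException ignored) {
    // variable not bound: client unknown
}
if (clientProps == null) {
    logger.warning("may-act: client not identified, issuing token without may_act")
    return
}
def clientId = clientProps.get("clientId")

// The actor allowed to exchange this token is configured per client under
// OAuth 2.0 > Clients > Client ID > Advanced > Custom Properties, for example
// mayActClientId=exchangeClient. Custom properties may be nested maps, so only
// a top-level string value is accepted here.
def customProps = clientProps.get("customProperties") ?: [:]
def actorClientId = customProps.get("mayActClientId")
if (!(actorClientId instanceof String) || !(actorClientId ==~ IDENTIFIER)) {
    logger.message("may-act: client " + clientId + " has no valid mayActClientId, no may_act added")
    return
}

// Request parameters are Map<String, List<String>> because a parameter can be
// sent more than once. Take the first value only and validate it before use;
// it is caller-supplied input.
def params = requestProperties.get("requestParams") ?: [:]
def actorSubValues = params.get("actor_sub")
def actorSub = null
if (actorSubValues != null && !actorSubValues.isEmpty()) {
    def candidate = actorSubValues.get(0)
    if (candidate instanceof String && candidate ==~ IDENTIFIER) {
        actorSub = candidate
    } else {
        logger.warning("may-act: ignoring malformed actor_sub from client " + clientId)
    }
}

// Build the may_act claim (RFC 8693): the named client, and optionally the
// subject it must authenticate as, may exchange this token. The token binding
// is mutable, so setMayAct changes the token that AM issues.
def mayAct = [client_id: actorClientId]
if (actorSub != null) {
    mayAct.sub = actorSub
}
token.setMayAct(JsonValue.json(mayAct))
logger.message("may-act: realm " + requestProperties.get("realm") + ", client " + clientId +
        " token may be exchanged by " + actorClientId + (actorSub != null ? " as " + actorSub : ""))
```

The script deliberately fails closed: an unidentified client, a missing or malformed mayActClientId, or a malformed actor_sub all result in a token with no may_act claim, which AM will then refuse to exchange, rather than a claim built from unvalidated input.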

Copyright © 2010-2022 ForgeRock, all rights reserved.