Identity Cloud

Next-generation scripts

The next-generation scripting engine offers the following benefits:

  • A stable set of enhanced bindings that reduces the need to allowlist Java classes to access common functionality.

Ease of use
  • Simplify your scripts with fewer imports and more intuitive return types that require less code.

  • Easier debugging through clear log messages and a simple logging interface based on SLF4J.

  • Making requests to other APIs from within scripts is easier with a more intuitive HTTP client.

Reduced complexity
  • Simplify and modularize your scripts with library scripts by reusing commonly used code snippets as CommonJS modules.

    Reference library scripts from a next-generation script.

  • Access identity management information seamlessly through the openidm binding.


The following script types use the next-generation scripting engine:

These are the only script types that can use library scripts and next-generation bindings.

Migrate to next-generation scripts

To use next-generation bindings, you must migrate eligible legacy scripts.

The next-generation engine can’t use legacy scripts.

Where possible, you should migrate legacy scripts to take advantage of next-generation stability.

You can’t change the script engine version after you have created a script.

To migrate existing scripts, create a new script and convert your legacy code:

  1. Create a script and select Next Generation on the Choose Script Engine page.

  2. Copy and paste the legacy version of your script into the JavaScript field.

  3. Review any Java classes that you needed to allowlist to use in your legacy script.

    You can’t add Java classes to the next-generation allowlist.

    Instead, check if any next-generation bindings provide similar functionality, or reimplement the class as a library script. Library scripts let you add third-party code as reusable JavaScript modules that can be referenced from other scripts.

    If this isn’t possible, you can request the functionality to be included as a supported script binding in a future release.

  4. Update your bindings according to the API documentation for the specific script type.

    The following table provides links to examples of how to migrate common bindings to next-generation scripts.

    Binding Next-generation change

    Uses native JavaScript objects, similar to the Fetch API.

    Logger is now based on org.slf4j.Logger, instead of com.sun.identity.shared.debug.Debug.

    Use this binding to access the openidm scripting functions supported in IDM.


Call HTTP services with the httpClient.send method. HTTP client requests are asynchronous, unless the get() method is invoked on the returned object.

For more information, refer to Access HTTP services.

  • Legacy

  • Next-generation

var fr = JavaImporter(

var requestURL =
var request = new

request.setUri(requestURL);                 1
    "Bearer abcd-1234");                    2
    {"username": "demo"}));

var response =
    httpClient.send(request).get();         3

var responseCode =
    response.getStatus().getCode();         4

if (responseCode === 200) {
    action = fr.Action.goTo("true").build();
} else {
    action = fr.Action.goTo("false").build();
 // import an external library to get token
var authLib = require('authLib');
var bearerToken =

var options = {                             1
  method: "POST",
  headers: {
    "Content-Type": "application/json"
  token: bearerToken,                       2
  body: {
    username: "demo"

var requestURL =
var response = httpClient.send(
    requestURL, options).get();             3

if (response.status === 200) {              4
} else {

1 Set the request options as a native JavaScript object, instead of setting parameters on a Request object.
2 Use Library scripts to reuse common pieces of code; for example, to get an authentication token.
3 Call httpClient.send with the request URL and options as separate arguments, instead of a Request object.
4 Access response data directly using the methods and properties of the returned response object.


The com.sun.identity.shared.debug.Debug logger class is deprecated and replaced by org.forgerock.openam.scripting.logging.ScriptedLoggerWrapper.

ScriptedLoggerWrapper provides a subset of the methods offered by SLF4J.

For more information, refer to Log script messages.

  • Legacy

  • Next-generation

var messageEnabled = logger.messageEnabled();
logger.message("Message with arg {}", arg);

var warnEnabled = logger.warningEnabled();
logger.warning("Warn with arg {}", arg);

var errorEnabled = logger.errorEnabled();
logger.error("Error with arg {}", arg);
var traceEnabled = logger.isTraceEnabled();
logger.trace("Trace with arg {}", arg);

var debugEnabled = logger.isDebugEnabled();
logger.debug("Debug with arg {}", arg);

var infoEnabled = logger.isInfoEnabled();"Info with arg {}", arg);

var warnEnabled = logger.isWarnEnabled();
logger.warn("Warn with arg {}", arg);

var errorEnabled = logger.isErrorEnabled();
logger.error("Error with arg {}", arg);


The openidm binding lets you manage an IDM resource by calling scripting functions directly from a next-generation script.

The following CRUDPAQ functions are supported:

  • create

  • read

  • update

  • delete

  • patch

  • action

  • query

The following example shows the extensive code required in a legacy script to query the existence of a user by their email address in IDM, compared to the ease of using the openidm binding.

For further examples of how to use the openidm binding in your next-generation scripts, refer to Access IDM scripting functions.

For details of other supported functions, refer to Scripting functions.

The openidm binding provides administrative access to IDM functions. Use it with caution to prevent the exposure of sensitive data.

  • Legacy

  • Next-generation

function lookupUser (email) {
  try {
    var idmUserEndpoint =
         + '/openidm/managed/alpha_user?
        + email + '%22';
    var request = new
    var accessToken =
        transientState.get("idmAccessToken");     1

    request.setUri(idmUserEndpoint);              1
        'Bearer ' + accessToken);

    var httpResponse =
        httpClient.send(request).get();           1
    var responseCode =
    if (responseCode === 200) {
      var response = JSON.parse(
      if (response && response.result &&
            response.result.length > 0) {
        // User found
        return {
          success: true,
          user: response.result[0]};
      } else {
        // User NOT found
        return { success: true, user: null };
    } else {
      return {
        success: false,
        error: 'Error looking up user: ' + responseCode
  } catch (e) {
    return {
      success: false,
      error: 'Error querying user: ' + e.toString()
openidm.query("managed/user", {        1
    "_queryFilter":`/userName eq '${email}'`

1 Replace code that gets an idmAccessToken and uses the HTTP client object to invoke a request on an /openidm/* endpoint, with the direct use of the openidm binding.

Copyright © 2010-2024 ForgeRock, all rights reserved.