Identity Cloud

Scripting API

Identity Cloud provides the following scriptable extension points. Each extension point is associated with a script type, also called a context.

Configuration provider scripts

Build a configuration map with custom values and add it to the authentication flow.

An authentication journey calls the script through a Configuration Provider node.

For a sample script, refer to config-provider-node.js.

OAuth 2.0 scripts

Extend authorization server behavior with the OAuth 2.0 scripts.

  • Access tokens

    Modify the key-value pairs contained within an OAuth 2.0 access token.

  • Authorize endpoint data provider

    Return additional data from an authorization request.

  • Token exchange

    Add a may_act claim for delegation or impersonation when performing token exchange.

  • OIDC claims

    Populate claims in a request when issuing an ID token or making a request to the OpenID Connect userinfo endpoint.

  • Scope evaluation

    Evaluate and return an OAuth 2.0 access token’s scope information.

  • Scope validation

    Customize the set of requested scopes for authorize, access token, refresh token, and back-channel authorize requests.

SAML 2.0 scripts

Customize your SAML 2.0 single sign-on implementation:

  • IDP adapter

    Alter the processing of the authentication request during a SAML 2.0 journey; for example, redirect the user before single sign-on takes place or before a failure response is sent.

  • IDP attribute mapper

    Map user-configured attributes to SAML 2.0 attribute objects to insert into the generated SAML 2.0 assertion.

Journey decision node scripts

This extension point lets you write a script to determine the path of an authentication journey. The script provides bindings for accessing data in request headers, shared state, and user session data. This data helps to provide the context for you to decide the possible paths a user could take.

An authentication journey calls the script through a Scripted Decision node.

For more information, refer to the Scripted decision node API.

Library scripts

As part of the next-generation scripting engine, library scripts let you reuse common functionality in Scripted Decision node scripts.

For more information, refer to Reuse scripts.

Scripted policy conditions

Use this scriptable extension point to tailor the actions that Identity Cloud takes as part of policy evaluation. The script lets you access a user’s profile information, use that information in HTTP calls, and make a policy decision based on the outcome.

An Identity Cloud policy calls the script as part of an environment condition. For more information, refer to scripted policy conditions.

For a sample script, refer to policy-condition.js.

Social identity provider profile transformation

Adapt the profile from the provider to align with the profile expected by the platform.

An authentication journey calls the script through a Social Provider Handler node.

For a sample script, refer to normalized-profile-to-managed-user.js.

Copyright © 2010-2024 ForgeRock, all rights reserved.