Identity Cloud provides the following scriptable extension points. Each extension point is associated with a script type, that is, the context (and set of bindings) in which the script runs.
Extend authorization server behavior with the OAuth 2.0 scripts.
Modify the key-value pairs contained within an OAuth 2.0 access token.
Return additional data from an authorization request.
Populate the may_act claim for delegation or impersonation when performing token exchange.
Populate claims in a request when issuing an ID token or making a request to the OpenID Connect
Evaluate and return an OAuth 2.0 access token’s scope information.
Customize the set of requested scopes for authorize, access token, refresh token, and back channel authorize requests.
Customize your SAML 2.0 single sign-on implementation:
Alter the processing of the authentication request during a SAML 2.0 journey, such as to redirect the user before single sign-on takes place or before a failure response is sent.
Map user-configured attributes to SAML 2.0 attribute objects to insert into the generated SAML 2.0 assertion.
This extension point lets you write a script to determine the path of an authentication journey. The script provides bindings for accessing data in request headers, shared state, and user session data. This data provides the context for deciding which of the node's outcomes, and therefore which path, the journey takes.
An authentication journey calls the script through a Scripted Decision node.
For more information, refer to the Scripted decision node API.
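As an added illustration of the Scripted Decision pattern described above (this is example code written for this page, not a script from the Identity Cloud documentation or a ForgeRock sample), the following script routes a journey to one of three outcomes, allow, stepUp or deny, based on the client address taken from a request header and the username placed in shared state by an earlier node. The decision itself lives in a plain function that takes ordinary JavaScript values, so it can be unit tested outside the journey; only the short glue section at the end touches the node bindings. The binding names used there (requestHeaders, sharedState, outcome) follow the legacy Scripted Decision node bindings as I understand them and are assumptions: check the Scripted decision node API reference for your script engine version before relying on them. The trusted network ranges and the choice of which X-Forwarded-For hop to believe are also constructed assumptions.

```javascript
// Added example, not part of the Identity Cloud docs. Decision logic is kept free of
// node bindings so it runs (and can be tested) in Node.js as well as inside a journey.

// Assumption: networks from which a login may skip step-up authentication.
const TRUSTED_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"];

// Convert dotted-quad IPv4 to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// True if ip falls inside cidr (IPv4 only).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Pure decision logic.
//   headers: object mapping header name -> array of values (mirrors Map<String, List<String>>)
//   state:   object holding the shared-state keys this node depends on (here: username)
// Returns one of the outcomes configured on the node: "allow", "stepUp" or "deny".
function decide(headers, state) {
  // Fail closed if the upstream collector node did not put a username in shared state.
  if (!state.username) {
    return "deny";
  }

  // X-Forwarded-For can carry a chain "client, proxy1, proxy2". Which hop to trust depends
  // on what your front-end proxy guarantees; this example assumes the platform's front
  // door rewrites the header so the first entry is the real client. A header the client
  // can set freely must never be used to grant the weaker path.
  const xff = (headers["X-Forwarded-For"] || [])[0] || "";
  const clientIp = xff.split(",")[0].trim();

  // Anything that is not a plain IPv4 literal (missing header, IPv6, garbage) gets step-up.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(clientIp)) {
    return "stepUp";
  }

  return TRUSTED_CIDRS.some((cidr) => inCidr(clientIp, cidr)) ? "allow" : "stepUp";
}

// Journey glue: only runs inside the Scripted Decision node, where the bindings exist.
// Assumed bindings: requestHeaders (Map<String, List<String>>), sharedState (Map), outcome.
if (typeof requestHeaders !== "undefined" && typeof sharedState !== "undefined") {
  const hdrs = {};
  const xffValues = requestHeaders.get("X-Forwarded-For"); // Java List or null
  if (xffValues !== null && xffValues.size() > 0) {
    hdrs["X-Forwarded-For"] = [String(xffValues.get(0))];
  }
  outcome = decide(hdrs, { username: sharedState.get("username") });
}
```

The three outcome names must match the outcomes configured on the node, and the unknown-header and missing-username branches deliberately resolve to the stricter path, so a misconfigured proxy or a reordered journey degrades to step-up or denial rather than to a silent allow.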
Use this scriptable extension point to tailor the actions that Identity Cloud takes as part of policy evaluation. The script lets you access a user’s profile information, use that information in HTTP calls, and make a policy decision based on the outcome.
An Identity Cloud policy calls the script as part of an environment condition. For more information, refer to scripted policy conditions.
For a sample script, refer to policy-condition.js.