Authenticate script

An authenticate script is required if you want to use pass-through authentication to the backend resource. If your connector does not need to authenticate to the resource, the authenticate script should allow the authId to pass through by default.

A sample authenticate script for an SQL database is provided in openidm/samples/scripted-sql-with-mysql/tools/AuthenticateScript.groovy.

The following connectors support pass-through authentication using the AuthenticateOp interface by default:

All Scripted Groovy-based connectors are capable of pass-through authentication if the AuthenticateScript.groovy script is implemented, but the only default implementation is the ScriptedSQL connector.
Input variables

The following variables are available to the authenticate script:


configuration
A handler to the connector’s configuration object.

options
A handler to the Operation Options.

operation
An OperationType that corresponds to the action (AUTHENTICATE).

objectClass
The object class being used to authenticate, such as __ACCOUNT__ or __GROUP__.

username
A string that provides the username to authenticate.

password
A guarded string that provides the password with which to authenticate.

log
A logger instance for the connector.


The user unique ID (ICF __UID__). The type of the returned UID must be a string or a Uid. The script must throw an exception in the case of failure.

Authenticate Script
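import org.forgerock.openicf.connectors.groovy.OperationType
import org.forgerock.openicf.connectors.groovy.ScriptedConfiguration
import org.identityconnectors.common.logging.Log
import org.identityconnectors.common.security.GuardedString
import org.identityconnectors.common.security.SecurityUtil
import org.identityconnectors.framework.common.exceptions.InvalidCredentialException
import org.identityconnectors.framework.common.objects.*

def operation = operation as OperationType
def configuration = configuration as ScriptedConfiguration
def username = username as String
def log = log as Log
def objectClass = objectClass as ObjectClass
def options = options as OperationOptions
def password = password as GuardedString;

if (username.equals("TEST")) {
    def clearPassword = SecurityUtil.decrypt(password)
    if ("Passw0rd".equals(clearPassword)) {
        return new Uid(username);
    }
}
// The script must throw an exception in the case of failure.
throw new InvalidCredentialException("Authentication failed")
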
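
The sample above checks one hard-coded account. The following added example (not ForgeRock's sample and not the script shipped in openidm/samples) shows an authenticate script that verifies the password against a database instead. It assumes the connector binds a JDBC `connection` variable, and it uses a hypothetical `users` table with `id`, `uid`, `salt`, `pw_hash` and `iterations` columns.

```groovy
import groovy.sql.Sql
import java.security.MessageDigest
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import org.identityconnectors.common.security.GuardedString
import org.identityconnectors.framework.common.exceptions.InvalidCredentialException
import org.identityconnectors.framework.common.objects.Uid

def username = username as String
def password = password as GuardedString

// Assumptions (not from the page): `connection` is a java.sql.Connection bound
// by the connector, and `users` (id, uid, salt, pw_hash, iterations) is a
// hypothetical table holding PBKDF2-HMAC-SHA256 hashes in binary columns.
def sql = new Sql(connection)

// Parameterized query: the username is bound, never concatenated into the SQL.
def row = sql.firstRow(
        "SELECT id, salt, pw_hash, iterations FROM users WHERE uid = ?", [username])

// For an unknown user, derive against dummy values so the work done (and the
// response time) does not reveal whether the account exists.
byte[] salt = row != null ? row.salt as byte[] : new byte[16]
byte[] stored = row != null ? row.pw_hash as byte[] : new byte[32]
int iterations = row != null ? row.iterations as int : 100000

boolean matches = false
// access() hands over the clear text as a char[] inside the callback only,
// so no immutable String copy of the password is created.
password.access({ char[] clear ->
    def spec = new PBEKeySpec(clear, salt, iterations, stored.length * 8)
    try {
        byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded()
        // Constant-time comparison of the derived and stored hashes.
        matches = MessageDigest.isEqual(derived, stored) && row != null
    } finally {
        spec.clearPassword()
    }
} as GuardedString.Accessor)

if (!matches) {
    // The script must throw on failure; one message for both failure cases.
    throw new InvalidCredentialException("Authentication failed")
}
// Return the account's unique ID as the ICF __UID__.
return new Uid(String.valueOf(row.id))
```
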
Copyright © 2010-2024 ForgeRock, all rights reserved.