Access Management

Token exchange scripting API

The following properties are available when creating a OAuth2 May Act Script:

clientProperties

A map of properties configured in the relevant client profile. Only present if the client was correctly identified.

The keys in the map are as follows:

clientId

The URI of the client.

allowedGrantTypes

The list of the allowed grant types (org.forgerock.oauth2.core.GrantType) for the client.

allowedResponseTypes

The list of the allowed response types for the client.

allowedScopes

The list of the allowed scopes for the client.

customProperties

A map of any custom properties added to the client.

Lists or maps are included as sub-maps. For example, a custom property of customMap[Key1]=Value1 is returned as customMap > Key1 > Value1.

To add custom properties to a client, go to OAuth 2.0 > Clients > Client ID > Advanced, and then update the Custom Properties field.

identity

Contains a representation of the identity of the resource owner.

For more details, see the com.sun.identity.idm.AMIdentity class in the ForgeRock Access Management Javadoc.

logger

Write information to the AM debug logs.

Created log files have a prefix of scripts.OAUTH2_ACCESS_TOKEN_MODIFICATION.

For more information, see Debug logging.

requestProperties

A map of the properties present in the request. Always present.

The keys in the map are as follows:

requestUri

The URI of the request.

realm

The realm to which the request was made.

requestParams

The request parameters, and/or posted data. Each value in this map is a list of one, or more, properties.

To mitigate the risk of reflection-type attacks, use OWASP best practices when handling these properties. For example, see Unsafe use of Reflection.
scopes

Contains a set of the requested scopes. For example:

[
  "read",
  "transfer",
  "download"
]
scriptName

The display name of the script. Always present.

session

Contains a representation of the user’s session object if the request contained a session cookie.

For more details, see the com.iplanet.sso.SSOToken class in the ForgeRock Access Management Javadoc.

token

Contains a representation of the token to be updated. As a mutable object, any changes made are reflected in the resulting token.

Use the token.setMayAct(JsonValue value) method when performing token exchange. This adds the may_act claim to a token. See Configure a new may act script.

For more details, see the ExchangeableToken interface in the ForgeRock Access Management Javadoc.