Scripting environment
AM supports server-side scripts written in either JavaScript or Groovy. Scripts used for client-side authentication must be written in JavaScript.
To access the functionality AM provides, import the required Java class or package, as follows:
-
JavaScript
-
Groovy
var fr = JavaImporter(
org.forgerock.openam.auth.node.api.Action,
javax.security.auth.callback.NameCallback
);
// Now use fr.Action, fr.NameCallback, and so on.import org.forgerock.openam.auth.node.api.*;
import javax.security.auth.callback.NameCallback;You may need to allowlist the classes you use in scripts. Refer to Security.
You can use scripts to modify default AM behavior in the following situations, also known as contexts:
- Client-side authentication
-
Scripts that are executed on the client during authentication.
Client-side scripts must be in JavaScript.
- Server-side authentication
-
Scripts are included in an authentication module within a chain and are executed on the server during authentication.
- Authentication trees
-
Scripts are included in an authentication node within a tree and are executed on the server during authentication.
- Policy conditions
-
Scripts used as conditions within policies.
- OIDC claims
-
Scripts that gather and populate the claims in a request when issuing an ID token or making a request to the
userinfoendpoint. - OAuth 2.0 access tokens
-
Scripts that modify the key-value pairs contained within access tokens before they are issued to a client.
Scripting engine
AM implements a configurable scripting engine for each of the context types that are executed on the server.
AM uses the following libraries:
-
Mozilla Rhino version 1.7.14 to run JavaScript.
Rhino has limited support for ES6 / ES2015 (JavaScript version 1.7). For more information, refer to Rhino ES2015 Support.
-
Groovy version 3.0.10 to support scripting in Groovy
The scripting engines in AM have two main components: security settings and the thread pool.
