PingAM

Customize dynamic client registration

You can configure AM to run a script after it has processed a dynamic client registration request. This scripted extension point lets you perform custom actions to modify the client profile, for example, by updating client attributes or manipulating PingIDM data to create client relationships.

The script is called after the following dynamic client registration operations:

Create a script

AM includes a sample script that updates client attributes with values from the request.

You can use this as a template to create your own custom script.

  1. In the AM admin UI, create a script with the Script Type set to OAuth2 Dynamic Client Registration.

  2. Write your own or copy the sample script into the Script field.

    A dynamic client registration script is a next-generation script. You have access to all common next-generation bindings, such as openidm, httpClient, and utils, to help you modify the client profile.

    Learn about the bindings you can use in the Dynamic client registration scripting API.

  3. Save your changes.

Configure OAuth 2.0 provider to use the script

After creating your script, you must configure AM to use it.

  1. In the AM admin UI, go to Realms > realm name > Services > OAuth2 Provider > Client Dynamic Registration to configure a specific OAuth 2.0 provider.

    To set your script as the default for all new OAuth 2.0 providers, go to Configure > Global Services > OAuth2 Provider > Client Dynamic Registration.

  2. Set Dynamic Client Registration Script to the script name you want to use.

  3. Save your changes.

Test your changes

  1. Perform a request to register, update, or delete a client profile dynamically.

  2. The provider runs the script after the operation completes successfully.

    The script isn’t invoked if the operation fails.

  3. Verify that the script makes the changes as expected.

    For the sample script, check for the following modifications depending on the type of request:

    CREATE operation

    The script makes the following changes:

    • Sets the client attribute com.forgerock.openam.oauth2provider.grantTypes to authorization_code and the grant type for the request

    • Sets the client type to Public

    • Sets the client scopes to read and write

    UPDATE operation

    The script adds the software statement’s redirect_uris property to the client attribute com.forgerock.openam.oauth2provider.redirectionURIs.

    DELETE operation

    The script makes no changes.

You can find the property names used to update client attributes, such as com.forgerock.openam.oauth2provider.grantTypes by querying the /realm-config/agents/OAuth2Client endpoint.

For backward compatibility, PingDS property names are also accepted.