--- title: Interactive callbacks description: Nodes return the following callbacks to request information. component: pingoneaic page_id: pingoneaic:am-authentication:callbacks-interactive canonical_url: https://docs.pingidentity.com/pingoneaic/am-authentication/callbacks-interactive.html keywords: ["Authentication", "Callbacks", "Setup & Configuration"] page_aliases: ["authentication-guide:authn-interactive-callbacks.adoc", "authn-interactive-callbacks.adoc"] section_ids: BooleanAttributeInputCallback: BooleanAttributeInputCallback ChoiceCallback: ChoiceCallback ConfirmationCallback: ConfirmationCallback ConsentMappingCallback: ConsentMappingCallback DeviceBindingCallback: DeviceBindingCallback DeviceProfileCallback: DeviceProfileCallback DeviceSigningVerifierCallback: DeviceSigningVerifierCallback hiddenvaluecallback: HiddenValueCallback IdPCallback: IdPCallback KbaCreateCallback: KbaCreateCallback NameCallback: NameCallback NumberAttributeInputCallback: NumberAttributeInputCallback PasswordCallback: PasswordCallback PingOneProtectEvaluationCallback: PingOneProtectEvaluationCallback PingOneProtectInitializeCallback: PingOneProtectInitializeCallback SelectIdPCallback: SelectIdPCallback StringAttributeInputCallback: StringAttributeInputCallback TermsAndConditionsCallback: TermsAndConditionsCallback TextInputCallback: TextInputCallback ValidatedCreatePasswordCallback: ValidatedCreatePasswordCallback ValidatedCreateUsernameCallback: ValidatedCreateUsernameCallback --- # Interactive callbacks Nodes return the following callbacks to request information. ## BooleanAttributeInputCallback Collects a boolean-style confirmation, such as yes/no or true/false. The [Attribute Collector node](https://docs.pingidentity.com/auth-node-ref/latest/attribute-collector.html) uses this instead of a [ConfirmationCallback](#ConfirmationCallback) to apply IDM policies and validate the response. | Callback output field | Description | | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `failedPolicies` | An array of JSON objects describing validation policies that the input failed. The object is empty until the input is provided and validation fails. | | `name` | A string containing the name of the attribute in the user profile. | | `policies` | An array of JSON objects describing IDM validation policies the input must pass. An empty JSON object if the node does not require validation. | | `prompt` | A string containing the description of the information required from the user. | | `required` | A boolean indicating whether input is required for this attribute. | | `validateOnly` | When the node requires validation, this boolean indicates whether to apply validation policies only, or to validate the input and continue to the next node. When `true`, the node only performs input validation and does not continue to the next node.When `true`, this lets the UI validate input as the user types instead of validating the input once and continuing the journey to the next node. | | `value` | A string containing a default value for the attribute, if required. | Example ```json { "callbacks": [{ "type": "BooleanAttributeInputCallback", "output": [{ "name": "name", "value": "preferences/marketing" }, { "name": "prompt", "value": "Send me special offers and services" }, { "name": "required", "value": true }, { "name": "policies", "value": {} }, { "name": "failedPolicies", "value": [] }, { "name": "validateOnly", "value": false }, { "name": "value", "value": false }], "input": [{ "name": "IDToken1", "value": false }, { "name": "IDToken1validateOnly", "value": false }] }] } ``` In the input, return the value and a boolean to set `validateOnly`. Class to import in scripts: `org.forgerock.openam.authentication.callbacks.BooleanAttributeInputCallback` Learn more in [BooleanAttributeInputCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/BooleanAttributeInputCallback.html). ## ChoiceCallback Provides a list of choices and collects the selected choice. In the input, return `0` if the user selected the first choice, `1` for the second choice, and so forth. Example ```json { "callbacks": [{ "type": "ChoiceCallback", "output": [{ "name": "prompt", "value": "Choose one" }, { "name": "choices", "value": ["Choice A", "Choice B", "Choice C"] }, { "name": "defaultChoice", "value": 2 }], "input": [{ "name": "IDToken1", "value": 0 }] }] } ``` Class to import in scripts: `javax.security.auth.callback.ChoiceCallback` Learn more in [ChoiceCallback](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/callback/ChoiceCallback.html). ## ConfirmationCallback Collects a boolean-style confirmation, such as yes/no or true/false with an optional "Cancel" choice. | Callback output field | Description | | --------------------- | ----------------------------------------------------------------------------------------------------------------------- | | `defaultOption` | A number identifying the default option in the array of `options`, counting from `0`. | | `messageType` | A number indicating the severity of the message:- `0`: Information - `1`: Warning - `2`: Error | | `optionType` | A number indicating the type of confirmation:- `-1`: Unspecified - `0`: Yes/no - `1`: Yes/no/cancel - `2`: OK/cancel | | `options` | An array of strings containing the option text for display to the user. | | `prompt` | A string containing the description of the choice to display to the user. | Example ```json { "callbacks": [{ "type": "ConfirmationCallback", "output": [{ "name": "prompt", "value": "" }, { "name": "messageType", "value": 0 }, { "name": "options", "value": ["Submit", "Start Over", "Cancel"] }, { "name": "optionType", "value": -1 }, { "name": "defaultOption", "value": 1 }], "input": [{ "name": "IDToken1", "value": 0 }] }] } ``` In the input, return `0` if the user selected the first choice, `1` for the second choice, and so forth. Class to import in scripts: `javax.security.auth.callback.ConfirmationCallback` Learn more in [ConfirmationCallback](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/callback/ConfirmationCallback.html). ## ConsentMappingCallback Provides profile attributes that require user consent and collects consent from the user. | Callback output field | Description | | --------------------- | ----------------------------------------------------------------------------- | | `accessLevel` | A string containing the access level description for display to the user. | | `displayName` | A string containing the name for display to the user. | | `fields` | An array containing names of the attributes to share. | | `icon` | A string containing an icon specification for the privacy and consent notice. | | `isRequired` | A boolean indicating whether consent is required. | | `message` | A string containing the privacy and consent notice for display to the user. | | `name` | A string containing the name of the mapping. | Example ```json { "callbacks": [{ "type": "ConsentMappingCallback", "output": [{ "name": "name", "value": "managedUser_managedUser" }, { "name": "displayName", "value": "Test Mapping" }, { "name": "icon", "value": "" }, { "name": "accessLevel", "value": "Actual Profile" }, { "name": "isRequired", "value": true }, { "name": "message", "value": "You consent to your data being shared with external services." }, { "name": "fields", "value": [] }], "input": [{ "name": "IDToken1", "value": false }] }] } ``` The user must give consent to all attributes or to none; in the input, return a single boolean value. Class to import in scripts: `org.forgerock.openam.authentication.callbacks.ConsentMappingCallback` Learn more in [ConsentMappingCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/ConsentMappingCallback.html). ## DeviceBindingCallback Binds a client device to a user. | Callback output field | Description | | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `userId` | The ID of the user to bind the device to. | | `username` | The username of the user to bind the device to. | | `authenticationType` | Specifies how the client secures access to the private key. Available options are:- `BIOMETRIC` Request that the client secures access to the cryptography keys with biometric security, such as a fingerprint. - `BIOMETRIC_ALLOW_FALLBACK` Request that the client secures access to the cryptography keys with biometric security, such as a fingerprint, but allow use of the device PIN if biometric is unavailable. - `APPLICATION_PIN` Request that the client secures access to the cryptography keys with an application-specific PIN. - `NONE` Request that the client generates a key pair, but does not secure access to them. | | `challenge` | A string containing the challenge the client should sign with the private key and return for validation. | | `title` | A string containing an optional title to display when requesting biometric authentication to secure access to the key pair. | | `subtitle` | A string containing an optional subtitle to display when requesting biometric authentication to secure access to the key pair. | | `description` | A string containing optional descriptive text to display when requesting biometric authentication to secure access to the key pair. | | `timeout` | An integer specifying the number of seconds to wait for device binding to complete before reporting a timeout error. | Example response data ```json { "authId": "...", "callbacks": [ { "type": "DeviceBindingCallback", "output": [ { "name": "userId", "value": "id=bjensen,ou=user,dc=am,dc=example,dc=com" }, { "name": "username", "value": "bjensen" }, { "name": "authenticationType", "value": "BIOMETRIC_ALLOW_FALLBACK" }, { "name": "challenge", "value": "6IBkTEPcMQ0xCghIclmDLost2ssGO5cPDs0AjUhmDTo=" }, { "name": "title", "value": "Authentication required" }, { "name": "subtitle", "value": "Cryptography device binding" }, { "name": "description", "value": "Please authenticate with biometrics to proceed" }, { "name": "timeout", "value": 60 } ], "input": [ { "name": "IDToken1jws", "value": "" }, { "name": "IDToken1deviceName", "value": "" }, { "name": "IDToken1deviceId", "value": "" }, { "name": "IDToken1clientError", "value": "" } ] } ] } ``` The client device should perform the following high-level steps to fulfil this callback: 1. Generate a key pair and secure access to it as defined by the `authenticationType` field. 2. Generate a JSON web token (JWT) that has the ID of the user in the subject (`sub`) field and the original value of the `challenge`. For example: ``` { "sub": "id=bjensen,ou=user,dc=am,dc=example,dc=com", "challenge": "6IBkTEPcMQ0xCghIclmDLost2ssGO5cPDs0AjUhmDTo=" } ``` 3. Sign the JWT using the RS512 algorithm to create a JSON Web Signature (JWS). 4. Complete the callback, returning the JWS, the key ID (`KID`) of the key pair, the public key, and the name and the unique ID of the device. The server verifies the returned information and persists it in the user's profile if correct. Example response data ```json { "authId": "...", "callbacks": [ { "type": "DeviceBindingCallback", "output": [...], "input": [ { "name": "IDToken1jws", "value": "eyJhbGciOiJIUzI1NiI....JV_adQssw5cB6aDS6m_kwIiw" }, { "name": "IDToken1deviceName", "value": "Example Brand Version Android Device" }, { "name": "IDToken1deviceId", "value": "ae9573dbbf442e7f-8e0c8b428409e0f1c" }, { "name": "IDToken1clientError", "value": "" } ] } ] } ``` Class to import in scripts: `org.forgerock.openam.authentication.callbacks.DeviceBindingCallback` Learn more in [DeviceBindingCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/DeviceBindingCallback.html). ## DeviceProfileCallback Collects information about the device used to authenticate. | Callback output field | Description | | --------------------- | --------------------------------------------------------------------------------- | | `metadata` | A boolean indicating whether to collect device metadata. | | `location` | A boolean indicating whether to collect the device location. | | `message` | A string containing optional text to display while collecting device information. | Example ```json { "callbacks": [{ "type": "DeviceProfileCallback", "output": [{ "name": "metadata", "value": true }, { "name": "location", "value": true }, { "name": "message", "value": "Collecting....." }], "input": [{ "name": "IDToken1", "value": "" }] }] } ``` In the input, return escaped JSON resembling the following example response data. Example response data ```json { "identifier": "aec3fe784...o3Xjiizyb9=", "alias": "Pixel 3 XL", "metadata": { "platform": { "platform": "Android", "version": 28, "device": "generic_x86_arm", "deviceName": "AOSP on IA Emulator", "model": "AOSP on IA Emulator", "brand": "google", "locale": "en_US", "timeZone": "America/Vancouver", "jailBreakScore": 1 }, "hardware": { "hardware": "ranchu", "manufacturer": "Google", "storage": 774, "memory": 1494, "cpu": 4, "display": { "width": 1440, "height": 2621, "orientation": 1 }, "camera": { "numberOfCameras": 2 } }, "browser": { "agent": "Dalvik/2.1.0 (Linux; U; Android 9; AOSP on IA Emulator Build/PSR1.180720.117)" }, "bluetooth": { "supported": false }, "network": { "connected": true }, "telephony": { "networkCountryIso": "us", "carrierName": "Android" } }, "location": { "latitude": 51.431534, "Longitude": -2.622353 } } ``` The `location` and `metadata` fields are required when their values are `true` in the output. The `alias` and `identifier` fields are optional and provided when the client uses the Ping SDKs. * `alias` A friendly name for the device often derived from the make and model. * `identifier` A unique identifier string that can be used to later match the device. * `location` Latitude and longitude of the device. * `metadata` Refer to the example response data for details. Class to import in scripts: `org.forgerock.openam.authentication.callbacks.DeviceProfileCallback` Learn more in [DeviceProfileCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/DeviceProfileCallback.html). ## DeviceSigningVerifierCallback Verifies the signature of data from a registered device. | Callback output field | Description | | --------------------- | ------------------------------------------------------------------------------------------------------------------------- | | `userId` | The ID of the user authenticating, if already determined by the authentication journey. | | `challenge` | A string containing the challenge the client should sign with the private key and return for validation. | | `title` | A string containing an optional title to display when requesting biometric authentication to access the key pair. | | `subtitle` | A string containing an optional subtitle to display when requesting biometric authentication to access the key pair. | | `description` | A string containing optional descriptive text to display when requesting biometric authentication to access the key pair. | | `timeout` | An integer specifying the number of seconds to wait for device signing to complete before reporting a timeout error. | Example response data ```json { "authId": "...", "callbacks": [ { "type": "DeviceSigningVerifierCallback", "output": [ { "name": "userId", "value": "" }, { "name": "challenge", "value": "Kc4dc14on98DYFzr5SoP2n3TC/JWAcAqTJMjCM+T27Y=" }, { "name": "title", "value": "Authentication required" }, { "name": "subtitle", "value": "Cryptography device binding" }, { "name": "description", "value": "Please complete with biometric to proceed" }, { "name": "timeout", "value": 60 } ], "input": [ { "name": "IDToken1jws", "value": "" }, { "name": "IDToken1clientError", "value": "" } ] } ] } ``` The client device should perform the following high-level steps to fulfill this callback: 1. Generate a JSON web token (JWT) that has the ID of the user in the subject (`sub`) field) and the original value of the `challenge`. For example: ``` { "sub": "id=bjensen,ou=user,dc=am,dc=example,dc=com", "challenge": "6IBkTEPcMQ0xCghIclmDLost2ssGO5cPDs0AjUhmDTo=" } ``` 2. Sign the JWT using the RS512 algorithm to create a JSON Web Signature (JWS). 3. Complete the callback, returning the JWS. The server verifies the signature against the stored public key. Example response data ```json { "authId": "...", "callbacks": [ { "type": "DeviceSigningVerifierCallback", "output": [...], "input": [ { "name": "IDToken1jws", "value": "eyJhbGciOiJIUzI1NiI....JV_adQssw5cB6aDS6m_kwIiw" }, { "name": "IDToken1clientError", "value": "" } ] } ] } ``` Class to import in scripts: `org.forgerock.openam.authentication.callbacks.DeviceSigningVerifierCallback` Learn more in [DeviceSigningVerifierCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/DeviceSigningVerifierCallback.html). ## HiddenValueCallback Provides form values that are to remain hidden from the user. Example ```json { "callbacks": [{ "type": "HiddenValueCallback", "output": [{ "name": "value", "value": "6186c911-b3be-4dbc-8192-bdf251392072" }, { "name": "id", "value": "jwt" }], "input": [{ "name": "IDToken1", "value": "jwt" }] }] } ``` Class to import in scripts: `com.sun.identity.authentication.callbacks.HiddenValueCallback` Learn more in [HiddenValueCallback](../_attachments/apidocs/com/sun/identity/authentication/callbacks/HiddenValueCallback.html). ## IdPCallback Collects the result of a native OAuth 2.0 or OIDC request to a social identity provider. The [Social Provider Handler node](https://docs.pingidentity.com/auth-node-ref/latest/social-provider-handler.html) returns this callback when its Client Type is set to `NATIVE`. The output provides the information required to perform the request. Clients built using the Ping SDKs for Android or iOS use this to authenticate to the social identity provider with the mobile OS native APIs. | Callback output field | Description | | --------------------- | ------------------------------------------------------------------------------------------------------------------------- | | `acrValues` | An array containing the Authentication Context Class Reference values for the native authentication request. | | `clientId` | A string containing the identifier for the native authentication request. | | `nonce` | A string containing the nonce for the native authentication request. | | `provider` | A string containing a name for the provider. | | `redirectUri` | A string containing the redirection URI for the native authentication request. | | `request` | A string containing the Request Object for the native authentication request. | | `requestUri` | A string containing a URL that references a resource containing the Request Object for the native authentication request. | | `scopes` | An array containing the scopes for the native authentication request. | Example ```json { "callbacks": [{ "type": "IdPCallback", "output": [{ "name": "provider", "value": "amazon" }, { "name": "clientId", "value": "amzn1.application-oa2-client.f0c11aa1f8504f8da26a346ccc55a39e" }, { "name": "redirectUri", "value": "https://localhost:8443/am" }, { "name": "scopes", "value": ["profile"] }, { "name": "nonce", "value": "" }, { "name": "acrValues", "value": [] }, { "name": "request", "value": "" }, { "name": "requestUri", "value": "" }], "input": [{ "name": "IDToken1token", "value": "" }, { "name": "IDToken1token_type", "value": "" }] }] } ``` In the input, return a JWT `id_token`, `access_token` or authorization code for the token, and `id_token`, `access_token` or `authorization_code` for the token type. Class to import in scripts: `org.forgerock.openam.authentication.callbacks.IdPCallback` Learn more in [IdPCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/IdPCallback.html). ## KbaCreateCallback Collects knowledge-based authentication (KBA) answers to questions defined in the user profile, or user-defined question and answer pairs. Example ```json { "callbacks": [{ "type": "KbaCreateCallback", "output": [{ "name": "prompt", "value": "Select a security question" }, { "name": "predefinedQuestions", "value": ["What's your favorite color?"] }], "input": [{ "name": "IDToken1question", "value": "" }, { "name": "IDToken1answer", "value": "" }] }] } ``` In the input, return an empty `IDTokenNumberquestion` value when `IDTokenNumberanswer` corresponds to `predefinedQuestions[Number]`. For user-provided questions, return both. Class to import in scripts: `org.forgerock.openam.authentication.callbacks.KbaCreateCallback` Learn more in [KbaCreateCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/KbaCreateCallback.html). ## NameCallback Collects a string entered by the user, such as a username. Example ```json { "callbacks": [{ "type": "NameCallback", "output": [{ "name": "prompt", "value": "User Name" }], "input": [{ "name": "IDToken1", "value": "" }] }] } ``` Class to import in scripts: `javax.security.auth.callback.NameCallback` Learn more in [NameCallback](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/callback/NameCallback.html). ## NumberAttributeInputCallback Collects a numeric attribute, such as size or age. The [Attribute Collector node](https://docs.pingidentity.com/auth-node-ref/latest/attribute-collector.html) uses this to apply IDM policies and validate the response. | Callback output field | Description | | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `failedPolicies` | An array of JSON objects describing validation policies that the input failed. The object is empty until the input is provided and validation fails. | | `name` | A string containing the name of the attribute in the user profile. | | `policies` | An array of JSON objects describing IDM validation policies the input must pass. An empty JSON object if the node does not require validation. | | `prompt` | A string containing the description of the information required from the user. | | `required` | A boolean indicating whether input is required for this attribute. | | `validateOnly` | When the node requires validation, this boolean indicates whether to apply validation policies only, or to validate the input and continue to the next node. When `true`, the node only performs input validation and does not continue to the next node.When `true`, this lets the UI validate input as the user types instead of validating the input once and continuing the journey to the next node. | | `value` | A string containing a default value for the attribute, if required. | In the input, return the value and a boolean to set `validateOnly`. Class to import in scripts: `org.forgerock.openam.authentication.callbacks.NumberAttributeInputCallback` Learn more in [NumberAttributeInputCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/NumberAttributeInputCallback.html). ## PasswordCallback Collects a password value. Example ```json { "callbacks": [{ "type": "PasswordCallback", "output": [{ "name": "prompt", "value": "Password" }], "input": [{ "name": "IDToken1", "value": "" }] }] } ``` Class to import in scripts: `javax.security.auth.callback.PasswordCallback` Learn more in [PasswordCallback](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/callback/PasswordCallback.html). ## PingOneProtectEvaluationCallback Instructs the client to return the data captured by the [PingOne Signals (Protect) SDK](https://docs.pingidentity.com/pingone/threat_protection_using_pingone_protect/p1_protect_signals_sdk.html) so that a risk evaluation can be completed. | Callback output field | Description | | --------------------- | -------------------------------------------------------------------------------------------------- | | `pauseBehavioralData` | A boolean indicating whether to stop collecting behavioral data after returning the existing data. | Example ```json { "callbacks":[ { "type":"PingOneProtectEvaluationCallback", "output":[ { "name":"pauseBehavioralData", "value":true } ], "input":[ { "name":"IDToken1signals", "value":"" }, { "name":"IDToken1clientError", "value":"" } ] } ] } ``` In the input: * In `IDToken1signals`, return the data captured by the PingOne Signals SDK. * In `IDToken1clientError`, return an empty string to signal success, or an error string to indicate that the client was unable to process the request. - Class to import `org.forgerock.openam.authentication.callbacks.PingOneProtectEvaluationCallback` Learn more in [PingOneProtectEvaluationCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/PingOneProtectEvaluationCallback.html). ## PingOneProtectInitializeCallback Instructs the client to initialize the [PingOne Signals (Protect) SDK](https://docs.pingidentity.com/pingone/threat_protection_using_pingone_protect/p1_protect_signals_sdk.html) to gather information during a transaction. | Callback output field | Description | | -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | | `envId` | A string containing the PingOne environment ID. | | `consoleLogEnabled` | A boolean indicating whether to output SDK log messages to the developer console. | | `deviceAttributesToIgnore` | An array of device attributes to ignore when collecting device signals. | | `customHost` | A string containing a custom host URL from which to retrieve a "Pong" token.Not currently used. | | `lazyMetadata` | A boolean indicating whether to calculate metadata on demand.When `false`, metadata is calculated automatically after initialization. | | `behavioralDataCollection` | A boolean indicating whether to collect behavioral data. | | `disableHub` | A boolean indicating whether the client stores device data in the browser's localStorage only.When `false`, the client uses an iframe if supported. | | `deviceKeyRsyncIntervals` | An integer indicating the number of days that device attestation can rely upon the device fallback key. | | `enableTrust` | A boolean indicating whether to tie the device payload to a non-extractable crypto key stored in the browser for content authenticity verification. | | `disableTags` | A boolean indicating whether to collect tag data. | Example ```json { "type":"PingOneProtectInitializeCallback", "output":[ { "name":"envId", "value":"3072206d-c6ce-4c19-a366-f87e972c7cc3" }, { "name":"consoleLogEnabled", "value":false }, { "name":"deviceAttributesToIgnore", "value":[ "field1", "field2" ] }, { "name":"customHost", "value":"" }, { "name":"lazyMetadata", "value":false }, { "name":"behavioralDataCollection", "value":true }, { "name":"deviceKeyRsyncIntervals", "value":14 }, { "name":"enableTrust", "value":false }, { "name":"disableTags", "value":false }, { "name":"disableHub", "value":false } ], "input":[ { "name":"IDToken1clientError", "value":"" } ] } ``` In the input `IDToken1clientError` field, return an empty string to signal success, or define any error string to indicate initialization of the SDK failed. * Class to import `org.forgerock.openam.authentication.callbacks.PingOneProtectInitializeCallback` Learn more in [PingOneProtectInitializeCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/PingOneProtectInitializeCallback.html). ## SelectIdPCallback Collects a choice of an enabled social identity provider or local authentication. The [Select Identity Provider node](https://docs.pingidentity.com/auth-node-ref/latest/select-identity-provider.html) returns this callback when multiple social identity providers are enabled, or when Local Authentication is enabled alongside at least one provider. In the input, return the provider name, such as `amazon` or `localAuthentication`. Example ```json { "callbacks": [{ "type": "SelectIdPCallback", "output": [{ "name": "providers", "value": [{ "provider": "amazon", "uiConfig": { "buttonCustomStyle": "background: linear-gradient(to bottom, #f7e09f 15%,#f5c646 85%);color: black;border-color: #b48c24;", "buttonImage": "", "buttonClass": "fa-amazon", "buttonDisplayName": "Amazon", "buttonCustomStyleHover": "background: linear-gradient(to bottom, #f6c94e 15%,#f6c94e 85%);color: black;border-color: #b48c24;" } }, { "provider": "google", "uiConfig": { "buttonImage": "images/g-logo.png", "buttonCustomStyle": "background-color: #fff; color: #757575; border-color: #ddd;", "buttonClass": "", "buttonCustomStyleHover": "color: #6d6d6d; background-color: #eee; border-color: #ccc;", "buttonDisplayName": "Google" } }, { "provider": "localAuthentication" }] }, { "name": "value", "value": "" }], "input": [{ "name": "IDToken1", "value": "" }] }] } ``` Class to import in scripts: `org.forgerock.openam.authentication.callbacks.SelectIdPCallback` Learn more in [SelectIdPCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/SelectIdPCallback.html). ## StringAttributeInputCallback Collects string attributes, such as city names, telephone numbers, and postcodes. The [Attribute Collector node](https://docs.pingidentity.com/auth-node-ref/latest/attribute-collector.html) uses this instead of a [TextInputCallback](#TextInputCallback) to apply IDM policies and validate the response. | Callback output field | Description | | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `failedPolicies` | An array of JSON objects describing validation policies that the input failed. The object is empty until the input is provided and validation fails. | | `name` | A string containing the name of the attribute in the user profile. | | `policies` | An array of JSON objects describing IDM validation policies the input must pass. An empty JSON object if the node does not require validation. | | `prompt` | A string containing the description of the information required from the user. | | `required` | A boolean indicating whether input is required for this attribute. | | `validateOnly` | When the node requires validation, this boolean indicates whether to apply validation policies only, or to validate the input and continue to the next node. When `true`, the node only performs input validation and does not continue to the next node.When `true`, this lets the UI validate input as the user types instead of validating the input once and continuing the journey to the next node. | | `value` | A string containing a default value for the attribute, if required. | Example ```json { "callbacks": [{ "type": "StringAttributeInputCallback", "output": [{ "name": "name", "value": "givenName" }, { "name": "prompt", "value": "First Name" }, { "name": "required", "value": true }, { "name": "policies", "value": { "policyRequirements": ["REQUIRED", "VALID_TYPE"], "fallbackPolicies": null, "name": "givenName", "policies": [{ "policyRequirements": ["REQUIRED"], "policyId": "required" }, { "policyRequirements": ["VALID_TYPE"], "policyId": "valid-type", "params": { "types": ["string"] } }], "conditionalPolicies": null } }, { "name": "failedPolicies", "value": [] }, { "name": "validateOnly", "value": false }, { "name": "value", "value": "" }], "input": [{ "name": "IDToken1", "value": "" }, { "name": "IDToken1validateOnly", "value": false }] }] } ``` When input validation is not required, the `policies` contain an empty object: ```json { "name": "policies", "value": {} } ``` In the input, return the value and a boolean to set `validateOnly`. Class to import in scripts: `org.forgerock.openam.authentication.callbacks.StringAttributeInputCallback` Learn more in [StringAttributeInputCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/StringAttributeInputCallback.html). ## TermsAndConditionsCallback Displays the current terms and conditions and collects the user's agreement to them. Example ```json { "callbacks": [ { "type": "TermsAndConditionsCallback", "output": [ { "name": "version", "value": "0.0" }, { "name": "terms", "value": "Terms and conditions text that you must agree to." }, { "name": "createDate", "value": "2022-10-28T04:20:11.320Z" } ], "input": [ { "name": "IDToken1", "value": false } ] } ] } ``` In the input, return `true` if the user agrees to the terms and conditions. Class to import in scripts: `org.forgerock.openam.authentication.callbacks.TermsAndConditionsCallback` Learn more in [TermsAndConditionsCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/TermsAndConditionsCallback.html). ## TextInputCallback Collects text input from the user. Example ```json { "callbacks": [{ "type": "TextInputCallback", "output": [{ "name": "prompt", "value": "Provide a nickname for this account" }], "input": [{ "name": "IDToken1", "value": "" }] }] } ``` Class to import in scripts: `javax.security.auth.callback.TextInputCallback` Learn more in [TextInputCallback](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/callback/TextInputCallback.html). ## ValidatedCreatePasswordCallback Collects a password value. The [Platform Password node](https://docs.pingidentity.com/auth-node-ref/latest/platform-password.html) uses this instead of a [PasswordCallback](#PasswordCallback) to apply IDM policies and validate the response. | Callback output field | Description | | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `failedPolicies` | An array of JSON objects describing validation policies that the input failed. The object is empty until the input is provided and validation fails. | | `name` | A string containing the name of the attribute in the user profile. | | `policies` | An array of objects describing IDM validation policies the input must pass. An empty JSON object if the node does not require validation. | | `prompt` | A string containing the description of the information required from the user. | | `validateOnly` | When the node requires validation, this boolean indicates whether to apply validation policies only, or to validate the input and continue to the next node. When `true`, the node only performs input validation and does not continue to the next node.When `true`, this lets the UI validate input as the user types instead of validating the input once and continuing the journey to the next node. | Example ```json { "callbacks": [{ "type": "ValidatedCreatePasswordCallback", "output": [{ "name": "echoOn", "value": false }, { "name": "policies", "value": { "policyRequirements": ["VALID_TYPE", "MIN_LENGTH", "AT_LEAST_X_CAPITAL_LETTERS", "AT_LEAST_X_NUMBERS", "CANNOT_CONTAIN_OTHERS"], "fallbackPolicies": null, "name": "password", "policies": [{ "policyRequirements": ["VALID_TYPE"], "policyId": "valid-type", "params": { "types": ["string"] } }, { "policyId": "minimum-length", "params": { "minLength": 8 }, "policyRequirements": ["MIN_LENGTH"] }, { "policyId": "at-least-X-capitals", "params": { "numCaps": 1 }, "policyRequirements": ["AT_LEAST_X_CAPITAL_LETTERS"] }, { "policyId": "at-least-X-numbers", "params": { "numNums": 1 }, "policyRequirements": ["AT_LEAST_X_NUMBERS"] }, { "policyId": "cannot-contain-others", "params": { "disallowedFields": ["userName", "givenName", "sn"] }, "policyRequirements": ["CANNOT_CONTAIN_OTHERS"] }], "conditionalPolicies": null } }, { "name": "failedPolicies", "value": [] }, { "name": "validateOnly", "value": false }, { "name": "prompt", "value": "Password" }], "input": [{ "name": "IDToken1", "value": "" }, { "name": "IDToken1validateOnly", "value": false }] }] } ``` In the input, return the value and a boolean to set `validateOnly`. Class to import in scripts: `org.forgerock.openam.authentication.callbacks.ValidatedPasswordCallback` Learn more in [ValidatedPasswordCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/ValidatedPasswordCallback.html). ## ValidatedCreateUsernameCallback Collects a username. The [Platform Username node](https://docs.pingidentity.com/auth-node-ref/latest/platform-username.html) uses this instead of a [NameCallback](#NameCallback) to apply IDM policies and validate the response. | Callback output field | Description | | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `failedPolicies` | An array of JSON objects describing validation policies that the input failed. The object is empty until the input is provided and validation fails. | | `name` | A string containing the name of the attribute in the user profile. | | `policies` | An array of objects describing IDM validation policies the input must pass. An empty JSON object if the node does not require validation. | | `prompt` | A string containing the description of the information required from the user. | | `validateOnly` | When the node requires validation, this boolean indicates whether to apply validation policies only, or to validate the input and continue to the next node. When `true`, the node only performs input validation and does not continue to the next node.When `true`, this lets the UI validate input as the user types instead of validating the input once and continuing the journey to the next node. | Example ```json { "callbacks": [{ "type": "ValidatedCreateUsernameCallback", "output": [{ "name": "policies", "value": { "policyRequirements": ["REQUIRED", "VALID_TYPE", "VALID_USERNAME", "CANNOT_CONTAIN_CHARACTERS", "MIN_LENGTH", "MAX_LENGTH"], "fallbackPolicies": null, "name": "userName", "policies": [{ "policyRequirements": ["REQUIRED"], "policyId": "required" }, { "policyRequirements": ["VALID_TYPE"], "policyId": "valid-type", "params": { "types": ["string"] } }, { "policyId": "valid-username", "policyRequirements": ["VALID_USERNAME"] }, { "policyId": "cannot-contain-characters", "params": { "forbiddenChars": ["/"] }, "policyRequirements": ["CANNOT_CONTAIN_CHARACTERS"] }, { "policyId": "minimum-length", "params": { "minLength": 1 }, "policyRequirements": ["MIN_LENGTH"] }, { "policyId": "maximum-length", "params": { "maxLength": 255 }, "policyRequirements": ["MAX_LENGTH"] }], "conditionalPolicies": null } }, { "name": "failedPolicies", "value": [] }, { "name": "validateOnly", "value": false }, { "name": "prompt", "value": "Username" }], "input": [{ "name": "IDToken1", "value": "" }, { "name": "IDToken1validateOnly", "value": false }] }] } ``` In the input, return the value and a boolean to set `validateOnly`. Class to import in scripts: `org.forgerock.openam.authentication.callbacks.ValidatedUsernameCallback` Learn more in [ValidatedUsernameCallback](../_attachments/apidocs/org/forgerock/openam/authentication/callbacks/ValidatedUsernameCallback.html).