---
title: Customize OAuth 2.0 using JavaScript extensions
description: Advanced Identity Cloud lets you script extensions in JavaScript to customize OAuth 2.0 authorization server functionality, such as modifying access tokens or customizing how Advanced Identity Cloud processes scopes.
component: pingoneaic
page_id: pingoneaic:am-oauth2:plugins-customize
canonical_url: https://docs.pingidentity.com/pingoneaic/am-oauth2/plugins-customize.html
keywords: ["OAuth 2.0", "Customization", "Federation", "Scripting"]
page_aliases: ["oauth2-guide:plugins-customize.adoc"]
section_ids:
  supported_extensions: Supported extensions
  use-custom-oauth2-plugin: Configure the OAuth 2.0 provider to use extensions
  override-oauth2-provider-settings: Override OAuth 2.0 provider extension settings
---

# Customize OAuth 2.0 using JavaScript extensions

Advanced Identity Cloud lets you script extensions in JavaScript to customize OAuth 2.0 authorization server functionality, such as modifying access tokens or customizing how Advanced Identity Cloud processes scopes.

## Supported extensions

You can create scripts for each of the supported extension points [using the Advanced Identity Cloud admin console](../developer-docs/scripting-auth.html). The scripts have access to [bindings](../am-scripting/oauth2-scripting-api.html) to help you write your customization.

The following table describes the extensible features of an Advanced Identity Cloud OAuth 2.0 authorization server.

| Feature                                                                      | Extension options                                                                                                      | Samples                                                                                                          |
| ---------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| [Access tokens](plugins-access-token-modifier.html)                          | Modify the OAuth 2.0 access token before the token is persisted or returned to the client.                             | [oauth2-access-token-modification.js](../_attachments/scripts/oauth2-access-token-modification.js)               |
| [Authorize endpoint data provider](plugins-auth-endpoint-data-provider.html) | Return additional data from an authorization request.                                                                  | [oauth2-authorize-endpoint-data-provider.js](../_attachments/scripts/oauth2-authorize-endpoint-data-provider.js) |
| [Scope evaluation](plugins-scope-evaluator.html)                             | Evaluate and return an OAuth 2.0 access token's scope information.                                                     | [oauth2-evaluate-scope.js](../_attachments/scripts/oauth2-evaluate-scope.js)                                     |
| [Scope validation](plugins-scope-validator.html)                             | Customize the requested scopes for authorization, access token, refresh token, and backchannel authorization requests. | [oauth2-validate-scope.js](../_attachments/scripts/oauth2-validate-scope.js)                                     |
| [OIDC claims](plugins-user-info-claims.html)                                 | Fetch the resource owner's information based on an issued access token.                                                | [oidc-claims-extension.js](../_attachments/scripts/oidc-claims-extension.js)                                     |

## Configure the OAuth 2.0 provider to use extensions

After creating a script, configure the OAuth 2.0 provider service to use it:

1. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Services > *OAuth2 Provider* > Plugins.

2. []()For your extension, set the extension type to `SCRIPTED` and select your script from the appropriate list:

   | Extension                        | Extension type setting                       | Script list setting                     |
   | -------------------------------- | -------------------------------------------- | --------------------------------------- |
   | Access token modification        | Access Token Modification Plugin Type        | Access Token Modification Script        |
   | Authorize endpoint data provider | Authorize Endpoint Data Provider Plugin Type | Authorize Endpoint Data Provider Script |
   | Scope evaluator                  | Scope Evaluation Plugin Type                 | Scope Evaluation Provider Script        |
   | Scope validator                  | Scope Validation Plugin Type                 | Scope Validation Provider Script        |
   | User info claims                 | OIDC Claims Plugin Type                      | OIDC Claims Script                      |

Learn more about the provider settings in [OAuth2 provider plugins](../am-reference/services-configuration.html#realm-oauth-oidc-plugins).

## Override OAuth 2.0 provider extension settings

You can also configure extensions in client profiles that override the settings in the OAuth 2.0 provider.

1. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Applications > OAuth 2.0 > Clients > *Client ID* > OAuth2 Provider Overrides.

2. Select Enable OAuth2 Provider Overrides.

3. Configure the client overrides in the same way as [the provider](#extension-settings). Set the extension type to `SCRIPTED` and select your script from the appropriate list.