PingOne Advanced Identity Cloud

Customize OAuth2.0 using JavaScript extensions

PingOne Advanced Identity Cloud lets you script extensions in JavaScript to customize OAuth 2.0 authorization server functionality, such as modifying access tokens or customizing how PingOne Advanced Identity Cloud processes scopes.

Supported extensions

The following table describes the extensible features of an PingOne Advanced Identity Cloud OAuth 2.0 authorization server.

Feature Extension options Samples

Modify the OAuth 2.0 access token before the token is persisted or returned to the client.

Return additional data from an authorization request.

Evaluate and return an OAuth 2.0 access token’s scope information.

Customize the requested scopes for authorization, access token, refresh token, and backchannel authorization requests.

Fetch the resource owner’s information based on an issued access token.

Use extensions

The PingOne Advanced Identity Cloud scripting environment runs scripts that you create and manage using the Advanced Identity Cloud admin UI.

After creating a script, configure the OAuth 2.0 provider service to use it.

Access token modification
  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Plugins.

  2. Select your script in the Access Token Modification Script drop-down.

Authorize endpoint data provider
  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Plugins.

  2. Select SCRIPTED in the Authorize Endpoint Data Provider Plugin Type drop-down.

  3. Select your script in the Authorize Endpoint Data Provider Script drop-down.

Scope evaluator
  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Plugins.

  2. Select SCRIPTED in the Scope Evaluation Plugin Type drop-down.

  3. Select your script in the Scope Evaluation Provider Script drop-down.

Scope validator
  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Plugins.

  2. Select SCRIPTED in the Scope Validation Plugin Type drop-down.

  3. Select your script in the Scope Validation Provider Script drop-down.

User info claims
  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Plugins.

  2. Select your script in the OIDC Claims Script drop-down.

For reference information, refer to OAuth2 provider plugins.

It is also possible to configure extensions in client profiles. Under Native Consoles > Access Management, go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID > OAuth2 Provider Overrides.

Common OAuth 2.0 extension bindings

An extension script has access to bindings, objects that PingOne Advanced Identity Cloud injects into the script execution context.

Some extension scripts have access to the following bindings. For additional bindings, refer to the comments in the sample scripts.

Binding Information

accessToken

The OAuth 2.0 access token.

For details, refer to AccessToken.

httpClient

An HTTP client for making external HTTP requests. Always present in all extension scripts.

identity

An identity PingOne Advanced Identity Cloud can access.

For details, refer to AMIdentity.

logger

Write a message to the PingOne Advanced Identity Cloud debug log. Always present in all extension scripts.

In Advanced Identity Cloud, this corresponds to the am-core log source.

Logger names use the format: scripts.<context>.<script UUID>.(<script name>); for example, `scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script).

For information about debug logs, refer to Get audit and debug logs.

scriptName

The display name of the script. Always present in all extension scripts.

session

The user’s session object.

For details, refer to SSOToken.