PingOne Advanced Identity Cloud

Customize dynamic client registration

You can configure Advanced Identity Cloud to run a script after it has processed a dynamic client registration request. This scripted extension point lets you perform custom actions to modify the client profile, for example, by updating client attributes or manipulating user profile data to create client relationships.

Advanced Identity Cloud calls the script after each of the following dynamic client registration operations: CREATE (register a new client profile), UPDATE, and DELETE.

Create a script

Advanced Identity Cloud includes a sample script that updates client attributes with values from the request.

You can use this as a template to create your own custom script.

  1. Create a script with the Script Type set to OAuth2 Dynamic Client Registration.

  2. Write your own or copy the sample script into the Script field.

    A dynamic client registration script is a next-generation script. You have access to all common next-generation bindings such as openidm, httpClient, and utils, to help you modify the client profile.

    Learn about the bindings you can use in the Dynamic client registration scripting API.

  3. Save your changes.

Configure OAuth 2.0 provider to use the script

After creating your script, you must configure Advanced Identity Cloud to use it.

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Client Dynamic Registration to configure a specific OAuth 2.0 provider.

  2. Set Dynamic Client Registration Script to the name of the script you want to use.

  3. Save your changes.

Test your changes

  1. Perform a request to dynamically register, update, or delete a client profile.

  2. The provider runs the script after the operation completes successfully.

    The script isn’t invoked if the operation fails.

  3. Verify that the script makes the changes as expected.

    For the sample script, check for the following modifications depending on the type of request:

    CREATE operation

The script sets the client attribute com.forgerock.openam.oauth2provider.grantTypes to authorization_code plus the grant type supplied in the registration request.

    UPDATE operation

    The script adds the software statement’s redirect_uris property to the client attribute com.forgerock.openam.oauth2provider.redirectionURIs.

    DELETE operation

    The script makes no changes.

The attribute names the script uses to update the client profile, such as com.forgerock.openam.oauth2provider.grantTypes, don't map to the property names returned when you query the /realm-config/agents/OAuth2Client endpoint. Verify the script's changes using the attribute names above rather than the REST property names.

Dynamic client registration scripting API

The dynamic client registration script is a next-generation script and therefore has access to all the next-generation common bindings in addition to those described here.

The following bindings are specific to dynamic client registration scripts:

requestProperties

A map of the properties in the request. Always present.

The keys in the map are as follows:

  • requestUri: The URI of the request.

  • realm: The realm to which the request was made.

  • requestParams: The request parameters and/or posted data. Each value in this map is a list of one or more values.

  • requestHeaders: A map of the request headers. Header names are case-sensitive.

  • requestBody: A map representing the body of the request.

    All of these properties are copied unmodified from the client's request and must be treated as untrusted input: validate them before using them to set client attributes or to build outgoing requests with httpClient. To mitigate the risk of reflection-type attacks, follow OWASP best practices when handling these properties. Find more information in Unsafe use of Reflection.

operation

The dynamic client registration request operation as a String. Possible values: CREATE, UPDATE, DELETE.

clientIdentity

The ScriptedIdentity object that represents the created or updated client.

The identity object has the following methods:

  • public List<String> getAttributeValues(String attributeName)

  • public String getName()

  • public String getUniversalId()

  • public void addAttribute(String attributeName, String attributeValue)

  • public void setAttribute(String attributeName, List<String> attributeValues)

  • public void store() throws IdentityUpdateException

This binding is null if the operation is DELETE.

softwareStatement

A map representing the decoded JWT of the software statement from the request, including the issuer and required claims.

This is an empty map if no software statement is provided.
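The following script illustrates the behaviour described under "Test your changes" together with the bindings listed above. It is an added example, not the product's sample script. In Advanced Identity Cloud the bindings (requestProperties, operation, clientIdentity, softwareStatement) are globals supplied by the platform; here they are passed into a function so the logic can be run offline, and the ScriptedIdentity binding is replaced by a constructed in-memory stub that exposes the same methods. The allowlist of grant types, the https-only redirect URI check, and the use of the grant_types field from the request body (the RFC 7591 metadata name) are assumptions for this example. A real next-generation script may also need to convert JavaScript arrays to the Java List type that setAttribute expects.

```javascript
'use strict';

// Client attribute names used by the sample script described above.
const GRANT_TYPES_ATTR = 'com.forgerock.openam.oauth2provider.grantTypes';
const REDIRECT_URIS_ATTR = 'com.forgerock.openam.oauth2provider.redirectionURIs';

// Assumed deployment policy for this example: grant types a dynamically
// registered client may be given. Not a product default.
const ALLOWED_GRANT_TYPES = new Set(['authorization_code', 'refresh_token', 'client_credentials']);

// Constructed stand-in for the ScriptedIdentity binding. It exposes the methods
// listed in the scripting API table but only records attributes in memory.
function makeIdentity(name, initialAttrs) {
  const attrs = new Map(Object.entries(initialAttrs || {}).map(([k, v]) => [k, [...v]]));
  let stored = false;
  return {
    getName: () => name,
    getUniversalId: () => `id=${name},ou=agent,o=alpha,ou=services,dc=example,dc=com`, // constructed
    getAttributeValues: (attributeName) => [...(attrs.get(attributeName) || [])],
    addAttribute(attributeName, attributeValue) {
      const current = attrs.get(attributeName) || [];
      if (!current.includes(attributeValue)) current.push(attributeValue); // no duplicates
      attrs.set(attributeName, current);
    },
    setAttribute(attributeName, attributeValues) {
      attrs.set(attributeName, [...attributeValues]);
    },
    store() { stored = true; },
    wasStored: () => stored, // test hook, not part of the real binding
  };
}

// Accept only absolute https redirect URIs without a fragment. Values from the
// request are untrusted, so they are validated before being written to the profile.
function isAcceptableRedirectUri(value) {
  if (typeof value !== 'string') return false;
  let url;
  try { url = new URL(value); } catch (e) { return false; }
  return url.protocol === 'https:' && url.hash === '';
}

// Script body. In the platform the four bindings are globals; here they arrive
// as one object so the function can be exercised directly.
function handleRegistration({ requestProperties, operation, clientIdentity, softwareStatement }) {
  // DELETE: clientIdentity is null, so there is nothing to modify.
  if (operation === 'DELETE') {
    return { changed: false, reason: 'DELETE: clientIdentity is null, nothing to update' };
  }
  if (!clientIdentity) {
    return { changed: false, reason: `${operation}: no clientIdentity binding` };
  }

  const body = (requestProperties && requestProperties.requestBody) || {};
  const statement = softwareStatement || {};

  if (operation === 'CREATE') {
    // grant_types comes straight from the untrusted request body: keep only
    // allowlisted values, and always include authorization_code first.
    const requested = Array.isArray(body.grant_types) ? body.grant_types : [];
    const rejected = requested.filter((g) => !ALLOWED_GRANT_TYPES.has(g));
    const extra = requested.filter((g) => ALLOWED_GRANT_TYPES.has(g) && g !== 'authorization_code');
    const grantTypes = ['authorization_code', ...extra];
    clientIdentity.setAttribute(GRANT_TYPES_ATTR, grantTypes);
    clientIdentity.store();
    return { changed: true, grantTypes, rejected };
  }

  if (operation === 'UPDATE') {
    // redirect_uris is a claim of the software statement. Its signature has been
    // checked by the provider, but the claim values can still be malformed.
    const uris = Array.isArray(statement.redirect_uris) ? statement.redirect_uris : [];
    const accepted = uris.filter(isAcceptableRedirectUri);
    const rejected = uris.filter((u) => !isAcceptableRedirectUri(u));
    accepted.forEach((uri) => clientIdentity.addAttribute(REDIRECT_URIS_ATTR, uri));
    if (accepted.length > 0) clientIdentity.store();
    return { changed: accepted.length > 0, accepted, rejected };
  }

  return { changed: false, reason: `unknown operation ${operation}` };
}
```

When adapting this to a real script, drop the function wrapper and use the global bindings directly; keep the validation, since anything reachable through requestProperties or the software statement claims is attacker-influenced data that ends up in a stored client profile.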