Customize dynamic client registration
You can configure AM to run a script after it has processed a dynamic client registration request. This scripted extension point lets you perform custom actions to modify the client profile, for example, by updating client attributes or manipulating PingIDM data to create client relationships.
The script is called after the following dynamic client registration operations: create, update, and delete.
Create a script
AM includes a sample script that updates client attributes with values from the request.
You can use this as a template to create your own custom script.
- In the AM admin UI, create a script with the Script Type set to OAuth2 Dynamic Client Registration.
- Write your own or copy the sample script into the Script field.
  A dynamic client registration script is a next-generation script. You have access to all common next-generation bindings, such as openidm, httpClient, and utils, to help you modify the client profile. Learn about the bindings you can use in the Dynamic client registration scripting API.
- Save your changes.
Configure OAuth 2.0 provider to use the script
After creating your script, you must configure AM to use it.
- In the AM admin UI, go to Realms > Realm Name > Services > OAuth2 Provider > Client Dynamic Registration to configure a specific OAuth 2.0 provider.
  To set your script as the default for all new OAuth 2.0 providers, go to Configure > Global Services > OAuth2 Provider > Client Dynamic Registration.
- Set Dynamic Client Registration Script to the script name you want to use.
- Save your changes.
Test your changes
- Perform a request to register, update, or delete a client profile dynamically.
- The provider runs the script after the operation completes successfully.
  The script isn't invoked if the operation fails.
- Verify that the script makes the changes as expected.
  For the sample script, check for the following modifications depending on the type of request:
  - CREATE operation: The script sets the client attribute com.forgerock.openam.oauth2provider.grantTypes to authorization_code and the grant type for the request.
  - UPDATE operation: The script adds the software statement's redirect_uris property to the client attribute com.forgerock.openam.oauth2provider.redirectionURIs.
  - DELETE operation: The script makes no changes.
The property names used to update client attributes, such as com.forgerock.openam.oauth2provider.grantTypes, are PingDS properties and don't map to the property names found by querying the /realm-config/agents/OAuth2Client endpoint.
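As an added example (not AM's sample script or API), the following JavaScript isolates the per-operation decision logic the sample script's behaviour implies, as a pure function you can run outside AM. The binding names requestType, requestProperties and softwareStatement, the use of the RFC 7591 grant_types request field, and the way the returned changes would be applied to the client are assumptions; it also goes beyond the sample by only merging software-statement redirect URIs that are absolute https URIs without a fragment.

```javascript
// Added example, not the AM sample script. Binding names and the "apply changes"
// step are assumptions; only the attribute names and the per-operation behaviour
// come from the page.
const GRANT_TYPES_ATTR = "com.forgerock.openam.oauth2provider.grantTypes";
const REDIRECT_URIS_ATTR = "com.forgerock.openam.oauth2provider.redirectionURIs";

// A redirect URI taken from a software statement is only merged into the client
// profile if it is an absolute https URI with a host and no fragment.
function isAcceptableRedirectUri(uri) {
  let parsed;
  try {
    parsed = new URL(String(uri));
  } catch (e) {
    return false;
  }
  return parsed.protocol === "https:" && parsed.hostname !== "" && parsed.hash === "";
}

// Returns a map of client attribute name -> new list of values for the given
// operation. An empty map means the client profile is left untouched.
function planClientChanges(requestType, requestProperties, softwareStatement, currentRedirectUris) {
  const changes = {};
  switch (requestType) {
    case "CREATE": {
      // authorization_code is always present; the request's grant types are added to it.
      const grantTypes = new Set(["authorization_code"]);
      const requested = Array.isArray(requestProperties.grant_types) ? requestProperties.grant_types : [];
      requested.forEach((g) => grantTypes.add(String(g)));
      changes[GRANT_TYPES_ATTR] = [...grantTypes];
      break;
    }
    case "UPDATE": {
      // Merge acceptable software-statement redirect URIs with the ones already on the client.
      const fromStatement = Array.isArray(softwareStatement.redirect_uris) ? softwareStatement.redirect_uris : [];
      const merged = new Set(currentRedirectUris);
      fromStatement.filter(isAcceptableRedirectUri).forEach((u) => merged.add(u));
      changes[REDIRECT_URIS_ATTR] = [...merged];
      break;
    }
    case "DELETE":
      break; // nothing to change on a deleted client
    default:
      throw new Error("unknown dynamic client registration operation: " + requestType);
  }
  return changes;
}
```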
Dynamic client registration scripting API
The dynamic client registration script is a next-generation script and, therefore, has access to all the next-generation common bindings in addition to those described here.

| Binding | Description |
|---|---|
|  | A map of the properties in the request. Always present. The keys in the map are as follows: |
|  | The dynamic client registration request operation as a String. Possible values: |
|  | The ScriptedIdentity that represents the created or updated client. |
|  | A map representing the decoded JWT of the software statement from the request, including the issuer and required claims. This is an empty map if no software statement is provided. |