Script bindings
Each script type exposes a number of bindings, objects that AM injects into the script execution context. The bindings provide a stable way of accessing AM functionality, without the need to allowlist Java classes. Scripts are provided with all the bindings for their context at the point of execution.
Find information about context-specific bindings in the documentation for each script type.
|
AM has introduced a next-generation scripting engine that offers several benefits, including enhanced script bindings. The availability and usage of bindings depend on the script engine version of the script: legacy or next-generation. Both versions are described in this section. You can find information about migrating to the enhanced scripting engine in Migrating to next-generation scripts. |
The following bindings are common to many authentication and authorization scripts. Use these bindings to access data and perform script operations such as logging.
Binding |
Description |
Availability |
|
Legacy |
Next-generation |
||
Access the name of the current cookie. |
No |
Yes |
|
Make outbound HTTP calls. |
Partial 1 |
Yes |
|
Write a message to the AM debug log. |
Yes |
Yes |
|
Manage a IDM resource. |
No |
Yes |
|
Evaluate policies using the policy engine API. |
No |
Yes |
|
Access the realm to which the user is authenticating. |
Yes |
Yes |
|
Access the name of the running script. |
Partial 1 |
Yes |
|
Reference secrets and credentials from scripts. |
Partial 2 |
Yes |
|
Reference system properties. |
Yes |
Yes |
|
Access utility functions such as base64 encoding/decoding, cryptographic operations, and generating random values. |
No |
Yes |
|
Manage PingOne Verify transactions related to the user, and manage the associated PingOne user account. |
No |
Yes 3 |
|
1 Available in OAuth 2.0 script types, scripted decision node scripts, and SAML v.2.0 scripts.
2 Available in OAuth 2.0 JWT bearer and scripted decision node scripts.
3 Available in PingOne Verify Completion Decision scripts.
|
Make sure you don’t use the same name for a local variable as that of a common binding in your script. These names are reserved for common bindings only. If you have already defined a local variable with the same name as one that’s added to common bindings
in a more recent version of AM; for example, |
Retrieve cookie name
The cookieName binding lets you access the name of the cookie as a string.
You can use the cookie name to perform session actions such as ending all open sessions for a user.
// add cookie name to shared state, for example: iPlanetDirectoryPro
nodeState.putShared("myCookie", cookieName);The cookieName binding is available in next-generation scripts only.
Access HTTP services
Call HTTP services with the httpClient.send method. HTTP client requests are asynchronous,
unless you invoke the get() method on the returned object.
The following examples demonstrate different ways to send HTTP client requests:
Methods
-
Next-generation
-
Legacy
The httpClient binding uses native JavaScript objects, and behaves like the
Fetch API.
- To invoke an HTTP request
-
-
ResponseScriptWrapper httpClient.send(String uri, Map requestOptions).get()Sends a synchronous request to the specified URI with request options. The
requestOptionsparameter is a native JavaScript object that supportsmethod,headers,form,clientName,token, andbodyas attributes.Use the
requestOptionsattribute,form, to send a form request. Theformattribute automatically URL-encodes fields, and you don’t need to specify"Content-Type": "application/x-www-form-urlencoded"as part of the headers.For example:
var requestOptions = { method: "POST", form: { field1: "value1", field2: "value2" } } -
ResponseScriptWrapper httpClient.send(String uri).get()Sends a synchronous GET request with no additional request options.
-
- To access response data
-
Use the following methods to get response information:
-
Map response.formData() -
Map response.json() -
String response.text()
The following fields provide response status information:
Field Type headersMap
okboolean
statusinteger
statusTextString
The response is similar to Response object behavior.
-
- To invoke a synchronous HTTP request
-
-
HTTPClientResponse httpClient.send(Request request).get()
-
- To access response data
-
-
JSON.parse(response.getEntity().getString())HttpClientResponsemethods: -
Map<String, String> getCookies() -
String getEntity() -
Map<String, String> getHeaders() -
String getReasonPhrase() -
Integer getStatusCode() -
boolean hasCookies() -
boolean hasHeaders()
-
|
The |
Example: Send a synchronous request
The following example uses the httpClient binding to send a synchronous authentication request and check for success.
-
Next-generation
-
Legacy
This example assumes you’ve created a custom library script (authLib) that handles authentication.
// import the library script that handles authentication
var authLib = require("authLib");
// use the library function to get authentication token
var bearerToken = authLib.generateBearer(nodeState);
var requestOptions = {
method: "POST",
headers: {
"Content-Type": "application/json"
},
token: bearerToken, // Equivalent to Authorization header
body: {
username: "bjensen"
}
}
var requestURL = "https://my.auth.server/authenticate";
var response = httpClient.send(requestURL, requestOptions).get();
if (response.status === 200) {
action.goTo("true");
} else {
action.goTo("false");
}var fr = JavaImporter(org.forgerock.openam.auth.node.api.Action);
var requestURL = "https://my.auth.server/authenticate";
var request = new org.forgerock.http.protocol.Request();
request.setUri(requestURL);
request.setMethod("POST");
request.getHeaders().add("Content-Type", "application/json;");
request.getHeaders().add("Authorization", "Bearer abcd-1234");
request.setEntity(JSON.stringify({"username": "bjensen"}));
var response = httpClient.send(request).get();
var responseCode = response.getStatus().getCode();
if (responseCode === 200) {
action = fr.Action.goTo("true").build();
} else {
action = fr.Action.goTo("false").build();
}Example: Send an asynchronous request
The httpclient binding also supports asynchronous requests so that you can
perform non-blocking operations, such as recording logging output after the script has completed.
To make an asynchronous request, use the same method signatures to send the request
but without calling get() on the returned object. The send() method then initiates
a separate thread to handle the response. Callers are unable to control when the asynchronous call is processed,
so won’t be able to use the response as part of authentication processing.
-
Next-generation
-
Legacy
public Promise<ResponseScriptWrapper, HttpClientScriptException> send(String uri)
public Promise<ResponseScriptWrapper, HttpClientScriptException> send(String uri, Map<String, Object> requestOptions)public Promise<Response, NeverThrowsException> send(Request request)For example:
-
Next-generation
-
Legacy
var requestURL = "https://my.auth.server/audit";
// creates separate thread to handle response
var response = httpClient.send(requestURL).then((response) => {
if (!response) {
logger.error("Bad response from " + requestURL);
return;
}
if (response.status != 200) {
logger.error("Unexpected response: " + response.statusText);
return;
}
logger.debug("Returned from async request");
});
// continues processing whilst awaiting response
action.goTo("true");var fr = JavaImporter(
org.forgerock.http.protocol.Request,
org.forgerock.http.protocol.Response,
org.forgerock.openam.auth.node.api.Action);
var request = new fr.Request();
request.setUri("https://my.auth.server/audit");
request.setMethod("GET");
var response = httpClient.send(request).then((response) => {
if (!response) {
logger.error("Bad response from " + requestURL);
return;
}
var status = response.getStatus().getCode();
if (status != 200) {
logger.error("Unexpected response: " + response.getEntity().getString());
return;
}
logger.message("Returned from async request");
});
action = fr.Action.goTo("true").build();Example: Send a request using mTLS
Configure the httpclient to use mTLS to exchange data securely when making a request to an external service.
Follow these example steps to send an HTTP request using mTLS:
Configure the HTTP Client service
Complete these steps to configure an instance of the HTTP Client service.
The instance defines settings such as timeout values and the client certificate or
truststore secret labels required by the httpclient script binding to make a TLS connection.
You can configure the instance to override default values. For example, to set connection or response
timeout values for a request initiated by the HTTP client, enable Use Instance Timeouts in the
service instance and set the timeout accordingly.
You can find information about these settings in the Http Client service configuration.
-
In the AM admin UI, go to Realms > Realm Name > Services.
-
Click Add a Service and select Http Client Service from the list of service types.
-
Enable the service and save your changes.
-
On the Secondary Configurations tab, click Add a Secondary Configuration.
-
Provide a name for the HTTP client instance; for example,
myHttpClient, and click Create. -
Enable the configuration and save your changes.
Make sure both the service and the secondary configuration are enabled.
-
On the TLS Configuration tab, enter an identifier to be used in your secret label in the Client Certificate Secret Label Identifier field.
For example,
testCrtcreates the dynamic secret label,am.services.httpclient.mtls.clientcert.testCrt.secret.To specify a truststore to verify the target server’s certificate, provide a value for Server Trust Certificates Secret Label Identifier.
This creates the dynamic secret label,
am.services.httpclient.mtls.servertrustcerts.identifier.secret. -
Optionally, configure connection and response timeout values on the Timeouts tab. Enable Use Instance Timeouts to override the default settings in advanced properties.
-
Save your changes.
Map a certificate to the secret label
-
Upload a PKCS#12 certificate (
.p12file) to a directory accessible to your AM deployment. It must contain a private key and a certificate.For testing purposes, you can create your own
.p12file using openssl.If you have a PEM file containing both the certificate and a private key, you can use
opensslto create a PKCS#12 file:openssl pkcs12 -export -in myfile.pem -out mycert.p12 -name myAlias`To check the details of the keystore file, run the following
keytoolcommand:keytool -list -v -keystore mycert.p12 -storetype pkcs12Example output
Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 1 entry Alias name: myalias Creation date: Mar 19, 2025 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=BadSSL Client Certificate, O=BadSSL, L=San Francisco, ST=California, C=US Issuer: CN=BadSSL Client Root Certificate Authority, O=BadSSL, L=San Francisco, ST=California, C=US Serial number: adb285150f249509 Valid from: Tue Mar 18 21:00:15 UTC 2025 until: Thu Mar 18 21:00:15 UTC 2027 Certificate fingerprints: SHA1: 0D:51:42:C2:2A:67:8D:14:11:2F:4E:04:C9:75:3F:36:AA:03:5E:AD SHA256: 8A:CD:0E:83:1A:1F:6C:5F:0F:A0:50:2D:7C:48:5C:0A:96:84:9A:29:A7:02:54:57:BB:F1:0B:6D:53:89:21:5A Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 3 Extensions: #1: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[ CA:false PathLen: undefined ] #2: ObjectId: 2.5.29.15 Criticality=false KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment ] #3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false NetscapeCertType [ SSL client ] -
Create secret label mappings for the keystore and entry passwords in an existing store.
For example, save the passwords in two files mapped to secrets in a file system secret volume,
mystorepassandmyentrypass. -
Create a keystore in AM with the following settings:
- File
-
/path/to/mycert.p12 - Keystore type
-
PKCS12 - Store password secret label
-
mystorepass - Entry password secret label
-
myentrypass
-
Map the Http Client service secret label to the keystore. For example:
- Secret Label
-
am.services.httpclient.mtls.clientcert.testCrt.secret - Aliases
-
myalias
Create a script to send the HTTP request
Write a next-generation decision node script to send a request using the HTTP client instance in the request options.
-
In your script, specify your HTTP client instance as the value for
clientNameinrequestOptions.For example:
var requestOptions = { "clientName": "<myhttpclient>" (1) } var res = httpClient.send("https://client.badssl.com", requestOptions).get(); (2) action.withHeader(Response code: ${res.status}); if (res.status == 200) { action.withDescription(res.text()); } else { logger.error(res.text()); action.goTo("false"); };1 The clientNameattribute must reference an enabled instance of the HTTP Client service.2 This script uses a test site that checks that the request includes a particular client certificate. Replace this with your mTLS endpoint. -
Create a simple journey that includes the scripted decision node to test your changes.
-
Verify that the HTTP request is sent successfully.
If successful, the example script results in a webpage displaying a response code of 200 on a green background.
Log script messages
Write messages to AM debug logs by using the logger object.
Scripts that create debug messages have their own logger which is created after the script has executed at least once.
Logger names use the format: scripts.<context>.<script UUID>.(<script name>); for example,
scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script).
You can find information about debug logs in Debug logging.
-
Next-generation
-
Legacy
The ScriptedLoggerWrapper is based on the SLF4J logging framework. You can log messages at the following levels:
-
Trace
-
Debug
-
Info
-
Warn
-
Error
var traceEnabled = logger.isTraceEnabled();
logger.trace("Trace with arg {}", arg);
var debugEnabled = logger.isDebugEnabled();
logger.debug("Debug with arg {}", arg);
var infoEnabled = logger.isInfoEnabled();
logger.info("Info with arg {}", arg);
var warnEnabled = logger.isWarnEnabled();
logger.warn("Warn with arg {}", arg);
var errorEnabled = logger.isErrorEnabled();
logger.error("Error with arg {}", arg);The Debug logger lets you log messages at the following levels:
-
Message
-
Warning
-
Error
var messageEnabled = logger.messageEnabled();
logger.message("Message with arg {}", arg);
var warnEnabled = logger.warningEnabled();
logger.warning("Warn with arg {}", arg);
var errorEnabled = logger.errorEnabled();
logger.error("Error with arg {}", arg);Access IDM scripting functions
The openidm binding lets you manage a IDM resource by calling
scripting functions directly from a decision node script.
|
The |
The following CRUDPAQ functions are supported:
-
create
-
read
-
update
-
delete
-
patch
-
action
-
query
For more information, refer to Scripting functions.
|
The |
The following example illustrates how to create a user, update their details, send an email, and finally delete the user:
-
Next-generation
-
Legacy
var username = "bjensen";
// CREATE: returns the new user identity as a JSON object (wrapped in a MapScriptWrapper)
var newUser = openidm.create("managed/user", null, {
"userName": username,
"mail": "foo@bar.com",
"givenName": "Foo",
"sn": "Bar"});
// Access the fields directly, for example: ._id, .sn, .city, .country
var userID = newUser._id;
// READ: returns entire identity as a JSON object
var user = openidm.read("managed/user/" + userID);
// Debug to output all fields
logger.debug("user: " + JSON.stringify(user));
// UPDATE: replaces entire identity with specified object
// Returns the updated identity as a JSON object
user.description = 'New description';
var updatedUser = openidm.update("managed/user/" + userID, null, user);
// PATCH: selectively modify object, returns entire identity
var patchedUser = openidm.patch("managed/user/" + userID, null, [{
"operation":"replace",
"field":"/mail",
"value":"new@example.com"
}]);
// QUERY: returns results array in a map
var queryRes = openidm.query("managed/user",
{"_queryFilter":`/userName eq '${username}'`},["*", "_id"]);
// Debug query result count and the requested properties
logger.debug("Query result count: " + queryRes.resultCount);
logger.debug("Queried user: " + queryRes.result[0].givenName);
// ACTION: send email using the action function
var actionRes = openidm.action("external/email", "send", {
"from": "admin@example.com",
"to": patchedUser.mail,
"subject": "Example email",
"body": "This is an example"
});
// Example response if not null: {"status":"OK","message":"Email sent"}
logger.debug("Status: " + actionRes.status + " : " + actionRes.message);
// DELETE: returns deleted object if successful, throws exception if not
openidm.delete('managed/user/'+ userID, null);
action.goTo("true");Not available in Legacy bindings
Output realm name
The realm binding lets you access the name of the realm to which the user is authenticating as a string.
For example, authenticating to the alpha realm returns a string value of /alpha.
-
Next-generation
-
Legacy
// log current realm
logger.debug("User authentication realm: " + realm);// log current realm
logger.message("User authentication realm: " + realm);Output script name
Use the scriptName binding to get the name of the running script as a string.
-
Next-generation
-
Legacy
// log current script name
logger.debug("Running script: " + scriptName);
// or use a library script to log script name
var mylib = require('loggingLibrary');
mylib.debug(logger, scriptName);// log current script name
logger.message("Running script: " + scriptName);Access secrets and credentials
Use the secrets binding to access secrets configured in AM secret stores.
For example, a script can access credentials or secrets defined in a file system secret volume to make outbound calls to a third-party REST service without hard-coding those credentials in the script.
Only secret labels that begin with the string scripted.node. are accessible to scripts.
|
Methods
Use the following method to return the value of the specified secret label:
- String secrets.getGenericSecret(String secretLabel)
-
If the secret label is defined at the realm level, its value is returned; otherwise, the script returns the value defined at the global level.
To format the returned secret value, use these supported methods:
- getAsBytes()
-
Retrieve the secret value in
byte[]format. - `getAsUtf8()
-
Retrieve the secret value in UTF-8 format.
Learn more about the supported methods in the Secret and ScriptedSecrets Javadoc.
Examples
The following example scripts show how to get a password from a secret label named scripted.node.example.secret.
The scripts use the encoded username (bjensen) and password (passwd) in a basic authentication header to access the
http://httpbin.org/basic-auth/{user}/{passwd} service.
-
Next-generation
-
Legacy
// secret [cGFzc3dk] stored in file system secret store
var password = secrets.getGenericSecret("scripted.node.example.secret").getAsUtf8();
var auth = utils.base64.encode("bjensen:" + password);
var requestURL = "http://httpbin.org/basic-auth/bjensen/passwd";
var requestOptions = {
method: "GET",
headers: {
"Content-Type": "application/json",
"Authorization": "Basic ".concat(auth)
},
}
var response = httpClient.send(requestURL, requestOptions).get();
if (!response) {
logger.error("Bad response from " + requestURL);
action.goTo("false");
} else {
if (response.status != 200) {
logger.warn("Authentication not successful. Code: " + response.status);
action.goTo("false");
} else {
logger.debug("Authenticated: " + response.json().authenticated);
action.goTo("true");
}
}|
To construct the header for basic authorization, make sure you use the |
|
To use this sample script, add the following classes to the class allowlist property
in the
For details, refer to Access Java classes. |
var fr = JavaImporter(org.forgerock.openam.auth.node.api.Action);
// secret [cGFzc3dk] stored in file system secret store
var password = secrets.getGenericSecret("scripted.node.example.secret").getAsUtf8();
var auth = java.util.Base64.getEncoder().encodeToString(java.lang.String("bjensen:" + password).getBytes());
var request = new org.forgerock.http.protocol.Request();
request.setMethod("GET");
request.setUri("http://httpbin.org/basic-auth/bjensen/passwd");
request.getHeaders().add("content-type","application/json; charset=utf-8");
request.getHeaders().add("Authorization", "Basic " + auth);
var response = httpClient.send(request).get();
var jsonResult = JSON.parse(response.getEntity().getString());
logger.error("Script result: " + JSON.stringify(jsonResult));
if (jsonResult.hasOwnProperty("authenticated")) {
action = fr.Action.goTo("success").build();
} else {
action = fr.Action.goTo("failure").build();
}Reference substituted properties in scripts
The systemEnv binding, available to all script types, includes an instance of the
ScriptPropertyResolver class. This interface exposes the following methods:
String getProperty(String propertyName);
String getProperty(String propertyName, String defaultValue);
<T> T getProperty(String propertyName, String defaultValue, Class<T> returnType);where:
-
propertyNamerefers to a configuration expression (without the ampersand or braces)To reference a substituted property in a script, the property name must include a specific prefix; for example,
script.my.variable. This prefix decreases the risk that random property values are resolved in scripts.The default prefix for all script types, is
script. To change the prefix, go to Configure > Global Services > Scripting > Secondary Configurations > Script Type > Secondary Configurations > Engine Configuration > Property Name Prefix.Make sure
propertyNameis specific enough to distinguish it from other configuration expressions. -
defaultValueis the default value set for that property in the configuration expressionThe
defaultValuemust not benull. -
returnTypeis one of the following fully-qualified Java class names:-
java.lang.Boolean -
java.lang.Double -
java.lang.Integer -
java.lang.String -
java.util.List -
java.util.Map
-
The getProperty(String propertyName) method returns null when the propertyName is not valid.
For example:
The following example assumes that the property name prefix is set to script
in the script engine configuration for the script type.
The script is used in a Scripted Decision node to get the values such as the
user’s email, hostname, and port.
The script also shows type transformation where the type isn’t a string.
-
JavaScript
-
Groovy
var fr = JavaImporter(org.forgerock.openam.auth.node.api.Action);
// Properties should get resolved (set in AM)
var email = systemEnv.getProperty('script.tree.decision.node.email');
var name = systemEnv.getProperty('script.tree.decision.node.hostname', 'defaultHostname');
var port = systemEnv.getProperty('script.tree.decision.node.port', '587', java.lang.Integer);
var double = systemEnv.getProperty('script.tree.decision.node.double', '2.0', java.lang.Double);
var hasPort = systemEnv.getProperty('script.tree.decision.node.hasPort', 'false', java.lang.Boolean);
var map = systemEnv.getProperty('script.tree.decision.node.map', '{"defaultKey":"defaultValue"}', java.util.Map);
var list = systemEnv.getProperty('script.tree.decision.node.list', 'defaultValue', java.util.List);
// Properties should get resolved to their defaults (not set in AM)
var defaultName = systemEnv.getProperty('script.tree.decision.node.hostname.unresolved', 'defaultHostname');
var defaultPort = systemEnv.getProperty('script.tree.decision.node.port.unresolved', '587', java.lang.Integer);
var defaultDouble = systemEnv.getProperty('script.tree.decision.node.double.unresolved', '2.0', java.lang.Double);
var defaultHasPort = systemEnv.getProperty('script.tree.decision.node.hasPort.unresolved', 'false', java.lang.Boolean);
var defaultMap = systemEnv.getProperty('script.tree.decision.node.map.unresolved', '{"defaultKey":"defaultValue"}', java.util.Map);
var defaultList = systemEnv.getProperty('script.tree.decision.node.list.unresolved', 'defaultFirstValue,defaultSecondValue', java.util.List);
// Assert all property values - set the appropriate outcome
if (email === 'test@example.com' && name === 'testHostname' && port === 25 && double === 1.0 && hasPort === true
&& map.get('testKey') == 'testValue' && list == '[testFirstValue, testSecondValue]'
&& defaultName === 'defaultHostname' && defaultPort === 587 && defaultDouble === 2.0 && defaultHasPort === false
&& defaultMap.get('defaultKey') == 'defaultValue' && defaultList == '[defaultFirstValue, defaultSecondValue]') {
action = fr.Action.goTo("true").build();
} else {
action = fr.Action.goTo("false").build();
}// Properties should get resolved (set in AM)
String email = systemEnv.getProperty('script.tree.decision.node.email');
String name = systemEnv.getProperty('script.tree.decision.node.hostname', 'defaultHostname');
Integer port = systemEnv.getProperty('script.tree.decision.node.port', '587', java.lang.Integer);
Double testDouble = systemEnv.getProperty('script.tree.decision.node.double', '2.0', java.lang.Double);
Boolean hasPort = systemEnv.getProperty('script.tree.decision.node.hasPort', 'false', java.lang.Boolean);
Map map = systemEnv.getProperty('script.tree.decision.node.map', '{\"defaultKey\":\"defaultValue\"}', java.util.Map);
List list = systemEnv.getProperty('script.tree.decision.node.list', 'defaultValue', java.util.List);
// Properties should get resolved to their defaults (not set in AM)
String defaultName = systemEnv.getProperty('script.tree.decision.node.hostname.unresolved', 'defaultHostname');
Integer defaultPort = systemEnv.getProperty('script.tree.decision.node.port.unresolved', '587', java.lang.Integer);
Double defaultDouble = systemEnv.getProperty('script.tree.decision.node.double.unresolved', '2.0', java.lang.Double);
Boolean defaultHasPort = systemEnv.getProperty('script.tree.decision.node.hasPort.unresolved', 'false', java.lang.Boolean);
Map defaultMap = systemEnv.getProperty('script.tree.decision.node.map.unresolved', '{\"defaultKey\":\"defaultValue\"}', java.util.Map);
List defaultList = systemEnv.getProperty('script.tree.decision.node.list.unresolved', 'defaultFirstValue,defaultSecondValue', java.util.List);
// Assert all property values - set the appropriate outcome
if (email.equals('test@example.com') && name.equals('testHostname') && port == 25 && testDouble == 1.0d && hasPort == true
&& defaultName.equals('defaultHostname') && defaultPort == 587 && defaultDouble == 2.0d && defaultHasPort == false
&& map.get('testKey').equals('testValue')
&& list.get(0).equals('testFirstValue') && list.get(1).equals('testSecondValue')
&& defaultMap.get('defaultKey').equals('defaultValue')
&& defaultList.get(0).equals('defaultFirstValue') && defaultList.get(1).equals('defaultSecondValue')) {
outcome = 'true';
} else {
outcome = 'false';
}Access utility functions
Use the next-generation utils binding to perform functions such as encoding/decoding
and encryption/decryption, type conversion, and cryptographic operations.
The utils binding isn’t available in legacy scripts.
|
Base64 encode and decode
- String base64.encode(String toEncode)
-
Encodes the specified text using base64.
- String base64.encode(byte[] toEncode)
-
Encodes the specified bytes using base64.
- String base64.decode(String toDecode)
-
Decodes the specified text using base64.
- byte[] base64.decodeToBytes(String toDecode)
-
Decodes the specified text using base64 and returns the result as an array of bytes.
- Example
var encoded = utils.base64.encode("exampletext")
logger.debug("Encoded text: " + encoded); //ZXhhbXBsZXRleHQ=
var decoded = utils.base64.decode(encoded);
logger.debug("Decoded text: " + decoded);Base64Url encode and decode
- String base64url.encode(String toEncode)
-
Encodes the specified text using base64url.
- String base64url.decode(String toDecode)
-
Decodes the specified text using base64url.
- Example
var encodedURL = utils.base64url.encode("http://exampletext=")
logger.debug("Encoded URL: " + encodedURL); //aHR0cDovL2V4YW1wbGV0ZXh0PQ
var decodedURL = utils.base64url.decode(encodedURL);
logger.debug("Decoded URL: " + decodedURL);Generate random values
- String crypto.randomUUID()
-
Returns a type 4 pseudo-random generated UUID.
- <JavaScript array> crypto.getRandomValues(<JavaScript array> array)
-
Returns the specified array filled with the same number of generated random numbers.
- Example
// generate a pseudorandom UUID (version 4)
var uuid = utils.crypto.randomUUID();
logger.debug("UUID: " + uuid); //eef5b4e1-ae86-4c0a-9160-5afee2b5e791
// generate an array of 5 random values
var array = [0,0,0,0,0];
utils.crypto.getRandomValues(array);
array.forEach(function(element){
logger.debug("Random value: " + element);
});Convert types
- String types.bytesToString(byte[] toConvert)
-
Converts a byte array to a string.
- byte[] types.stringToBytes(String toConvert)
-
Converts a string to a byte array.
- Example
var dataBytes = utils.types.stringToBytes("data");
var dataString = utils.types.bytesToString(dataBytes);Generate keys
- Object crypto.subtle.generateKey(String algorithm)
-
Generates a key using the specified algorithm and default values.
- Object crypto.subtle.generateKey(Map<String, Object> algorithm)
-
Generates a key using the parameters provided, depending on the algorithm specified.
- Parameters
| Option | Algorithm | Description |
|---|---|---|
|
All |
Required. The name of the algorithm. Possible values: |
|
|
Optional. Default: |
|
|
Optional. Default: |
|
|
Optional. Possible values: |
- Example
var aesKey = utils.crypto.subtle.generateKey("AES");
// Optionally specify 'length' (default 256)
var aesKeyCustom = utils.crypto.subtle.generateKey(
{
"name": "AES", length: 256
}
);
var rsaKey = utils.crypto.subtle.generateKey("RSA");
// Optionally specify 'modulusLength' (default 2048)
var rsaKeyCustom = utils.crypto.subtle.generateKey(
{
"name": "RSA", modulusLength: 4096
}
);
var hmacKey = utils.crypto.subtle.generateKey("HMAC");
// Optionally specify 'hash' (default 'SHA-256')
var hmacKeyCustom = utils.crypto.subtle.generateKey(
{
"name": "HMAC", "hash": "SHA-256"
}
);
logger.debug("AES key: " + aesKey.length);
logger.debug("RSA keys: " + rsaKey.publicKey.length + " : " + rsaKey.privateKey.length);Encrypt and decrypt
- byte[] crypto.subtle.encrypt(String algorithm, byte[] key, byte[] data)
-
Encrypts the data using the specified key and algorithm (
AESorRSA).
- byte[] crypto.subtle.decrypt(String algorithm, byte[] key, byte[] data)
-
Decrypts the data using the specified key and algorithm (
AESorRSA).
- Example
var data = utils.types.stringToBytes("data");
var aesKey = utils.crypto.subtle.generateKey("AES");
var rsaKey = utils.crypto.subtle.generateKey("RSA");
var encryptedAes = utils.crypto.subtle.encrypt("AES", aesKey, data);
var decryptedAes = utils.crypto.subtle.decrypt("AES", aesKey, encryptedAes);
var encryptedRsa = utils.crypto.subtle.encrypt("RSA", rsaKey.publicKey, data);
var decryptedRsa = utils.crypto.subtle.decrypt("RSA", rsaKey.privateKey, encryptedRsa);
logger.debug("decryptedAes: " + decryptedAes + " decryptedRsa: " + decryptedRsa);Compute digest (hash) values
- String crypto.subtle.digest(String algorithm, byte[] data)
-
Returns the digest of the data using the specified algorithm. The algorithm must be one of
SHA-1,SHA-256,SHA-384,SHA-512. - Example
var data = utils.types.stringToBytes("data");
var digest = utils.crypto.subtle.digest("SHA-256", data);
logger.debug("Digest length: " + digest.length);Sign and verify
- byte[] sign(String algorithm, byte[] key, byte[] data)
-
Signs the data using the specified algorithm and key.
- byte[] sign(Map<String, Object> algorithmOptions, byte[] key, byte[] data)
-
Signs the data using the specified algorithm options and key.
- boolean verify(String algorithm, byte[] key, byte[] data, byte[] signature)
-
Verifies the signature of the data using the specified algorithm and key.
- boolean verify(Map<String, Object> algorithmOptions, byte[] key, byte[] data, byte[] signature)
-
Verifies the signature of the data using the specified key and map of parameters.
- Parameters
| Option | Algorithm | Description |
|---|---|---|
|
All |
Required. The name of the algorithm. Possible values: |
|
|
Optional. Possible values: |
- Example
var data = utils.types.stringToBytes("data");
var rsaKey = utils.crypto.subtle.generateKey("RSA");
var hmacKey = utils.crypto.subtle.generateKey("HMAC");
var signRsa = utils.crypto.subtle.sign("RSA", rsaKey.privateKey, data);
var verifyRsa = utils.crypto.subtle.verify("RSA", rsaKey.publicKey, data, signRsa);
var hmacOpts = {
"name": "HMAC",
"hash": "SHA-512"
}
var signHmac = utils.crypto.subtle.sign(hmacOpts, hmacKey, data);
var verifyHmac = utils.crypto.subtle.verify(hmacOpts, hmacKey, data, signHmac);
logger.debug("RSA key verified: " + verifyRsa);
logger.debug("HMAC key verified: " + verifyHmac);Evaluate policies
The next-generation policy binding lets you access the policy engine API and evaluate policies from within scripts.
Methods
- List<Map<String, Object>> policy.evaluate(subject, application, resources, environment)
-
Use the
evaluate()method to request policy decisions for specific resources. - Parameters
-
The following parameters are required:
Parameter Type Description subjectMap<String, Object>
The subject making the request, specified as an
ssoToken, ajwt, or aclaimsvalue.applicationString
The name of the policy set.
resourcesList<String>
The resources to request decisions for.
environmentMap<String, List<String>>
Specify environment conditions as a map of keys to lists of values, or
{}to indicate none. - Returns
-
The method returns evaluation decisions as a list of maps containing the following fields:
Field Description resourceThe requested resource.
actionsA map of actions and corresponding boolean values. For example:
"actions":{ "POST":false, "PATCH":false, "GET":false, "DELETE":false, "OPTIONS":true, "HEAD":false, "PUT":false }attributesA map of attribute names to their values if attributes exist for the policy.
advicesA map of advice names to their values if advice exists for the policy.
Learn how the evaluate method works and its parameters in
Request policy decisions for a specific resource. The policy binding works in a similar way to this REST API call.
Example
The following example script requests a policy decision for a URL resource.
var subject = {
ssoToken: requestCookies[cookieName]
}
var application = "testPolicySet"
var resources = ["http://example.com:80/test"]
var environment = {
"myField": ["myValue"]
}
var evaluationResult;
try {
// policy.evaluate() returns List<Map<String, Object>>
var results = policy.evaluate(subject, application, resources, environment);
evaluationResult = results[0];
} catch(e) {
logger.error(`Policy Evaluation Failed: ${e.message}`)
}
if (evaluationResult && evaluationResult.actions['GET'] === true) {
action.goTo("authorized")
} else {
action.goTo("unauthorized")
}Access PingOne Verify transactions and manage associated user
Use the verifyTransactionsHelper binding from your PingOne Verify Completion Decision node
script to access information about the PingOne Verify transactions
the user has performed and to manage the associated user account in PingOne.
Methods
Map getLastVerifyTransaction()-
Retrieve the user’s most recent transaction they performed with PingOne Verify.
Returns a map containing the data about the most recent transaction or
nullif no transactions are available.View example return data
{ "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-fak3-49f5-a5d9-80ad5c98f9f6/users/36ff33da-abc7-ch15-abab-8b2412345461/verifyTransactions/dd5a6d4f-m0nd-0819-b107-85a0a10138c6"}, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-fak3-49f5-a5d9-80ad5c98f9f6"}, "user": { "href": "https://api.pingone.com/v1/users/36ff33da-abc7-ch15-abab-8b2412345461"} }, "id": "dd5a6d4f-m0nd-0819-b107-85a0a10138c6", "transactionStatus": { "status": "SUCCESS", "verificationStatus": { "GOVERNMENT_ID": "SUCCESS", "LIVENESS": "SUCCESS", "FACIAL_COMPARISON_DOCUMENT": "SUCCESS" } }, "verifiedDocuments": "[selfie, liveness, driver_license]", "createdAt": "2024-12-09T13:45:34.882Z", "updatedAt": "2024-12-09T13:45:34.882Z", "expiresAt": "2024-12-09T14:15:34.882Z" } Map getAllVerifyTransactions()-
Retrieve all the user’s transactions performed with PingOne Verify.
Returns a map containing the data about all transactions or
nullif no transactions are available.View example return data
{ "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/36ff33da-cba7-4d46-bedc-8b242889d461/verifyTransactions" } }, "_embedded": { "verifyTransactions": [ { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/36ff33da-cba7-4d46-bedc-8b242889d461/verifyTransactions/029ea878-2618-4067-b7e3-922591e6b55f" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "user": { "href": "https://api.pingone.com/v1/users/36ff33da-cba7-4d46-bedc-8b242889d461" } }, "id": "029ea878-2618-4067-b7e3-922591e6b55f", "transactionStatus": { "status": "APPROVED_NO_REQUEST" }, "createdAt": "2022-02-17T20:32:22.052Z", "updatedAt": "2022-02-17T20:32:58.711Z", "expiresAt": "2022-02-17T21:02:58.711Z" }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/36ff33da-cba7-4d46-bedc-8b242889d461/verifyTransactions/cca479e7-d130-4e3c-b888-74ba1920f59a" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "user": { "href": "https://api.pingone.com/v1/users/36ff33da-cba7-4d46-bedc-8b242889d461" } }, "id": "cca479e7-d130-4e3c-b888-74ba1920f59a", "transactionStatus": { "status": "REQUESTED" }, "qrUrl": "https://api.pingone.com/v1/idValidations/shortcode/086645084110/qr", "verificationCode": "086645084110", "createdAt": "2022-02-17T20:23:58.662Z", "updatedAt": "2022-02-17T20:23:58.662Z", "expiresAt": "2022-02-17T20:53:58.662Z" }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/36ff33da-cba7-4d46-bedc-8b242889d461/verifyTransactions/52c9bf9a-0687-4e01-85d1-9caa9bb387ee" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "user": { "href": "https://api.pingone.com/v1/users/36ff33da-cba7-4d46-bedc-8b242889d461" } }, "id": "52c9bf9a-0687-4e01-85d1-9caa9bb387ee", "transactionStatus": { "status": "REQUESTED" }, "qrUrl": "https://api.pingone.com/v1/idValidations/shortcode/008299320746/qr", "verificationCode": "008299320746", "createdAt": "2022-02-17T20:23:08.887Z", "updatedAt": "2022-02-17T20:23:08.887Z", "expiresAt": "2022-02-17T20:53:08.887Z" }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/36ff33da-cba7-4d46-bedc-8b242889d461/verifyTransactions/dd5a6d4f-a999-4819-b107-85a0a10138c6" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "user": { "href": "https://api.pingone.com/v1/users/36ff33da-cba7-4d46-bedc-8b242889d461" } }, "id": "dd5a6d4f-a999-4819-b107-85a0a10138c6", "transactionStatus": { "status": "REQUESTED" }, "createdAt": "2021-12-09T13:45:34.882Z", "updatedAt": "2021-12-09T13:45:34.882Z", "expiresAt": "2022-12-09T14:15:34.882Z" }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/36ff33da-cba7-4d46-bedc-8b242889d461/verifyTransactions/bfc414cb-a1b4-46b8-b622-3d806a85002f" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "user": { "href": "https://api.pingone.com/v1/users/36ff33da-cba7-4d46-bedc-8b242889d461" } }, "id": "bfc414cb-a1b4-46b8-b622-3d806a85002f", "transactionStatus": { "status": "REQUESTED" }, "createdAt": "2021-12-08T21:34:52.424Z", "updatedAt": "2021-12-08T21:34:52.424Z", "expiresAt": "2022-12-08T22:04:52.424Z" }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/36ff33da-cba7-4d46-bedc-8b242889d461/verifyTransactions/b21db4c4-01c5-47b5-a2a9-3d8df21d189b" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "user": { "href": "https://api.pingone.com/v1/users/36ff33da-cba7-4d46-bedc-8b242889d461" } }, "id": "b21db4c4-01c5-47b5-a2a9-3d8df21d189b", "transactionStatus": { "status": "APPROVED_NO_REQUEST" }, "createdAt": "2021-12-07T21:33:22.088Z", "updatedAt": "2021-12-07T21:45:22.944Z", "expiresAt": "2022-12-07T22:15:22.944Z" }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/36ff33da-cba7-4d46-bedc-8b242889d461/verifyTransactions/e44ebfe2-6a76-4ffa-ac35-d71ee9365e57" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "user": { "href": "https://api.pingone.com/v1/users/36ff33da-cba7-4d46-bedc-8b242889d461" } }, "id": "e44ebfe2-6a76-4ffa-ac35-d71ee9365e57", "transactionStatus": { "status": "APPROVED_NO_REQUEST" }, "createdAt": "2021-12-07T19:55:16.630Z", "updatedAt": "2021-12-07T21:31:26.835Z", "expiresAt": "2022-12-07T22:01:26.835Z" }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/36ff33da-cba7-4d46-bedc-8b242889d461/verifyTransactions/fc695b11-93a4-48bb-9ec3-ff5738e3818c" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "user": { "href": "https://api.pingone.com/v1/users/36ff33da-cba7-4d46-bedc-8b242889d461" } }, "id": "fc695b11-93a4-48bb-9ec3-ff5738e3818c", "transactionStatus": { "status": "REQUESTED" }, "createdAt": "2021-12-07T18:36:48.156Z", "updatedAt": "2021-12-07T18:36:48.156Z", "expiresAt": "2021-12-07T19:06:48.153Z" } ] }, "size": 8 } Map getAllMetadata(String transactionId)-
Retrieve the metadata for a specified transaction.
Metadata includes information about the reasons behind a transaction decision, such as scores, probability, and the judgements made, rather than the actual data provided to the transaction by the user.
Returns a map containing the details of the transaction result from the verification services used, or
nullif the specified transaction is not available.View example return data
{ "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/03df72b1-b80b-4449-8eef-ee8f85f48d94/verifyTransactions/7668563d-0226-4ca5-8401-03f6dc5bcdc6/metaData" }, "user": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/03df72b1-b80b-4449-8eef-ee8f85f48d94" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "verifyTransaction": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/03df72b1-b80b-4449-8eef-ee8f85f48d94/verifyTransactions/7668563d-0226-4ca5-8401-03f6dc5bcdc6" } }, "_embedded": { "metaData": [ { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/03df72b1-b80b-4449-8eef-ee8f85f48d94/verifyTransactions/7668563d-0226-4ca5-8401-03f6dc5bcdc6/metaData/4ebb9165-4e5c-4270-94e4-d50d7b17ecb4" } }, "id": "4ebb9165-4e5c-4270-94e4-d50d7b17ecb4", "provider": "IDRND", "type": "LIVENESS", "status": "SUCCESS", "data": { "score": 6.4909873, "probability": 0.99848527, "quality": 0.94462675 }, "retry": { "attempt": 2 } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/03df72b1-b80b-4449-8eef-ee8f85f48d94/verifyTransactions/7668563d-0226-4ca5-8401-03f6dc5bcdc6/metaData/ae186d6c-1a79-4912-bad8-79afa3626cca" } }, "id": "ae186d6c-1a79-4912-bad8-79afa3626cca", "provider": "IDRND", "type": "INJECTION_DETECTION", "status": "SUCCESS", "data": { "probability": 1.0 } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/03df72b1-b80b-4449-8eef-ee8f85f48d94/verifyTransactions/7668563d-0226-4ca5-8401-03f6dc5bcdc6/metaData/546d3a8e-f606-4078-92f1-96a5c2d003e9" } }, "id": "546d3a8e-f606-4078-92f1-96a5c2d003e9", "provider": "AMAZON", "type": "FACIAL_COMPARISON", "status": "SUCCESS", "data": { "similarity": 99.37002, "confidence": 99.99767, "quality": { "brightness": 36.77353, "sharpness": 20.92731 } } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/03df72b1-b80b-4449-8eef-ee8f85f48d94/verifyTransactions/7668563d-0226-4ca5-8401-03f6dc5bcdc6/metaData/96315a69-fb46-4d28-9b0d-c79927e59df1" } }, "id": "96315a69-fb46-4d28-9b0d-c79927e59df1", "provider": "BIOGRAPHIC_MATCHER", "type": "BIOGRAPHIC_MATCH", "status": "SUCCESS", "data": { "biographic_match_results": [ { "identifier": "address", "match": "NOT_APPLICABLE" }, { "identifier": "given_name", "match": "NONE" }, { "identifier": "family_name", "match": "HIGH" }, { "identifier": "birth_date", "match": "HIGH" } ] } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/03df72b1-b80b-4449-8eef-ee8f85f48d94/verifyTransactions/7668563d-0226-4ca5-8401-03f6dc5bcdc6/metaData/fba13756-8c24-49ff-9b42-ff1a3661d0ae" } }, "id": "fba13756-8c24-49ff-9b42-ff1a3661d0ae", "provider": "MITEK", "type": "DOCUMENT_AUTHENTICATION", "status": "SUCCESS", "data": { "mitekVerifications": [ { "name": "Document Ensemble Authenticator", "judgement": "Authentic", "verificationType": 202, "probability": 753, "version": "3.47.0.7114", "documentId": "048f28f1-a7fe-42a5-9722-f10977606719" }, { "name": "Black And White Copy", "judgement": "Authentic", "verificationType": 102, "probability": 717, "version": "3.47.0.7114", "documentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856" }, { "name": "Image Classification", "judgement": "Authentic", "verificationType": 105, "probability": 1000, "version": "3.47.0.7114", "documentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856" }, { "name": "Data Comparison", "judgement": "Authentic", "verificationType": 700, "probability": 1000, "version": "3.47.0.7114", "documentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856" }, { "name": "Ensemble Authenticator", "judgement": "Authentic", "verificationType": 201, "probability": 753, "version": "3.47.0.7114", "documentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856" }, { "name": "ID Document Blacklist", "judgement": "Authentic", "verificationType": 101, "probability": 1000, "version": "3.47.0.7114", "documentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856" }, { "name": "Generic Font", "judgement": "Authentic", "verificationType": 104, "probability": 926, "version": "3.47.0.7114", "documentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856" }, { "name": "MRZ Check Digit", "judgement": "Authentic", "verificationType": 601, "probability": 1000, "version": "3.47.0.7114", "documentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856" }, { "name": "MRZ Font Type Authentication", "judgement": "Authentic", "verificationType": 600, "probability": 1000, "version": "3.47.0.7114", "documentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856" }, { "name": "Image Processing", "judgement": "Authentic", "verificationType": 710, "probability": 1000, "version": "1.0", "documentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856" }, { "name": "Document Liveness", "judgement": "Authentic", "verificationType": 108, "probability": 999, "version": "1.0", "documentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856" } ], "frontImageDocumentId": "e290d74d-bf9c-4116-9fe7-9b6fb909c856", "documentEvidenceId": "048f28f1-a7fe-42a5-9722-f10977606719", "retry": { "attempt": 1 } } } ] }, "previousAttempts": [ { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/03df72b1-b80b-4449-8eef-ee8f85f48d94/verifyTransactions/7668563d-0226-4ca5-8401-03f6dc5bcdc6/metaData/06aebfbd-0053-4860-8b59-4f3cb7371dcb" } }, "id": "06aebfbd-0053-4860-8b59-4f3cb7371dcb", "provider": "IDRND", "type": "LIVENESS", "status": "FAIL", "data": { "score": 2.4509223, "probability": 0.40062885, "quality": 0.40874674 }, "retry": { "attempt": 1 } } ], "size": 5 } Map getAllVerifiedData(String transactionId)-
For up to 30 minutes after a PingOne Verify decision you can retrieve information about all the data obtained by all the verification service providers during the specified transaction.
Returns a map containing information about the data returned from the verification service used, or
nullif the specified transaction is not available.This method only lists the ID and type of verified data available, as the actual data could be large binary files such as images.
Use the
getVerifiedData()method to get the actual verified data.View example return data
{ "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/" }, "user": { "href": "https://api.pingone.com/v1/users/a27dec16-1e80-4f10-a261-2cac46a12b78" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "transaction": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b" } }, "_embedded": { "verifiedData": [ { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/84170421-62c6-49a5-b343-496bee93c206" } }, "id": "84170421-62c6-49a5-b343-496bee93c206", "type": "GOVERNMENT_ID", "createdAt": "2022-02-23T15:51:01.603Z", "retry": { "attempt": 2 } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/ef6cd8cd-d869-4695-af69-29c78b6f041a" } }, "id": "ef6cd8cd-d869-4695-af69-29c78b6f041a", "type": "SELFIE", "createdAt": "2022-02-25T16:22:35.649Z", "retry": { "attempt": 2 } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/bf6cd8cd-d869-4695-af69-29c78b6f041a" } }, "id": "bf6cd8cd-d869-4695-af69-29c78b6f041a", "type": "BACK_IMAGE", "createdAt": "2022-02-25T16:22:35.649Z", "retry": { "attempt": 2 } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/af6cd8cd-d869-4695-af69-29c78b6f041a" } }, "id": "af6cd8cd-d869-4695-af69-29c78b6f041a", "type": "FRONT_IMAGE", "createdAt": "2022-02-25T16:22:35.649Z", "retry": { "attempt": 2 } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/:id" } }, "id": "yf6cd8cd-d869-4695-af69-29c78b6f041a", "type": "CROPPED_PORTRAIT", "createdAt": "2022-02-25T16:22:35.649Z" }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/:id" } }, "id": "vf6cd8cd-d869-4695-af69-29c78b6f041a", "type": "CROPPED_DOCUMENT", "createdAt": "2022-02-25T16:22:35.649Z" }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/:id" } }, "id": "if6cd8cd-d869-4695-af69-29c78b6f041a", "type": "CROPPED_SIGNATURE", "createdAt": "2022-02-25T16:22:35.649Z" } ], "previousAttempts": [ { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/320f341f-050b-4351-9585-5f16dba6667c" } }, "id": "320f341f-050b-4351-9585-5f16dba6667c", "type": "GOVERNMENT_ID", "createdAt": "2022-02-23T15:51:01.603Z", "retry": { "attempt": 1 } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/ce0bb6d8-82d5-4ad0-b348-e7fb97edc64f" } }, "id": "ce0bb6d8-82d5-4ad0-b348-e7fb97edc64f", "type": "SELFIE", "createdAt": "2022-02-25T16:22:35.649Z", "retry": { "attempt": 1 } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/639116d2-c1ff-44f3-bdba-af7e1e1d0bdd" } }, "id": "639116d2-c1ff-44f3-bdba-af7e1e1d0bdd", "type": "BACK_IMAGE", "createdAt": "2022-02-25T16:22:35.649Z", "retry": { "attempt": 1 } }, { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/92faff31-02c5-43af-b09a-c7eac93c59a4" } }, "id": "92faff31-02c5-43af-b09a-c7eac93c59a4", "type": "FRONT_IMAGE", "createdAt": "2022-02-25T16:22:35.649Z", "retry": { "attempt": 1 } } ] }, "size": 7 } Map getVerifiedDataByType(String transactionId, String type)-
For up to 30 minutes after a PingOne Verify decision you can retrieve information about a specified type of data obtained by all the verification service providers during the specified transaction.
Use the
typeparameter to specify which type of personally identifiable information (PII) to retrieve.Available options are:
-
GOVERNMENT_ID -
BARCODE -
FRONT_IMAGE -
BACK_IMAGE -
SELFIE -
CROPPED_SIGNATURE -
CROPPED_DOCUMENT -
CROPPED_PORTRAIT -
VOICE_SAMPLE -
VOICE_INPUT -
END_USER_CLIENT -
BIOGRAPHIC_MATCH
Returns a map containing information about the data returned from the verification service used, or
nullif the specified transaction is not available.This method only lists the ID and type of verified data available, as the actual data could be large binary files such as images.
Use the
getVerifiedData()method to get the actual verified data. -
Map getVerifiedData(String transactionId, String verifiedDataId)-
For up to 30 minutes after a PingOne Verify decision you can retrieve the actual data the verification service obtained during the specified transaction.
Returns a map containing verified data returned from a verification service used, or
nullif the specified transaction or verified data ID are not available.To obtain the
verifiedDataIdparameter, use thegetAllVerifiedData()orgetVerifiedDataByType()methods.View example return data
{ "_links":{ "self":{ "href":"https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b/verifiedData/34613a50-672c-428f-8db9-c67fe09fc4cc" }, "environment":{ "href":"https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "user":{ "href":"https://api.pingone.com/v1/users/a27dec16-1e80-4f10-a261-2cac46a12b78" }, "transaction":{ "href":"https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/a27dec16-1e80-4f10-a261-2cac46a12b78/verifyTransactions/0e2ed48f-6c3a-46c4-bcb5-3a6bd791348b" } }, "id":"84170421-62c6-49a5-b343-496bee93c206", "type":"GOVERNMENT_ID", "createdAt":"2022-02-23T15:51:01.603Z", "data":{ "addressCity":"this city", "addressState":"this state", "addressZip":"11111", "birthDate":"1970-01-01", "country":"USA", "expirationDate":"1970-01-01", "firstName":"given", "gender":"", "idNumber":"11111", "issueDate":"1970-01-01", "issuingCountry":"", "lastName":"surname", "nationality":"", "weight":"" }, "retry":{ "attempt":1 } } Map getUser()-
Retrieve the user’s profile information from PingOne.
Returns a map containing user profile data from PingOne, or
nullif profile data is not available.View example return data
{ "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "population": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/populations/706ff5fd-c2bc-4c2d-9037-bfa39112a651" }, "devices": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/devices" }, "roleAssignments": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/roleAssignments" }, "password": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/password" }, "password.reset": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/password" }, "password.set": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/password" }, "password.check": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/password" }, "password.recover": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/password" }, "linkedAccounts": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/linkedAccounts" }, "account.sendVerificationCode": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5" } }, "_embedded": { "population": { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/populations/706ff5fd-c2bc-4c2d-9037-bfa39112a651" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" } }, "id": "706ff5fd-c2bc-4c2d-9037-bfa39112a651" } }, "id": "2f9c3699-217e-4acb-9e80-9649311b3eb5", "environment": { "id": "abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "population": { "id": "706ff5fd-c2bc-4c2d-9037-bfa39112a651" }, "createdAt": "2020-03-11T18:50:09.074Z", "enabled": true, "lifecycle": { "status": "ACCOUNT_OK" }, "mfaEnabled": false, "updatedAt": "2020-03-11T18:50:09.074Z", "username": "jamesjoyce" } Map updateUser(Map body)-
Update the user’s profile information in PingOne.
Specify the new data to use in the
bodyparameter.Returns a map containing the updated user profile data from PingOne.
View example
bodyparameter{ "username": "joe@example.com", "name": { "formatted": "Joe Smith", "given": "Joe", "middle": "H.", "family": "Smith", "honorificPrefix": "Dr.", "honorificSuffix": "IV" }, "nickname": "Putty", "title": "Senior Director", "preferredLanguage": "en-gb;q=0.8, en;q=0.7", "locale": "en-gb", "email": "joe@example.com", "primaryPhone": "+1.2225554444", "mobilePhone": "+1.4445552222", "photo": { "href": "https://images.example.com?imgID=1255123412" }, "address": { "streetAddress": "123 Main Street", "locality": "Springfield", "region": "WA", "postalCode": "98701", "countryCode": "US" }, "accountId": "5", "type": "tele", "timezone": "America/Los_Angeles" } Void deleteUser()-
Delete the user’s profile information from PingOne.
Throws a
ScriptedVerifyTransactionsExceptionif unable to delete the user from PingOne.View example return data
{ "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "population": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/populations/706ff5fd-c2bc-4c2d-9037-bfa39112a651" }, "devices": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/devices" }, "roleAssignments": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/roleAssignments" }, "password": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/password" }, "password.reset": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/password" }, "password.set": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/password" }, "password.check": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/password" }, "password.recover": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/password" }, "linkedAccounts": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5/linkedAccounts" }, "account.sendVerificationCode": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/users/2f9c3699-217e-4acb-9e80-9649311b3eb5" } }, "_embedded": { "population": { "_links": { "self": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/populations/706ff5fd-c2bc-4c2d-9037-bfa39112a651" }, "environment": { "href": "https://api.pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" } }, "id": "706ff5fd-c2bc-4c2d-9037-bfa39112a651" } }, "id": "2f9c3699-217e-4acb-9e80-9649311b3eb5", "environment": { "id": "abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "population": { "id": "706ff5fd-c2bc-4c2d-9037-bfa39112a651" }, "createdAt": "2020-03-11T18:50:09.074Z", "enabled": true, "lifecycle": { "status": "ACCOUNT_OK" }, "mfaEnabled": false, "updatedAt": "2020-03-11T18:50:09.074Z", "username": "jamesjoyce" }