PingOne Advanced Identity Cloud

Customize OAuth 2.0 using JavaScript extensions

Advanced Identity Cloud lets you script extensions in JavaScript to customize OAuth 2.0 authorization server functionality, such as modifying access tokens or customizing how Advanced Identity Cloud processes scopes.

Supported extensions

You can create scripts for each of the supported extension points using the Advanced Identity Cloud admin console. The scripts have access to bindings to help you write your customization.

The following table describes the extensible features of an Advanced Identity Cloud OAuth 2.0 authorization server.

Feature:

  - Modify the OAuth 2.0 access token before the token is persisted or returned to the client.

  - Return additional data from an authorization request.

  - Evaluate and return an OAuth 2.0 access token’s scope information.

  - Customize the requested scopes for authorization, access token, refresh token, and backchannel authorization requests.

  - Fetch the resource owner’s information based on an issued access token.
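The first extension point above (modifying the access token before it is persisted or returned) is the one most likely to leak data if written carelessly, so here is an added example of the decision logic such a script might contain. It is not code from this page or from the PingOne product: the binding names it relies on (accessToken.setField, accessToken.removeField, identity.getAttribute and the scopes collection) are an assumption taken from the extension binding documentation, which this page does not reproduce, and the stub objects at the end are constructed stand-ins so the logic can run offline. The script releases a profile attribute into the token only when the matching scope was granted, and strips a fixed list of fields that must never leave the server.

```javascript
// Added example, not code from the PingOne Advanced Identity Cloud page.
// ASSUMPTION: accessToken.setField/removeField, identity.getAttribute and the
// scopes collection follow the extension binding documentation (not on this page).

// Profile attribute -> scope that must have been granted before the attribute
// is copied into the token. Attributes not listed here are never released.
const RELEASABLE_ATTRIBUTES = {
  mail: "email",
  displayName: "profile",
};

// Fields that must never leave the server in an access token, whatever an
// earlier plugin or a default put there.
const FORBIDDEN_FIELDS = ["userPassword", "password", "ssn"];

// The script engine may hand the script a Java collection rather than a JS Set,
// so test membership with whichever method the object actually provides.
function hasMember(collection, value) {
  if (!collection) return false;
  if (typeof collection.has === "function") return collection.has(value);
  if (typeof collection.contains === "function") return collection.contains(value);
  return false;
}

// First value of an attribute collection, or undefined when it is empty,
// again tolerating both Java-style (iterator()) and JS-iterable shapes.
function firstValue(collection) {
  if (!collection) return undefined;
  if (typeof collection.iterator === "function") {
    const it = collection.iterator();
    return it.hasNext() ? it.next() : undefined;
  }
  for (const v of collection) return v;
  return undefined;
}

// The script body: copy allow-listed attributes gated by scope, then strip
// forbidden fields. Returns the token so callers can inspect it.
function modifyAccessToken(accessToken, identity, scopes) {
  for (const [attribute, requiredScope] of Object.entries(RELEASABLE_ATTRIBUTES)) {
    if (!hasMember(scopes, requiredScope)) continue; // scope not granted: skip
    const value = firstValue(identity.getAttribute(attribute));
    if (value !== undefined) accessToken.setField(attribute, value);
  }
  for (const field of FORBIDDEN_FIELDS) accessToken.removeField(field);
  return accessToken;
}

// Constructed stand-ins for the bindings so the logic runs outside the
// authorization server; they are not the real binding implementations.
function stubAccessToken(initialFields) {
  const fields = { ...initialFields };
  return {
    fields,
    setField(key, value) { fields[key] = value; },
    removeField(key) { delete fields[key]; },
  };
}

function stubIdentity(attributes) {
  return { getAttribute: (name) => new Set(attributes[name] || []) };
}

// Worked run on constructed data: only "email" was granted, and the starting
// token carries a field that must be stripped. Returns the resulting fields.
function runSample() {
  const token = stubAccessToken({ sub: "alice", userPassword: "constructed-secret" });
  const user = stubIdentity({ mail: ["alice@example.com"], displayName: ["Alice"] });
  modifyAccessToken(token, user, new Set(["email"]));
  return token.fields;
}

console.log(runSample()); // { sub: 'alice', mail: 'alice@example.com' }
```

In the deployed script the bindings are globals rather than parameters, so the stub section and the console.log are dropped and the script ends with a call such as modifyAccessToken(accessToken, identity, scopes). The two collection helpers exist because the same script may see a Java collection for scopes and attribute values; checking for the method before calling it avoids a script error that would fail the token request.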

Configure the OAuth 2.0 provider to use extensions

After creating a script, configure the OAuth 2.0 provider service to use it:

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Plugins.

  2. For your extension, set the extension type to SCRIPTED and select your script from the appropriate list:

    Extension                          Extension type setting                     Script list setting
    Access token modification          Access Token Modification Plugin Type      Access Token Modification Script
    Authorize endpoint data provider   Authorize Endpoint Data Provider Plugin Type   Authorize Endpoint Data Provider Script
    Scope evaluator                    Scope Evaluation Plugin Type               Scope Evaluation Provider Script
    Scope validator                    Scope Validation Plugin Type               Scope Validation Provider Script
    User info claims                   OIDC Claims Plugin Type                    OIDC Claims Script

Learn more about the provider settings in OAuth2 provider plugins.

Override OAuth 2.0 provider extension settings

You can also configure extensions in client profiles that override the settings in the OAuth 2.0 provider.

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID > OAuth2 Provider Overrides.

  2. Select Enable OAuth2 Provider Overrides.

  3. Configure the client overrides in the same way as the provider. Set the extension type to SCRIPTED and select your script from the appropriate list.