PingOne Advanced Identity Cloud

User info claims scripting API

The following bindings are available to OIDC claims scripts:

This script is a legacy script and therefore has access to all the legacy common bindings in addition to those described here.

Binding Information

claims

An object (map) of the default OIDC claims Advanced Identity Cloud provides.

The keys are the claim strings. The values are the claim value objects.

claimLocales

An array of string values from the claims_locales parameter.

Find more information in Claims Languages and Scripts in the OpenID Connect Core 1.0 specification.

claimObjects

The default OIDC claims Advanced Identity Cloud provides.

An array of claim objects.

clientProperties

A read-only object (map) of the following client properties. This is present if Advanced Identity Cloud identified the client specified in the request.

allowedGrantTypes

List of the grant types allowed for the client. Find more information in the Javadoc for GrantType.

allowedResponseTypes

The list of the allowed response types for the client.

allowedScopes

The list of the allowed scopes for the client.

clientId

The client’s URI for the request locale.

customProperties

A map of any custom properties added to the client.

These properties can include lists or maps as sub-maps. For example, the script includes customMap[Key1]=Value1 as customMap > Key1 > Value1 in the object.

To add custom properties to a client, go to Native Consoles > Access Management > OAuth 2.0 > Clients > Client ID > Advanced and update the Custom Properties field.

Scripts access the custom properties in the following way:

var customProperties = clientProperties.get("customProperties");
var property = customProperties.get("myProperty");

identity

An identity Advanced Identity Cloud can access.

Find more information in AMIdentity.

requestedClaims

An object (map) of requested claims. This is empty unless the request includes the claims query string parameter and Advanced Identity Cloud is configured to support its use.

Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect. Enable the Enable "claims_parameter_supported" setting and save your change.

Find more information about the claims query string parameter in Requesting Claims using the "claims" Request Parameter in the OpenID Connect Core 1.0 specification.

requestedTypedClaims

An array of the requested claims objects. This is empty unless the request includes claims.

A claim with a single value means the script should return only that value.

requestProperties

A read-only object (map) of the following request properties.

requestUri

The URI as a string.

realm

The realm as a string.

requestParams

A map of request parameters and posted data, where each value is an array of parameters.

To mitigate the risk of reflection-type attacks, use OWASP best practices when handling these parameters. Refer to Unsafe use of Reflection.

requestHeaders

The value of the named request header. Returns a map of <String, List<String>> as a native JavaScript object, for example:

// First value of the X-Forwarded-For header (each header maps to a list of values)
var ipAddress = requestProperties.requestHeaders["X-Forwarded-For"][0];

Header names are case-sensitive.

scopes

The set of scope strings in the client request.

session

The user’s session object.

Find more information in SSOToken.
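
The requestProperties and clientProperties bindings described above can be read defensively, as in this added example, which is not part of the product documentation. The helper names (lookup, headerValues, allowlistedParam) and the sample bindings are hypothetical, and the code assumes requestParams can be read either as a map with get() or as a native object.

```javascript
// Added example. The binding objects at the bottom are constructed
// stand-ins; in a real claims script the platform supplies them.

// Read a key from a Java-style map (.get) or a native JavaScript object,
// ignoring inherited properties such as "constructor".
function lookup(map, key) {
  if (map === null || map === undefined) { return undefined; }
  if (typeof map.get === "function") { return map.get(key); }
  return Object.prototype.hasOwnProperty.call(map, key) ? map[key] : undefined;
}

// Header names are case-sensitive keys, so compare ignoring case and
// return all values, or an empty array when the header is absent.
function headerValues(requestProperties, name) {
  var headers = lookup(requestProperties, "requestHeaders") || {};
  var found = [];
  Object.keys(headers).forEach(function (key) {
    if (key.toLowerCase() === name.toLowerCase()) {
      found = found.concat(Array.prototype.slice.call(headers[key]));
    }
  });
  return found;
}

// Each requestParams value is an array. Accept a parameter only when it
// occurs exactly once and is on the allowlist; otherwise use the fallback.
function allowlistedParam(requestProperties, name, allowed, fallback) {
  var values = lookup(lookup(requestProperties, "requestParams"), name);
  if (!values || values.length !== 1) { return fallback; }
  var value = String(values[0]);
  return allowed.indexOf(value) !== -1 ? value : fallback;
}

// Constructed sample bindings (not real traffic or real client config).
var sampleRequest = {
  requestHeaders: { "x-forwarded-for": ["203.0.113.7", "10.0.0.2"] },
  requestParams: { display: ["popup"], ui_hint: ["a", "b"], fmt: ["eval"] }
};
var sampleClient = new Map([["customProperties", new Map([["tier", "gold"]])]]);

var DISPLAYS = ["page", "popup"];
var display = allowlistedParam(sampleRequest, "display", DISPLAYS, "page");
var tier = lookup(lookup(sampleClient, "customProperties"), "tier");
```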