Dynamic scope operation example
Dynamic Scope Script Example
Introduction
This dynamic scope script is designed for Gluu Server 4.5 to issue a claim dynamically, based on custom logic. As an example, this doc works with one dynamic scope named customGluuDynScope, which evaluates a custom rule, builds the value of a claim from it, and releases that claim into the token payload.
It distinguishes users as follows:
- Internal Users: If the user's email domain is gluu.org, they will receive a customGluuDynScope value of GLUU\user_name.
- External Users: For all other email domains, the value will be EXTERNAL\user_name.
This logic helps applications recognize internal vs external users at runtime via OpenID Connect tokens.
Script Source
```python
# Gluu Server 4.5 dynamic scope script. Custom scripts run under Jython 2.7,
# hence the Python 2 print statements.
from org.gluu.model.custom.script.type.scope import DynamicScopeType
from org.gluu.service.cdi.util import CdiUtil
from org.gluu.oxauth.service import UserService
from java.util import Arrays


class DynamicScope(DynamicScopeType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, customScript, configurationAttributes):
        print "customGluuDynScope. Initialization"
        return True

    def destroy(self, configurationAttributes):
        print "customGluuDynScope. Destroy"
        return True

    def getApiVersion(self):
        return 11

    # Claims this scope is allowed to release into the token.
    def getSupportedClaims(self, configurationAttributes):
        return Arrays.asList(
            "customGluuDynScope",
            "user_name",
            "email",
            "given_name",
            "family_name"
        )

    # Called by oxAuth before the ID token / userinfo response is signed.
    # The DynamicScopeType interface expects a boolean return value.
    def update(self, dynamicScopeContext, configurationAttributes):
        print "customGluuDynScope. Update method"
        user = dynamicScopeContext.getUser()
        if user is None:
            print "customGluuDynScope. No user found"
            return False

        userService = CdiUtil.bean(UserService)
        user_name = user.getUserId()

        # The realm prefix is derived from the domain of the user's "mail" attribute.
        email_attr = userService.getCustomAttribute(user, "mail")
        if email_attr is None:
            print "customGluuDynScope. No email found for user"
            return False
        email = email_attr.getValue()
        email_domain = email.split("@")[-1].lower()

        if email_domain == "gluu.org":
            gluu_value = "GLUU\\{}".format(user_name)
            print "customGluuDynScope. GLUU internal user: {}".format(gluu_value)
        else:
            gluu_value = "EXTERNAL\\{}".format(user_name)
            print "customGluuDynScope. External user: {}".format(gluu_value)

        claims = dynamicScopeContext.getJsonWebResponse().getClaims()
        claims.setClaim("customGluuDynScope", gluu_value)

        # LDAP attribute -> claim name for the standard claims this scope also releases.
        attr_map = {
            "uid": "user_name",
            "mail": "email",
            "givenName": "given_name",
            "sn": "family_name"
        }
        for ldap_attr, claim_name in attr_map.items():
            attr = userService.getCustomAttribute(user, ldap_attr)
            if attr is not None:
                claims.setClaim(claim_name, attr.getValue())

        # This writes every released claim, email included, to oxauth.log;
        # keep it for debugging only.
        print "customGluuDynScope. Final claims: {}".format(claims.toMap())
        return True
```
How to Configure in Gluu Server
Step 1: Upload the Script
- Login to oxTrust (Gluu Admin UI)
- Navigate to: Configuration > Other Custom Scripts > Dynamic Scopes > Add custom script configuration
- Click Add Script
- Set the script type to Dynamic Scope
- Paste the script from above
- Enable the script using the checkbox
- Click Save
Step 2: Create the Dynamic Scope
- Navigate to: OpenID Connect > Scopes
- Click Add Scope
- Use the following configuration:

| Field | Value |
|---|---|
| Display Name | customGluuDynScope |
| Scope Type | Dynamic |
| Include in ID Token | ✅ (enabled) |
| Dynamic Script | (select the uploaded script) |

- Click Add or Update to save the scope.
Step 3: Create a new client for Postman
- Client ID:
- Client Secret:
- Client Name: Postman Test Client
- Client Description: Postman test client
- Redirect Login URIs: https://oauth.pstmn.io/v1/callback
- Scopes: openid customGluuDynScope user_name profile email
- Response Type: code
- Pre-Authorization: true
- Persist Client Authorization: true
- Application Type: Web
- Subject Type: pairwise
- Authentication method for the Token Endpoint: client_secret_basic
- Grant Type: authorization_code
- Encryption/Signing settings: JWS alg Algorithm for signing the ID Token: RS256
- Hit Update
Step 4: Assign Scope to a Client
- Go to: OpenID Connect > Clients
- Select your desired client (e.g., Postman Test Client)
- In the Scopes section, add customGluuDynScope along with any other scopes.
- Save the client configuration.
Testing the Scope
Using Postman
- Use OAuth 2.0 Authorization Code flow in Postman
- Scroll down to “Configure New Token”
- Token Name: gluu-Token
- Grant Type: Authorization code
- Callback URL: https://oauth.pstmn.io/v1/callback
- Auth URL: https://<your-gluu-host>/oxauth/restv1/authorize
- Access Token URL: https://<your-gluu-host>/oxauth/restv1/token
- Client ID: Get clientID from “Postman Test Client”
- Client Secret: Get Client secret from “Postman Test Client”
- Scope: openid customGluuDynScope user_name profile email
- State: xyz123
- Hit “Get New Access Token”
- Retrieve the Access Token and use it in a GET request:

```http
GET https://<your-gluu-host>/oxauth/restv1/userinfo
Authorization: Bearer <access_token>
```
Expected Result
If the user's email is abc@gluu.org:

```json
"customGluuDynScope": "GLUU\\abc"
```

If the user's email is xyz@gmail.com:

```json
"customGluuDynScope": "EXTERNAL\\xyz"
```

In the JSON payload the backslash is escaped as `\\`; the decoded claim values are GLUU\abc and EXTERNAL\xyz.

Other included claims:

```json
"user_name": "abc",
"email": "abc@gluu.org",
"given_name": "ABC",
"family_name": "Gluu"
```
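As an added example (not part of the Gluu script or documentation above), the following Python 3 checker lets a relying party or a test suite confirm offline that the userinfo or ID-token JSON carries a customGluuDynScope value consistent with the script's domain rule. The sample payloads are constructed for this example, not captured from a server.

```python
import json
import re

# Mirrors the rule the customGluuDynScope script implements so the expected
# value can be recomputed from the email and user name in the same payload.
INTERNAL_DOMAIN = "gluu.org"
CLAIM_NAME = "customGluuDynScope"
# Format is REALM\user_name; in JSON text the backslash appears as \\.
CLAIM_RE = re.compile(r"^(GLUU|EXTERNAL)\\(.+)$")


def expected_claim(email, user_name):
    """Recompute the value the script releases for this mail/uid pair."""
    domain = email.split("@")[-1].lower()
    realm = "GLUU" if domain == INTERNAL_DOMAIN else "EXTERNAL"
    return "%s\\%s" % (realm, user_name)


def parse_claim(value):
    """Return (is_internal, user_name), or None when the format is wrong."""
    m = CLAIM_RE.match(value or "")
    return None if m is None else (m.group(1) == "GLUU", m.group(2))


def check_userinfo(payload_json):
    """Cross-check a userinfo/ID-token JSON document; return a list of problems."""
    claims = json.loads(payload_json)
    value = claims.get(CLAIM_NAME)
    if value is None:
        return ["%s claim missing" % CLAIM_NAME]
    parsed = parse_claim(value)
    if parsed is None:
        return ["%s has unexpected format: %r" % (CLAIM_NAME, value)]
    is_internal, user_name = parsed
    problems = []
    if "user_name" in claims and claims["user_name"] != user_name:
        problems.append("user_name %r != suffix of %r" % (claims["user_name"], value))
    if "email" in claims and expected_claim(claims["email"], user_name) != value:
        problems.append("%r inconsistent with email %r" % (value, claims["email"]))
    return problems


# Constructed sample payloads (not captured from a real Gluu server).
INTERNAL_OK = r'{"customGluuDynScope": "GLUU\\abc", "user_name": "abc", "email": "abc@gluu.org"}'
EXTERNAL_OK = r'{"customGluuDynScope": "EXTERNAL\\xyz", "user_name": "xyz", "email": "xyz@gmail.com"}'
MISMATCH = r'{"customGluuDynScope": "GLUU\\xyz", "user_name": "xyz", "email": "xyz@gmail.com"}'

if __name__ == "__main__":
    for name, doc in [("internal", INTERNAL_OK), ("external", EXTERNAL_OK), ("mismatch", MISMATCH)]:
        print(name, check_userinfo(doc) or "ok")
```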
Summary
The customGluuDynScope dynamic scope distinguishes users based on email domain and issues a custom claim accordingly. It integrates with Gluu's OIDC token issuance and provides identity-aware logic for downstream applications.