The OAuth2 May Act script type in PingAM 8.0.2 allows administrators to programmatically determine if a token exchange request (impersonation or delegation) should be allowed by adding a may_act claim to the token.
According to the "Scripting" and "Token Exchange Scripting API" documentation, when this script is executed, the AM engine provides a specific set of "Bindings" or variables. These allow the script to inspect the context of the request before deciding to modify the token. The documented variables for the OAuth2 May Act script are:
clientProperties: A map of the OAuth2 client's configuration properties.
identity: The identity object for the user/subject.
logger: The logging object for debugging within the script.
requestProperties: Properties of the incoming HTTP request.
scopes: The set of scopes requested or associated with the token.
scriptName: The name of the script being executed.
session: The user's SSO session (if available).
requestedToken: This is the most important variable; it represents the token being issued. Methods like .addMayAct() or .setMayAct() are called on this specific object.
Why other options are incorrect:
Option B correctly lists the bindings.
Options A and D are incorrect because they use the variable name token. While token is a common variable name in other OAuth2 script types (like the Access Token Modification script), the Token Exchange script specifically uses requestedToken to distinguish the new token from the subject_token or actor_token provided in the request.
Option C uses scopeList, which is not the standard variable name for the scopes in this specific script context; the documentation defines it as scopes.