Which of the following code examples inserts a may_act claim to the resulting token in a PingAM implementation?
In PingAM 8.0.2, the OAuth 2.0 Token Exchange (RFC 8693) implementation allows for complex identity delegation scenarios. The may_act claim is a specific claim used to indicate that one entity is authorized to act on behalf of another. When customizing the behavior of token exchange via the OAuth2 Token Exchange Script, developers interact with specific scriptable objects provided by the PingAM engine.
According to the 'Scripting API' for OAuth2 and the 'Token Exchange' developer guide, the requestedToken object is the primary interface used to modify the structure of the token being issued during the exchange. To insert the may_act claim, the API provides the addMayAct() method.
The may_act claim is a JSON object whose sub (subject) member identifies the entity that is allowed to act on behalf of the token's subject. In the scripting environment:
The requestedToken variable represents the token currently being minted.
The .addMayAct() method is the defined function signature to append this delegation metadata.
Why other options are incorrect:
Options A and D: The object name token is not the standard binding used for the target token in the Token Exchange script context; requestedToken is the correct binding.
Option C: The method name setMayAct is incorrect. The PingAM API uses the add prefix for these types of claims (similar to addActor), reflecting the underlying structure where these claims are added to the claim set of the JWT.
Using the correct syntax, requestedToken.addMayAct(mayAct), ensures that the resulting Access Token or ID Token carries the correctly formatted delegation information that resource servers need in order to verify that the 'Actor' is permitted to represent the 'Subject'.
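As an added illustration (not PingAM's own code or script bindings), the following JavaScript models the may_act claim shape described above and the check a consumer of the token performs before honouring a delegation; MintedToken is a constructed stand-in for the requestedToken binding, and all identities and URLs are made-up sample values.

```javascript
// Added example, not PingAM code: models the may_act delegation claim of
// RFC 8693 and the authorization check that relies on it.
// MintedToken is a constructed stand-in for the script's requestedToken
// binding, exposing an addMayAct() method of the same shape.
class MintedToken {
  constructor(claims) {
    this.claims = Object.assign({}, claims);
  }
  // Append the may_act claim: a JSON object whose members (at least "sub")
  // identify the party allowed to act on behalf of this token's subject.
  addMayAct(mayAct) {
    if (!mayAct || typeof mayAct.sub !== 'string' || mayAct.sub === '') {
      throw new Error('may_act must be an object with a non-empty "sub"');
    }
    this.claims.may_act = Object.assign({}, mayAct);
    return this;
  }
}

// Delegation check: is the party described by actorClaims authorized by the
// subject token's may_act claim? Every member of may_act must match the
// corresponding claim of the actor exactly; a token without may_act
// authorizes nobody.
function actorMayAct(subjectClaims, actorClaims) {
  const mayAct = subjectClaims.may_act;
  if (!mayAct || typeof mayAct !== 'object') return false;
  return Object.keys(mayAct).every(
    (key) => typeof mayAct[key] === 'string' && actorClaims[key] === mayAct[key]
  );
}

// Constructed sample: a subject token that permits "admin@example.com" to act
// on behalf of "user@example.com".
function buildSample() {
  const mayAct = { sub: 'admin@example.com' };
  return new MintedToken({
    iss: 'https://am.example.com/oauth2', // assumed issuer URL
    sub: 'user@example.com',
  }).addMayAct(mayAct).claims;
}
```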