# Script Examples

## Overview

JustIAM supports Go scripts (executed via Yaegi) in four contexts:
| Context | Package | Entry point | Docs |
|---|---|---|---|
| Post-render scripts | `package claim` | `Evaluate() (map[string]interface{}, error)` | Post-render Scripts |
| MFA selector scripts | `package claim` | `Evaluate() (string, error)` | MFA Selector Script |
| Scheduled tasks | `package main` | `main()` | Scheduled Tasks |
| Event action tasks | `package main` | `main()` (triggered by events) | Integrations |
All example scripts are available in the `yaegi/scripts/` directory.
## Post-render scripts

Post-render scripts modify OIDC claims or SAML attributes during login, and can also deny access.

| Script | Description |
|---|---|
| `inject_user_attributes.go` | Copy custom user attributes into ID token claims |
| `group_based_roles.go` | Map group memberships to a `roles` array claim |
| `deny_outside_business_hours.go` | Restrict app access to weekday business hours |
| `enrich_from_external_api.go` | Fetch user metadata from an external API and inject it as claims |
| `ip_allowlist.go` | Deny access from IPs outside an approved CIDR list |
## MFA selector scripts

Dynamically set MFA requirements per user per application.

| Script | Description |
|---|---|
| `require_passkey_for_admins.go` | Require a passkey for admin users, optional for everyone else |
| `network_based_mfa.go` | Require strong MFA from untrusted networks |
| `progressive_mfa_by_role.go` | Layer MFA requirements by group with custom re-auth intervals |
| `attribute_based_mfa.go` | Set MFA policy from user attributes (`security_level`, `employment_type`) |
## Scheduled task scripts

Run on a cron schedule for maintenance, sync, and reporting.

| Script | Description |
|---|---|
| `github_team_sync.go` | Full GitHub team/member sync via GitHub App JWT auth |
| `deactivate_inactive_users.go` | Deactivate users who haven't logged in within N days |
| `export_user_report.go` | Export an active user report to a webhook (compliance/SIEM) |
| `rotate_app_secrets.go` | Auto-rotate OIDC client secrets and notify a vault |
| `ldap_user_sync.go` | Sync users from LDAP/AD into JustIAM |
## Event action scripts (trigger tasks)

Triggered by JustIAM events (`user.created`, `login.failed`, etc.) via the Integrations event action system.

| Script | Description |
|---|---|
| `access_request_event_logger.go` | Log all access request lifecycle events |
| `proxy_session_ended.go` | Handle proxy session end events (optional user deactivation) |
| `user_created_directory_sync.go` | Sync new users to an external directory API |
| `login_failed_slack_alert.go` | Send Slack alerts on login failures |
| `user_created_auto_group.go` | Auto-assign groups by email domain on user creation |
## Writing your own scripts

### Post-render / MFA selector scripts

```go
package claim

// Evaluate is called by JustIAM after the token or assertion has been rendered.
// Returning a non-nil error denies the login instead of injecting claims.
func Evaluate() (map[string]interface{}, error) {
	// Available packages: user, claims, request, secrets, idp, fmt, strings, ...
	return map[string]interface{}{
		"custom_claim": "value",
	}, nil
}
```
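To show what the logic of the listed `ip_allowlist.go` and `group_based_roles.go` examples looks like when written against the `Evaluate()` contract above, here is an added, self-contained example (not one of the repository's own scripts). The policy values are constructed samples, and `evaluateClaims` takes the user's groups and client IP as plain arguments because the API of the injected `user` and `request` packages is assumed rather than documented here.

```go
package main

import (
	"fmt"
	"net"
)

// Constructed sample policy: group -> role mapping and approved CIDR ranges.
// A real script would read these from config rather than hard-code them.
var groupRoles = map[string]string{
	"platform-admins": "admin",
	"developers":      "developer",
	"support":         "viewer",
}
var allowedCIDRs = []string{"10.0.0.0/8", "192.168.1.0/24"}

// ipAllowed reports whether ip falls inside one of the approved CIDR ranges.
// An unparsable address is denied rather than silently allowed.
func ipAllowed(ip string, cidrs []string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false
	}
	for _, c := range cidrs {
		if _, network, err := net.ParseCIDR(c); err == nil && network.Contains(addr) {
			return true
		}
	}
	return false
}

// evaluateClaims is the pure core of a post-render script: it returns the claims to
// inject, or a non-nil error to deny the login. A real Evaluate() would obtain groups
// and ip from the injected user and request packages (their API is assumed, not shown).
func evaluateClaims(groups []string, ip string) (map[string]interface{}, error) {
	if !ipAllowed(ip, allowedCIDRs) {
		return nil, fmt.Errorf("access denied: %s is outside the approved network", ip)
	}
	roles := []string{}
	for _, g := range groups {
		if r, ok := groupRoles[g]; ok {
			roles = append(roles, r)
		}
	}
	return map[string]interface{}{"roles": roles}, nil
}
```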
### Scheduled / event action task scripts

```go
package main

func main() {
	// Available packages: config, secrets, idp, fetch, fmt, strings, ...
	// config.Get reads a task configuration value; secrets.Get reads a stored secret.
	value := config.Get("my_key")
	secret := secrets.Get("api_token")
	// Use the secret in the task's outbound calls (e.g. via fetch); never log it.
	_ = secret
	fmt.Println("Task executed with my_key =", value)
}
```
See the individual feature docs for the complete list of injected packages and allowed stdlib imports.