Scriptable Validator plugin

The Scriptable Validator plugin is used to validate user data during the user self-registration flow. It enables more complex validation logic than the default built-in validators (for example, string regex, email address, or phone number validators).

A possible use case for the Scriptable Validator is delegating user data validation to other internal systems. For example, newly entered user data can be compared with data stored elsewhere in your network. This requires REST-capable libraries such as lua-curl.

 
Risk

Incubating feature

The Scriptable Validator is an incubating feature. It is intended to gather experience with this type of customization capability and to improve the functionality in future versions of Airlock IAM. The provided plugin and the underlying architecture may change fundamentally and without further notice in future releases of IAM.

If the built-in validator plugins are sufficient for your use case, always use them instead of the Scriptable Validator. Integrated validators usually offer better performance and reduce the risk of implementation errors that can occur in custom scripts.

Input handling

Be aware that the Scriptable Validator does not sanitize user data before forwarding it to the Lua process or to the Lua logging environment. Therefore, always treat end user-provided data as untrusted and sanitize the data before using it.

You configure the Scriptable Validator plugin directly in the User Data Registration Step plugin.

Writing Lua scripts for the Scriptable Validator

The Scriptable Validator receives user input as key/value maps, evaluates them in a Lua script, and can return validation errors that are rendered directly in the UI.

The following sections of this article explain how to configure Lua scripts in the Scriptable Validator plugin. This includes:

  • How to specify/configure the key/value pairs used by the validator as input for the validation script. See Script input.
  • How to specify/configure the error messages triggered by the validator after executing your validation script on the input. Airlock IAM provides utility functions to write the error messages. See Script output.

For more information on Lua itself, see The Programming Language Lua.

The Scriptable Validator plugin is configured directly in the User Data Registration Step plugin. The following configuration properties/fields are available in the Scriptable Validator plugin:

Property

Mandatory

Description

Additional Inputs

optional

Defines a list of value map providers that provide additional input to the script beyond those provided by default.

See below for more details on the Scriptable Validator's input.

Script

mandatory

Defines the Lua script run by the Scriptable Validator when a user submits the self-registration form.

Each script must define the following function:

function iam_on_user_validation ()
    return <output_map>
end

The iam_on_user_validation () function is called by IAM when starting the execution of the validator script.

Input Secrets

optional

Defines a list of static secret values, passed in plaintext as environment variables to the validator.

Secrets must be handled with care, e.g., they must never be passed on to a logger.

The Scriptable Validator does not require an output declaration; the validation errors returned by the validator follow a predefined format. Also, the output values are consumed directly and not stored within the flow session. See the Script output section further below for more details on the validator's output.

The validator is executed in the following situations:

  • When the end-user initializes the User Data Registration Step by starting a self-registration flow.
  • When IAM sends a POST request to the info retrieval endpoint /public/user-self-registration/registration/info/retrieve.
  • When IAM sends a POST request to the data registration endpoint /public/user-self-registration/registration/data.
  • When IAM sends a POST request to the validation endpoint /public/user-self-registration/registration/validate.
  • When IAM sends a POST request to the continue endpoint /public/user-self-registration/registration/continue.

Validation occurs each time IAM sends a request to one of the endpoints listed above, to determine the next step in the flow. Refer to the IAM Plugin Docs for further details.

As a result, the validator script may run multiple times during a single self-registration flow. During step initialization, it is executed before any user input is provided, meaning the script input is empty—even if UI fields are marked as required.

Custom validation scripts must account for this behavior.

Script input

All key/value pairs relevant for the self-registration process are stored in the Lua table iam.input_map - the Scriptable Validator accesses this table to get the input for the script.

The iam.input_map table provides three types of input data:

  • iam.input_map.user_data: Includes basic user registration data, such as the username and the password. This input map is provided by default. For technical details, see further below.
  • iam.input_map.context_data: Includes user context data specified during self-registration, such as the end-user's first and last name, home town, date of birth, and so on. This input map is provided by default. For technical details, see further below.
  • iam.input_map.additional_data: Provides additional input beyond those provided by default during the end-user registration flow, such as mTAN label and number. You must define the corresponding value map providers in the Additional Inputs property of the Scriptable Validator plugin (see above). For technical details, see further below.

user_data input map - technical details

The following table lists the available keys and their possible values for the iam.input_map.user_data input data map. Note that some values are not entered in the self-registration UI but are automatically provided to the end-user by preceding flow steps.

If an end-user does not specify a value during registration, the corresponding key-value pair will not be present in the map. Therefore, always verify that an entry exists before operating on it.

Keys

Value

Value type

Corresponding plugin(s) in the Config Editor

username

The username entered by the user during the registration.

String

Username User Item

Alias User Item

password

The password entered by the user.

String

Password User Item

auth_method

The current authentication method of the user.

String

next_auth_method

The authentication method the user will migrate to.

String

auth_migration_date

The date until which the user has to migrate.

Date string, in the form yyyy-MM-dd

roles

A list of maps, each of which describes a role assigned to the user. Each entry can contain the following key-value pairs:

List

name:

Identifier of the role

String

lifetime:

Lifetime of the role (in seconds)

Integer

idle_timeout:

Idle timeout defined for the role (in seconds)

Integer

context_data input map - technical details

All user context data specified during your user self-registration flow, such as home town or date of birth, is provided as iam.input_map.context_data input data to your validation script.

User context data fields are defined with the User Context Data Item plugin. There are several types of user context data item plugins, for the different types of context data:

  • Boolean User Context Data Item
  • Date and Time User Context Data Item
  • Date User Context Data Item
  • Enumeration User Context Data Item
  • String User Context Data Item

The key of a specific user context data is the corresponding name of the context data field under which the data value is stored. For example, for the “Date of birth” context data item, the key may be birthday. This key is defined in the Context Data Name property of the corresponding User Context Data Item plugin.

As noted previously, keys may be absent if no value was provided.

additional_data input map - technical details

The iam.input_map.additional_data input data map provides additional script input that is not available by default during the end-user registration flow. To use it, you must explicitly configure additional value map providers in the Additional Inputs property of the Scriptable Validator.

Use case: mTAN user input data

mTAN user data is not provided by default. If you need to validate the end-user’s mTAN number (mobile phone number) or label, you must configure the corresponding mTAN value map provider in the Additional Inputs field.

First, select the Value Provider Map plugin in the Additional Inputs field. Then configure the plugin according to the mTAN data required by your script. The following table describes the available options.

Note: Value providers must be set to “non-mandatory”, as the values are initially empty.

mTAN data to use in script

Value provider

Key

mTAN number

mTAN Registration Number Provider

Provides the mTAN number stored during mTAN-number-registration for a specific end-user.

The mTAN number is registered using the mTAN Number Item Definition plugin. Ensure that the key used in your script matches the Key property configured in the mTAN Number Item Definition plugin.

mTAN label

mTAN Registration Label Provider

Provides the mTAN label stored during mTAN number registration for a specific end-user.

The mTAN label is registered using the mTAN Label Item Definition plugin. Ensure that the key used in your script matches the Key property configured in the mTAN Label Item Definition plugin.

Sample script input

The following code snippet provides a sample script input (displayed as JSON):

 
Example
{
    -- All user data that does not fall under context data, such as username and password.
    -- If the user data is not defined at the time the script is run, the key-value pair will not exist in the input map.

    "user_data":
    {
        "username": "bob",
        "password": "hunter123",
        "auth_method": "password",
        "next_auth_method": "mtan",
        "auth_migration_date": "2026-10-24",        
        "roles":
        [
        {
            "name": "customer",
            "lifetime": 86400,
            "idle_timeout": 360
        }, ...
        ]
    },
    
    -- All provided context data of the user. If context data has not been specified, the entry will not exist in the map.

    "context_data": 
    { 
        "town": "Zürich",
        "birthdate": "1980-12-20"
    },

    -- Any additional data provided by the configured value provider maps.

    "additional_data": { ... }
}

Script output

The Scriptable Validator validates user input provided during the user self-registration process. If a specific input element is not valid, the validator will trigger error messages on the user self-registration page.

There are two types of validation error messages:

  • Alerts: Error messages displayed on top of the self-registration UI page as an alert.
  • Field-specific errors: Error messages displayed under a specific input field in the self-registration UI.
 
Notice

Within the same Scriptable Validator, the two types of errors cannot be combined – only either an alert, or field errors may be displayed at the same time. Moreover, only at most one alert may be displayed at the same time.

To trigger the correct error messages, your script must include an errors map listing the possible validation errors. This map follows a predefined structure, as shown in the following code snippet:

 
Example
{
"errors":
[
    {
        "type": "<typeNameA>",
	"field": "<fieldNameA>",
        "parameters": { "param1A": "<param1A>", "param2B": "<param2B>", ... }
    },
    ...
]
}

Utility functions

You do not have to manually construct the errors map: Airlock IAM provides a number of utility functions that facilitate the creation of a validation errors list.

The utility functions are API and perform additional validation on the inputs. We highly recommend using them in place of constructing the errors output manually.

The following utility functions are available:

  • iam.validator:valid() – Represents a validation result without errors.
    • This is an empty table, returned to make clear that the script produced a valid result.
  • iam.validator:invalid(...) – Represents a validation result that contains errors. Takes as input a comma separated list of validation errors.
  • iam.validator:error(type, field, parameters) – Represents a field-specific validation error message.
    • type: Type of validation error. For more details, see the following table.
    • field: The identifier of the entry field under which the error should be displayed. For more details, see the following table.
    • parameters: An optional map of additional parameters. For more details, see the following table.
  • iam.validator:alert(type, parameters) – Represents a validation error message displayed as an alert.
    • type: Type of validation error. For more details, see the following table.
    • parameters: An optional map of additional parameters. For more details, see the following table.

Parameter

Description

Example values

Value type

Required?

type

The kind of error message to display. It corresponds to the <error-type> segment of the translation key error.validation-failed.<error-type> in the .properties translation file.

The .properties translation files contain all translation keys with default reference translations for all languages provided. The error messages shown on the self-registration pages are taken from these .properties translation files.

You can download the .properties files from here: Changing UI texts and translations with the Loginapp Design Kit.

Note: It is also possible to define custom validation error messages. For further details, see Custom errors .

  • wrong-format
  • min-length
  • max-length

String

Yes

field

The identifier of the entry field under which the error should be displayed. The identifier corresponds to the key defined in the relevant user data item plugin.

Note: For the Username User Item and Password User Item plugins, the field name is predefined as username and password, respectively.

  • birthday
  • town

String

Depends: For field-specific error messages that are displayed under a specific input field in the self-registration UI, the field value must be set.

However, for alert messages displayed on top of the UI page, the field value must be empty.

parameters

Some translation keys include an additional parameter in the translation text. For example, {{requiredLength}} in

error.validation-failed.min-length = At least {{requiredLength}} characters are required

The parameters map allows you to define key/value pairs that replace the parameter in the translation text.

{“requiredLength” = “8”}

Note: If the parameter name contains a hyphen, it must be written in square brackets: {[“max-date”] = “2008-01-01”}

String

No

The table below lists all available error type translation keys, their corresponding English translations, and any parameters that can be included in the texts, if applicable.

Translation key

Alternative notation

English translation

Parameter

required

REQUIRED

“A value is required”

-

invalid-value

INVALID_VALUE

“Invalid value”

-

checked-expected

CHECKED_EXPECTED

“The checkbox must be checked”

-

checked-expected

UNCHECKED_EXPECTED

“The checkbox must not be checked”

-

wrong-format

WRONG_FORMAT

“The format is not valid”

-

invalid-phone-number

INVALID_PHONE_NUMBER

“This is not a valid phone number”

-

invalid-email

INVALID_EMAIL

“This is not a valid email address”

-

min-length

MIN_LENGTH

“At least requiredLength characters are required”

requiredLength

max-length

MAX_LENGTH

“At most requiredLength characters are allowed”

requiredLength

before-min-date

BEFORE_MIN_DATE

“This date may be no earlier than min-date

min-date

before-max-date

BEFORE_MAX_DATE

“This date may be no later than max-date

max-date

not-unique

NOT_UNIQUE

“This value is already used”

-

not-identical

NOT_IDENTICAL

“The confirmation does not match”

-

conflict

CONFLICT

“This value is already used”

-

size

SIZE

“Invalid length”

-

Some example scripts with utility functions

Sample script 1 - validation without errors

 
Example
function iam_on_user_validation ()
        return iam.validator:valid()
end

Sample script 2 - validation with errors

 
Example
function iam_on_user_validation ()
        return iam.validator:invalid(
            iam.validator:error("max-length", "username", {"requiredLength" = "16"}),
            iam.validator:error("min-length", "password", {"requiredLength" = "8"}),
            iam.validator:error("after_max_date", "birthdate", {["max-date"] = "2008-01-01"}),           
            iam.validator:error("not-identical", "password_confirmation"))
end

where:

  • iam.validator:error(“max-length”, “username”, {requiredLength = “16”}) results in the field-specific error message At most 16 characters are allowed.
    This message appears under the Username field in the self-registration UI, when the end-user enters a username containing more than 16 characters.
  • iam.validator:error(“min-length”, “password”, {requiredLength = “8”}) results in the field-specific error message At least 8 characters are required.
    This message appears under the Password field in the self-registration UI, when the end-user enters a password containing less than 8 characters.
  • iam.validator:error(“after_max_date”, “birthdate”, {[“max-date”] = “2008-01-01”}) results in the field-specific error message This date may be no later than 2008-01-01.
    This message appears under the Date of birth field, when the end-user enters a birth date later than 2008-01-01. This validation may be relevant when an application restricts access based on a minimum age.
  •  
    Notice

    If the parameter name contains a hyphen, it must be written in square brackets: {[“max-date”] = “2008-01-01”}

  • iam.validator:error(“not-identical”, “password_confirmation”) results in the field-specific error message The confirmation does not match.
    This message appears under the Password Confirmation field, when the confirmation password entered by the end-user does not match the initially entered new password.

Custom errors

The Scriptable Validator also allows defining custom validation error messages, whose content differs from the predefined validation error messages in the .properties translation files.

Proceed as follows:

  1. Use custom-script-error as error type. For example:
  2.  
    Example
    iam.validator:error("custom-script-error", "birthdate", {custom-param = "some-value-123"})
  3. Specify a corresponding error.validation-failed.custom-script-error key with custom error text in the relevant .properties translations file. For example:
  4.  
    Example
    error.validation-failed.custom-script-error = Custom Error with Parameter Value "{{custom-param}}"
  5. This results in the error message "Custom Error with Parameter Value “some-value-123” displayed under the Date of birth field in the self-registration UI.