Tuesday 14 July 2015

OGNL script in PingFederate for allowing different OAuth scopes depending on group membership



When configuring OAuth 2.0 in PingFederate you can use issuance criteria to require that a user is a member of an LDAP group before an OAuth 2.0 token is issued. In some cases, though, you have a mobile application with several scopes, and you do not want every member of one group to get every scope. Here is a small OGNL sample that grants different scopes depending on group membership in LDAP.

Two things to keep in mind when adapting it. First, Java's String.matches() only succeeds if the regex matches the whole string, so each pattern needs .* at both ends to behave as a "contains" test (a pattern like .*scope1* only matches when the rendered scope list ends in "scope" followed by optional "1" characters, which is not what you want). Second, the ternary chain decides on the first scope pattern that matches: a request for both scope1 and scope2 is only checked against scope1group. Substring matching also means .*scope1.* matches a scope named scope10, so keep scope names from being prefixes of each other or tighten the patterns.


#this.get("context.OAuthScopes").toString().matches("(?i).*scope1.*")
    ? (#this.get("ds.LDAPSTORE.memberOf").toString().matches("(?i).*CN=scope1group,OU=groups,O=ldap.*")
        ? @java.lang.Boolean@TRUE : @java.lang.Boolean@FALSE)
    : #this.get("context.OAuthScopes").toString().matches("(?i).*scope2.*")
        ? (#this.get("ds.LDAPSTORE.memberOf").toString().matches("(?i).*CN=scope2group,OU=groups,O=ldap.*")
            ? @java.lang.Boolean@TRUE : @java.lang.Boolean@FALSE)
        : @java.lang.Boolean@FALSE

The expression is laid out over several lines for readability; OGNL treats the line breaks as whitespace, so it can also be pasted as a single line. The scope patterns end in .* so that the whole-string match performed by matches() works as a "contains" check.
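To see why the trailing .* matters and where the first-match-wins chain falls short, here is an added Python simulation of the expression (example code, not from the post and not PingFederate's own API). re.fullmatch stands in for Java's String.matches(). It assumes context.OAuthScopes renders like a Java collection ("[scope1, scope2]") and ds.LDAPSTORE.memberOf like a list of DNs after toString(); the group DNs are the ones used in the post, and the sample inputs are constructed. It also goes one step beyond the post with a deny-by-default check that compares every requested scope against a scope-to-group table.

```python
import re

# Constructed scope-to-group table (assumption, mirrors the DNs in the post).
SCOPE_GROUPS = {
    "scope1": "CN=scope1group,OU=groups,O=ldap",
    "scope2": "CN=scope2group,OU=groups,O=ldap",
}


def java_matches(pattern, text):
    """Stand-in for Java's String.matches(): the regex must consume the whole
    string, so a pattern without a trailing '.*' only succeeds if the string
    ends where the pattern ends."""
    return re.fullmatch(pattern, text) is not None


def scope_group_chain(scopes_str, member_of_str, scope1_pat, scope2_pat):
    """The post's ternary chain with the two scope regexes as parameters:
    scope1 requested ? in scope1group : (scope2 requested ? in scope2group : false).
    It decides on the FIRST scope regex that matches and never looks at the
    remaining requested scopes."""
    if java_matches(scope1_pat, scopes_str):
        return java_matches(r"(?i).*CN=scope1group,OU=groups,O=ldap.*", member_of_str)
    if java_matches(scope2_pat, scopes_str):
        return java_matches(r"(?i).*CN=scope2group,OU=groups,O=ldap.*", member_of_str)
    return False


def missing_trailing_wildcard(scopes_str, member_of_str):
    """Pitfall: '.*scope1*' means 'scope' followed by zero or more '1'
    characters at the END of the string, so it only fires when the rendered
    scope list ends in scope, scope1, scope11, ..."""
    return scope_group_chain(scopes_str, member_of_str,
                             r"(?i).*scope1*", r"(?i).*scope2*")


def contains_expression(scopes_str, member_of_str):
    """Regexes with '.*' on both ends: a real 'contains' test on the string."""
    return scope_group_chain(scopes_str, member_of_str,
                             r"(?i).*scope1.*", r"(?i).*scope2.*")


def strict_policy(requested_scopes, member_of):
    """Deny-by-default variant: every requested scope must be in the table and
    the user must be in that scope's group. Unknown scopes deny, and the DN is
    compared whole (case-insensitively), so 'scope10' or a group whose DN merely
    contains the expected one cannot ride along on a substring match."""
    groups = {dn.lower() for dn in member_of}
    for scope in requested_scopes:
        required = SCOPE_GROUPS.get(scope)
        if required is None or required.lower() not in groups:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: user is only in scope1group, client asks for both scopes.
    member_of = ["CN=scope1group,OU=groups,O=ldap"]
    rendered = "[scope1, scope2]"
    print("no trailing .* :", missing_trailing_wildcard(rendered, str(member_of)))
    print("contains check  :", contains_expression(rendered, str(member_of)))
    print("strict policy   :", strict_policy(["scope1", "scope2"], member_of))
```

Run as a script it prints False, True, False for the same user and request: the pattern without the trailing .* never matches the rendered list, the corrected pattern grants the token even though the user is not in scope2group, and the strict check denies it. If you keep the ternary form in PingFederate, the strict check shows the semantics to aim for: one clause per requested scope, all of which must hold.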

Hopefully this is useful for someone out there!
