Configuring access token fulfillment
On the Contract Fulfillment tab, map values into the token attribute contract to be included or referenced in the access token.
Steps
- Choose a source from the Source list, and then select a value from the Value list for each attribute in the contract, or enter your own.
  Map each attribute from one of the following sources:
  - Client Credentials, IdP Adapter, IdP Connection, Password Credential Validator, or Token Exchange Processor Policy
    Depending on the selections under Context in the Access Token Attribute Mapping tab, you can map attributes from that specific authentication system. Select the corresponding context under Source and the desired attribute under Value.
  - Persistent Grant
    When selected, the associated Value list is populated with the USER_KEY and extended attributes from the persistent access-token grant.
  - Context
    Values are returned from the context of the transaction at runtime.
    The HTTP Request context value is retrieved as a Java object rather than text. For this reason, OGNL expressions are preferred to evaluate and return values.
    Select Expression under Source, and then click Edit to enter an expression.
    The HTTP Request Java object retrieves the authentication method that a client uses, or the private key JWT for client authentication if the client uses the private_key_jwt authentication method.
    For sample expressions, see Expressions for OAuth and OpenID Connect uses cases.
    If the Expression selection is not available, you can enable it by editing the org.sourceid.common.ExpressionManager.xml file in the <pf_install>/pingfederate/server/default/data/config-store directory.
  - Extended Client Metadata
    Values are returned from the client record.
  - LDAP/JDBC/Other
    Values are returned from your datastore, if used. When you make this selection, the Value list populates with attributes from the datastore.
  - Expression
    When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.
  - No Mapping
    This option ignores the Value field, causing no value selection to be necessary.
  - Text
    The value is what you enter. This can be text only, or you can mix text with references to the USER_KEY using the ${USER_KEY} syntax.
    When applicable, you can also enter values from your datastore using the ${ds.attribute} syntax, where attribute is any of the datastore attributes you have selected.
    You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.
- Click Next.
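
The Text placeholder forms described in step 1 can be checked before a mapping is saved. The following Python is an added example, not PingFederate code: it lints and resolves Text values using only the ${USER_KEY}, ${ds.attribute} and ${attributeName:-defaultValue} forms described above. The function names, the sample attribute set, and the choice to leave unresolved placeholders in place and report them are assumptions of this example.

```python
import re

# Placeholder forms described on this page: ${USER_KEY}, ${ds.attribute},
# ${attributeName:-defaultValue}. The default is matched as "anything but }".
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::-([^}]*))?\}")


def check_text_mapping(template, known_attributes):
    """Return a list of problems found in one Text mapping value."""
    problems = []
    for match in PLACEHOLDER.finditer(template):
        name, default = match.group(1), match.group(2)
        if name not in known_attributes:
            problems.append(f"unknown attribute: {name}")
        if default is not None and "${" in default:
            problems.append(f"default for {name} contains a placeholder")
    # Conservative rule of this example: any "${" or "}" left over after
    # removing well-formed placeholders is reported (e.g. "}" in a default).
    leftover = PLACEHOLDER.sub("", template)
    if "${" in leftover or "}" in leftover:
        problems.append("stray '${' or '}' outside a placeholder")
    return problems


def resolve_text_mapping(template, values):
    """Substitute values; return (text, names left unresolved)."""
    missing = []

    def substitute(match):
        name, default = match.group(1), match.group(2)
        if values.get(name) is not None:
            return values[name]
        if default is not None:
            return default  # the documented fallback when the value is absent
        missing.append(name)  # example's choice: leave it visible, report it
        return match.group(0)

    return PLACEHOLDER.sub(substitute, template), missing


# Constructed sample data, not taken from a real deployment.
KNOWN = {"USER_KEY", "ds.mail", "ds.department"}
if __name__ == "__main__":
    for value in ("user:${USER_KEY}", "${ds.department:-unassigned}",
                  "${ds.department:-${USER_KEY}}", "${ds.phone}"):
        print(value, "->", check_text_mapping(value, KNOWN))
    print(resolve_text_mapping("${ds.department:-unassigned}/${USER_KEY}",
                               {"USER_KEY": "jdoe"}))
```

A non-empty list from check_text_mapping marks a value to fix before it reaches the token contract; a non-empty second element from resolve_text_mapping names attributes that would have no value and no default at runtime.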