---
title: Configuring access token fulfillment
description: On the Contract Fulfillment tab, map values into the token attribute contract to be included or referenced in the access token.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_oauthuserkey2accesstokenmappingtasklet_oauthsource2targetmappingstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_oauthuserkey2accesstokenmappingtasklet_oauthsource2targetmappingstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  steps: Steps
---

# Configuring access token fulfillment

On the **Contract Fulfillment** tab, map values into the token attribute contract to be included or referenced in the access token.

## Steps

1. Choose a source from the **Source** list, and then select a value from the **Value** list for each attribute in the contract, or enter your own.

   Map each attribute from one of the following sources:

   * **Client Credentials**, **IdP Adapter**, **IdP Connection**, **Password Credential Validator**, or **Token Exchange Processor Policy**

     Depending on the selections under **Context** in the **Access Token Attribute Mapping** tab, you can map attributes from that specific authentication system. Select the corresponding context under **Source** and the desired attribute under **Value**.

   * **Persistent Grant**

     When selected, the associated **Value** list is populated with the `USER_KEY` and extended attributes from the persistent access-token grant.

   * **Context**

     Values are returned from the context of the transaction at runtime.

     When client authentication is part of the transaction context, **Client Authentication Type** is available as a context value. You can map this value into the access token contract when you want downstream services to distinguish how the client authenticated.

     For example, you can map **Client Authentication Type** into an `authn_type` contract attribute for use by resource servers or downstream policy engines.

     The **HTTP Request** context value is retrieved as a Java object rather than text. For this reason, OGNL expressions are preferred to evaluate and return values.

     Select **Expression** under **Source**, and then click **Edit** to enter an expression.

     The **HTTP Request** Java object retrieves the authentication method that a client uses, or the private key JWT for client authentication if the client uses the `private_key_jwt` authentication method. For sample expressions, see [Expressions for OAuth and OpenID Connect uses cases](pf_express_oauth_openid_connect_uses_cases.html).

     If the **Expression** selection is not available, you can enable it by editing the `org.sourceid.common.ExpressionManager.xml` file in the `<pf_install>/pingfederate/server/default/data/config-store` directory.

   * **Extended Client Metadata**

     Values are returned from the client record.

   * **LDAP/JDBC/Other**

     Values are returned from your datastore, if used. When you make this selection, the **Value** list populates with attributes from the datastore.

   * **Expression**

     When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.

   * **No Mapping**

     This option ignores the **Value** field, so no value selection is necessary.

   * **Text**

     The value is what you enter. This can be text only, or you can mix text with references to the `USER_KEY` using the `${USER_KEY}` syntax.

     When applicable, you can also enter values from your datastore using the `${ds.attribute}` syntax, where `attribute` is any of the datastore attributes you have selected.

   You can reference attribute values in the form of `${attributeName:-defaultValue}`. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use `${` and `}` in the default value.

2. Click **Next**.
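
The following added example (not PingFederate code or part of the original page) shows how a resource server could consume the `authn_type` attribute described under **Context**, requiring stronger client authentication for sensitive scopes and failing closed when the claim is absent. It assumes the token's signature, issuer, audience, and expiry were already validated; the claim values, scope names, and the `authorize` function are hypothetical.

```python
# Added example: resource-server policy check on the authn_type claim.
# Assumptions (not from the PingFederate documentation):
#   - claim values follow OAuth client authentication method names
#   - scope names below are made up for illustration
#   - `claims` comes from a token whose signature/iss/aud/exp were verified

STRONG_CLIENT_AUTH = {"private_key_jwt", "tls_client_auth"}  # assumed values
SENSITIVE_SCOPES = {"payments:write", "admin"}               # hypothetical


def _scopes(claims):
    """Accept scope as a space-delimited string or as a list of strings."""
    raw = claims.get("scope") or ""
    return set(raw.split()) if isinstance(raw, str) else set(raw)


def authorize(claims, required_scope):
    """Return (allowed, reason) for already-validated access token claims."""
    if required_scope not in _scopes(claims):
        return False, "missing_scope"
    if required_scope in SENSITIVE_SCOPES:
        authn_type = claims.get("authn_type")
        # Fail closed: an unmapped, empty, or non-string claim is never
        # treated as strong client authentication.
        if not isinstance(authn_type, str) or not authn_type:
            return False, "authn_type_missing"
        if authn_type not in STRONG_CLIENT_AUTH:
            return False, "weak_client_authentication"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample claims, not real tokens.
    samples = [
        {"scope": "payments:write", "authn_type": "private_key_jwt"},
        {"scope": "payments:write", "authn_type": "client_secret_basic"},
        {"scope": ["accounts:read"], "authn_type": "client_secret_basic"},
        {"scope": "payments:write"},  # attribute left unmapped upstream
    ]
    for claims in samples:
        needed = "accounts:read" if "accounts:read" in _scopes(claims) else "payments:write"
        print(needed, claims.get("authn_type"), authorize(claims, needed))
```
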
