PingFederate Server

Defining the access token attribute contract

On the Access Token Attribute Contract tab, define the attribute contract for the access tokens issued by this access token management (ATM) instance.

About this task

You must enter at least one attribute. For auditing purposes, an attribute can be chosen as the subject.

Steps

  1. Go to Applications → OAuth → Access Token Management and select your instance, or click Create New Instance.

  2. On the Access Token Attribute Contract tab, use the Extend the Contract field and the Add button to add one or more attributes.

    To always return the attribute's value as an array in a token response, select the Multi-Valued check box.

    For JSON web token (JWT) bearer access tokens, you can extend the attribute contract with the following attributes.

    Attribute Description

    iss

    Adds the Issuer claim (iss) to the access token.

    When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the value specified on the Access Token Attribute Contract tab overrides any Issuer Claim Value defined on the Instance Configuration tab.

    aud

    Adds the Audience claim (aud) to the access token.

    When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the value you specify on the Access Token Attribute Contract tab overrides any Audience Claim Value defined on the Instance Configuration tab.

    exp

    Extends the value of the Expire claim (exp) by the specified value in minutes.

    Define the Expire claim with the Token Lifetime setting in the Instance Configuration tab.

    An attribute whose name matches the Client ID Claim Name field value, the Scope Claim Name field value, or the Access Grant GUID Claim Name field value defined on the Instance Configuration tab of this ATM instance.

    When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the values defined in the Access Token Attribute Contract tab override the value of the client ID, the scope, or the persistent access grant GUID.

  3. Select an attribute from the Subject Attribute Name list.

    Result:

    When recording OAuth transactions in the audit log, PingFederate populates the subject field with values from this attribute specifically for token introspection and token validation using the validate_bearer grant type.
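The following is an added example (not PingFederate code) that models the precedence rules described above: contract attributes such as iss and aud override the Instance Configuration values, a contract exp value extends the Token Lifetime in minutes, Multi-Valued attributes are always emitted as arrays, and the Subject Attribute Name selects the audit-log subject. The issuer, audience and attribute values are constructed placeholders, and check_token is a hypothetical resource-server check showing what a consumer of the token sees.

```python
"""Model of how an ATM instance's attribute contract shapes a JWT access token's claims."""
import time

# Instance Configuration tab values (constructed placeholders, not a real deployment)
INSTANCE_CONFIG = {
    "issuer_claim_value": "https://sso.example.test",
    "audience_claim_value": "https://api.example.test",
    "token_lifetime_minutes": 60,
    "client_id_claim_name": "client_id",
    "scope_claim_name": "scope",
}


def build_jwt_claims(instance_cfg, contract_values, multi_valued, subject_attribute,
                     client_id, scope, now=None):
    """Return (claims, audit_subject) following the precedence rules on this page.

    contract_values: attribute name -> value fulfilled by the mapping.
    multi_valued:    names whose value is always returned as an array.
    """
    now = int(time.time() if now is None else now)
    claims = {
        "iss": instance_cfg["issuer_claim_value"],
        "aud": instance_cfg["audience_claim_value"],
        instance_cfg["client_id_claim_name"]: client_id,
        instance_cfg["scope_claim_name"]: scope,
        "iat": now,
        # Token Lifetime defines exp; a contract "exp" value extends it by that many minutes
        "exp": now + (instance_cfg["token_lifetime_minutes"]
                      + int(contract_values.get("exp", 0))) * 60,
    }
    for name, value in contract_values.items():
        if name == "exp":
            continue  # already applied as an extension, never as a replacement
        # iss, aud, the client ID / scope claim names and custom attributes all
        # override whatever the instance configuration produced for that claim
        wrap = name in multi_valued and not isinstance(value, list)
        claims[name] = [value] if wrap else value
    # The Subject Attribute Name picks which claim feeds the audit log's subject field
    return claims, claims.get(subject_attribute)


def check_token(claims, expected_issuer, expected_audience, now):
    """Hypothetical resource-server check of the issuer, audience and expiry it relies on."""
    aud = claims.get("aud")
    aud_ok = expected_audience in aud if isinstance(aud, list) else aud == expected_audience
    return claims.get("iss") == expected_issuer and aud_ok and claims.get("exp", 0) > now
```

Overriding aud from the contract changes which resource servers will accept the token, so check_token with the instance-level audience fails for such a token.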