In this required configuration, you map attributes to be requested from the OAuth resource server into the access token, the token attribute contract.
When mapping a default context, you define how PingFederate (the OAuth AS) maps values into the attributes based on the persistent-grant USER_KEY and any extended attributes defined on the screen.
When a specific context is selected, you can also map attributes from the selected context, namely the chosen IdP adapter instance, Password Credential Validator instance, authentication policy contract, or IdP connection (with an OAuth attribute mapping configuration or an authentication policy contract mapping configuration) into the access tokens. Additionally, you can configure a mapping for clients using the client credential grant type.
The mapping used at runtime depends on the authentication context of the original grant. If the authentication context results in a match, PingFederate uses that specific mapping; otherwise, it uses the default mapping for the applicable access token manager instance.
The
configuration wizard becomes available only after at least one Access Token Management (ATM) instance has been configured on the screen.