In this required configuration, you map attributes to be requested from the OAuth resource server into the access token, the token attribute contract.

When mapping a default context, you define how PingFederate (the OAuth AS) maps values into the attributes based on the persistent-grant USER_KEY and any extended attributes defined on the OAuth Server > Authorization Server Settings screen.

When a specific context is selected, you can also map attributes from the selected context, namely the chosen IdP adapter instance, Password Credential Validator instance, authentication policy contract, or IdP connection (with an OAuth attribute mapping configuration or an authentication policy contract mapping configuration) into the access tokens. Additionally, you can configure a mapping for clients using the client credential grant type.

The mapping used at runtime depends on the authentication context of the original grant. If the authentication context results in a match, PingFederate uses that specific mapping; otherwise, it uses the default mapping for the applicable access token manager instance.


The OAuth Server > Access Token Mapping configuration wizard becomes available only after at least one Access Token Management (ATM) instance has been configured on the OAuth Server > Access Token Management screen.

  • To create a mapping, select the source of the attributes from the Context list and the target ATM instance from the Access Token Manager list, and then click Add Mapping.
  • To modify an existing mapping, select it by its name under Mappings.
  • To remove an existing mapping or to cancel the removal request, click Delete or Undelete under Action.

    Before removing an existing mapping from your configuration, ensure that it is not used by your OAuth use cases.