On the Access Token Attribute Contract screen, define the attribute contract for the access tokens issued by this access token management (ATM) instance. You must enter at least one attribute. For auditing purposes, an attribute may be chosen as the subject.

  1. Add one or more attributes.

    For JWT bearer access tokens, you may extend the attribute contract with the following attributes:

    | Attribute | Description |
    |---|---|
    | iss | Adds the Issuer claim (iss) to the access token. When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the value you specify on the Contract Fulfillment screen overrides the Issuer Claim Value field value (if any) defined on the Instance Configuration screen. |
    | aud | Adds the Audience claim (aud) to the access token. When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the value you specify on the Contract Fulfillment screen overrides the Audience Claim Value field value (if any) defined on the Instance Configuration screen. |
    | exp | Extends the value of the Expire claim (exp), as defined by the Token Lifetime setting on the Instance Configuration screen, by the specified value (in seconds). |
    | The Client ID Claim Name field value, the Scope Claim Name field value, or the Access Grant GUID Claim Name field value (if any) defined on the Instance Configuration screen of this ATM instance. | When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the values you specify on the Contract Fulfillment screen override the value of the client ID, the scope, or the persistent access grant GUID. |

  2. Select an attribute from the list under Subject Attribute Name.

    When OAuth transactions are recorded in the audit log, the subject field is populated with the value of this attribute, specifically for token introspection and for token validation using the validate_bearer grant type.
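
To confirm that an issued token reflects the overrides described in the attribute table, the following added example (not product code) models the precedence rules for iss, aud and exp and compares them with a decoded JWT payload. The dictionary keys, the `token_lifetime_s` parameter (Token Lifetime already converted to seconds), the issue time and the sample token are assumptions constructed for illustration.

```python
import base64
import json

# Constructed sample values; the dictionary keys are hypothetical names.
INSTANCE_CFG = {"issuer_claim_value": "https://sso.example.com",
                "audience_claim_value": "api-default",
                "token_lifetime_s": 7200}
FULFILLMENT = {"aud": "https://orders.example.com", "exp": "600"}
ISSUED_AT = 1700000000

def expected_claims(instance_cfg, fulfillment, issued_at):
    """Apply the precedence rules from the attribute table (simplified model)."""
    claims = {}
    for claim, cfg_key in (("iss", "issuer_claim_value"),
                           ("aud", "audience_claim_value")):
        # A Contract Fulfillment value overrides the Instance Configuration field.
        value = fulfillment.get(claim) or instance_cfg.get(cfg_key)
        if value:
            claims[claim] = value
    # exp: Token Lifetime extended by the fulfilled exp value, in seconds.
    extension = int(fulfillment.get("exp", 0))
    claims["exp"] = issued_at + instance_cfg["token_lifetime_s"] + extension
    return claims

def decode_payload(jwt):
    """Decode the JWT payload for inspection; the signature is NOT verified."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def audit_token(jwt, expected):
    """Return (claim, expected, actual) for every claim that differs."""
    actual = decode_payload(jwt)
    return [(k, v, actual.get(k)) for k, v in expected.items()
            if actual.get(k) != v]

def make_sample_token(payload):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(payload)}.constructed-signature"

if __name__ == "__main__":
    want = expected_claims(INSTANCE_CFG, FULFILLMENT, ISSUED_AT)
    stale = make_sample_token({"iss": "https://sso.example.com",
                               "aud": "api-default", "exp": ISSUED_AT + 7200})
    for claim, exp_v, got in audit_token(stale, want):
        print(f"MISMATCH {claim}: expected {exp_v!r}, token has {got!r}")
```

A mismatch on aud or exp here indicates that the token was issued with the Instance Configuration defaults rather than the Contract Fulfillment values.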