On the Contract Fulfillment screen, you map values into the token attribute contract. These are the attributes that will be included or referenced in the access token.

Map each attribute to fulfill the Token Attribute Contract from one of these Sources:
  • Client Credentials, IdP Adapter, IdP Connection, Password Credential Validator, or Token Exchange Processor Policy

    If you have selected an IdP adapter instance, IdP connection, password credential validator instance, or token exchange processor policy under Context on the Access Token Attribute Mapping screen, you have the option to map attributes from that specific authentication system. Select the corresponding context under Source and the desired attribute under Value.

  • Persistent Grant

    When you make this selection, the associated Value list is populated by the USER_KEY and extended attributes from the persistent access-token grant.

  • Context

    Values are returned from the context of the transaction at runtime.


    The HTTP Request context value is retrieved as a Java object rather than text. For this reason, OGNL expressions are more appropriate to evaluate and return values.

    Select Expression under Source and then click Edit to enter an expression.

    Additionally, you can use an expression to retrieve from the HTTP Request Java object the authentication method that a client uses (or the private key JWT with which a client authenticates if the client uses the private_key_jwt authentication method). For sample expressions, see Expressions for OAuth and OpenID Connect uses cases.

    (If the Expression selection is not available, you may enable it by editing the org.sourceid.common.ExpressionManager.xml file in the <pf_install>/pingfederate/server/default/data/config-store directory.)

  • Extended Client Metadata

    Values are returned from the client record.

  • LDAP/JDBC/Other (when a datastore is used)

    Values are returned from your datastore (if used). When you make this selection, the Value list is populated by the attributes from the datastore.

  • Expression (when enabled)

    This option provides more complex mapping capabilities; for example, transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.

  • No Mapping

    Select this option to ignore the Value field, causing no value selection to be necessary.

  • Text

    The value is what you enter. This can be text only, or you can mix text with references to the USER_KEY using the syntax:


    You can also enter values from your datastore, when applicable, using this syntax:


    where attribute is any of the datastore attributes you have selected.

  1. Choose a source and then choose (or enter) a value for each attribute in the contract.
  2. Click Next.