On the Attribute Contract screen, define the list of attributes that PingFederate can return to the OAuth clients. Every new OpenID Connect policy contract begins with a list of standard attributes. These are attributes (or claims) defined in the OpenID Connect specification. You can optionally remove standard attributes, edit them to turn them into non-standard attributes, and add new non-standard attributes.
In OpenID Connect, scopes affect the list of attributes that PingFederate can return to the OAuth clients. In other words, the attributes that PingFederate returns to OAuth clients vary, depending on the scopes approved by the resource owner in the first place.
By default, all attributes defined on this screen are deliverable through the UserInfo endpoint. In the scenario where an implicit client makes a token request by providing id_token as the sole response_type parameter value, the client will only receive an ID token without an access token. Because the client will not be able to retrieve additional attributes from the UserInfo endpoint without a valid access token, PingFederate includes the applicable attributes in the ID token instead.
If you have not selected the Include User Info in ID Token option on the Manage Policy screen for this policy, you may choose how attributes are delivered to clients. Similar to the default delivery behavior, in the scenario where an implicit client makes a token request by providing id_token as the sole response_type parameter value, PingFederate includes the applicable attributes in the ID token regardless of any configured overrides.
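The delivery rules described above can be modeled to review which attributes end up in an ID token for a given request. This is an added example, not PingFederate code; it assumes the Include User Info in ID Token option is not selected, that each attribute is tied to one scope, and the contract layout, function names and sample values are constructed for illustration.

```python
ID_TOKEN, USERINFO = "id_token", "userinfo"

# Constructed sample contract: attribute -> required scope and optional
# per-attribute delivery override (None means default delivery).
SAMPLE_CONTRACT = {
    "email":        {"scope": "email",   "override": None},
    "given_name":   {"scope": "profile", "override": {ID_TOKEN}},
    "phone_number": {"scope": "phone",   "override": None},
}


def delivery_plan(contract, approved_scopes, response_type):
    """Return {attribute: set of delivery channels} for one token request.

    Models three rules from the text:
      1. only attributes whose scope was approved are applicable;
      2. default delivery is the UserInfo endpoint, unless overridden;
      3. if response_type is exactly "id_token", no access token is issued,
         so every applicable attribute goes into the ID token and the
         overrides are ignored.
    """
    # response_type is a space-delimited list; order does not matter.
    sole_id_token = set(response_type.split()) == {"id_token"}
    plan = {}
    for name, entry in contract.items():
        if entry["scope"] not in approved_scopes:
            continue  # scope not approved by the resource owner
        if sole_id_token:
            plan[name] = {ID_TOKEN}
        else:
            plan[name] = set(entry["override"] or {USERINFO})
    return plan


def in_id_token(plan):
    """Sorted list of attributes that the ID token will carry."""
    return sorted(a for a, channels in plan.items() if ID_TOKEN in channels)


if __name__ == "__main__":
    approved = {"openid", "profile", "email"}
    for rt in ("code", "id_token token", "id_token"):
        plan = delivery_plan(SAMPLE_CONTRACT, approved, rt)
        print(f"{rt!r:18} ID token carries: {in_id_token(plan)}")
```

Running the same contract against each response_type a client is allowed to use shows which attributes move into the ID token when the request asks for id_token alone.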
- To add a new attribute:
- To modify an existing entry, use the Edit, Update, and Cancel workflow. Choose how the attribute is delivered, as needed.
- To remove an existing entry, click Delete.