On the Contract Fulfillment tab, map values into the token attribute contract to be included or referenced in the access token.
Choose a source from the Source list, and then select a value
from the Value list for each attribute in the contract, or enter
Map each attribute from one of the following sources:
Credentials, IdP Adapter, IdP
Connection, Password Credential Validator, or
Token Exchange Processor Policy
Depending on the selections under Context in the Access Token Attribute Mapping tab, you can map attributes from that specific authentication system. Select the corresponding context under Source and the desired attribute under Value.
- Persistent Grant
When selected, the associated Value list is populated with the USER_KEY and extended attributes from the persistent access-token grant.
Values are returned from the context of the transaction at runtime.Note:
The HTTP Request context value is retrieved as a Java object rather than text. For this reason, OGNL expressions are preferred to evaluate and return values.
Select Expression under Source, and then click Edit to enter an expression.
The HTTP RequestJava object retrieves the authentication method that a client uses, or the private key JWT for client authentication if the client uses the private_key_jwt authentication method.. For sample expressions, see Expressions for OAuth and OpenID Connect uses cases.
If the Expression selection is not available, you can enable it by editing the org.sourceid.common.ExpressionManager.xml file in the <pf_install>/pingfederate/server/default/data/config-store directory.
- Extended Client Metadata
Values are returned from the client record.
Values are returned from your datastore, if used. When you make this selection, the Value list populates with attributes from the datastore.
When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.
- No Mapping
This option ignores the Value field, causing no value selection to be necessary.
The value is what you enter. This can be text only, or you can mix text with references to the USER_KEY using the
When applicable, you can also enter values from your datastore using the
attributeis any of the datastore attributes you have selected.
- Client Credentials, IdP Adapter, IdP Connection, Password Credential Validator, or Token Exchange Processor Policy
- Click Next.