In the Attribute Contract tab, you can define the list of attributes that PingFederate can return to the OAuth clients.
Every new OpenID Connect policy contract begins with a list of standard attributes. These attributes or claims are defined in the OpenID Connect specification. You can optionally remove standard attributes, turn them into non-standard attributes, or add new non-standard attributes.
In OpenID Connect, scopes affect the list of attributes that PingFederate can return to the OAuth clients. The attributes that PingFederate returns to OAuth clients vary, depending on the scopes originally approved by the resource owner.
By default, all attributes defined on this window are deliverable through the UserInfo endpoint. If an implicit client makes a token request by providing `id_token` as the only `response_type` parameter value, the client will only receive an ID token without an access token. As the client will not be able to retrieve additional attributes from the UserInfo endpoint without a valid access token, PingFederate includes the applicable attributes in the ID token instead.
If you have not selected the Include User Info in ID Token option in the Manage Policy tab for this policy, you can choose how attributes are delivered to clients. Similar to the default delivery behavior, in the scenario where an implicit client makes a token request by providing `id_token` as the sole `response_type` parameter value, PingFederate includes the applicable attributes in the ID token regardless of any configured overrides.
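The delivery behavior described above means an ID token issued for an `id_token`-only request can carry user attributes that would otherwise stay behind the UserInfo endpoint. The following added example (not PingFederate code) audits which attributes are embedded in an ID token payload and flags any that fall outside the attribute contract; the sample token, issuer, client ID, and function names are constructed for illustration.

```python
import base64
import json

# Claims OpenID Connect Core defines for the ID token itself (not user attributes).
PROTOCOL_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce",
                   "acr", "amr", "azp", "at_hash", "c_hash"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload for inspection only; this does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def id_token_only(response_type: str) -> bool:
    """True when id_token is the sole response_type value (no access token issued)."""
    return response_type.split() == ["id_token"]

def audit_id_token(response_type: str, id_token: str, contract: set) -> dict:
    """Report which user attributes the ID token carries and which exceed the contract."""
    claims = decode_payload(id_token)
    embedded = set(claims) - PROTOCOL_CLAIMS
    return {
        "userinfo_reachable": not id_token_only(response_type),
        "embedded_attributes": sorted(embedded),
        "outside_contract": sorted(embedded - contract),
    }

# Constructed sample: placeholder token with a fake signature, not server output.
SAMPLE_PAYLOAD = {"iss": "https://idp.example", "sub": "u-1001", "aud": "client-a",
                  "exp": 1900000000, "iat": 1899999700, "nonce": "n-0S6",
                  "email": "user@example.com", "given_name": "Sam"}
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256"}'),
                         _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
                         _b64url(b"constructed-signature")])

if __name__ == "__main__":
    # Assumed contract for the example: three non-protocol attributes.
    print(audit_id_token("id_token", SAMPLE_TOKEN,
                         {"email", "given_name", "family_name"}))
```

Running the audit against tokens captured in a test environment shows which attributes reach the client in the ID token itself, which is useful when deciding what to keep in the contract for implicit clients.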
- To add a new attribute:
- To modify an existing entry, use the Edit, Update, and Cancel buttons. Choose how the attribute is delivered, as needed.
- To remove an existing entry, click Delete.