On the Access Token Attribute Contract tab, define the attribute contract for the access tokens issued by this access token management (ATM) instance.
You must enter at least one attribute. For auditing purposes, an attribute can be chosen as the subject.
- Go to Applications > OAuth > Access Token Management and select your instance, or click Create New Instance.
- On the Access Token Attribute Contract tab, use the Extend the Contract field and the Add button to add one or more attributes.
- To always return this array in a token response, select the Multi-Valued check box.
For JSON web token (JWT) bearer access tokens, you can extend the attribute contract with the following attributes.
| Attribute | Description |
| --- | --- |
| iss | Adds the Issuer claim (iss) to the access token. When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the value specified on the Access Token Attribute Contract tab overrides any Issuer Claim Value defined on the Instance Configuration tab. |
| aud | Adds the Audience claim (aud) to the access token. When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the value you specify on the Access Token Attribute Contract tab overrides any Audience Claim Value defined on the Instance Configuration tab. |
| exp | Extends the value of the Expire claim (exp) by the specified value in minutes. Note: Define the Expire claim with the Token Lifetime setting in the Instance Configuration tab. |
| The Client ID Claim Name field value, the Scope Claim Name field value, or the Access Grant GUID Claim Name field value defined on the Instance Configuration tab of this ATM instance. | When mapping attribute values from authentication sources to the access tokens issued by this ATM instance, the values defined in the Access Token Attribute Contract tab override the value of the client ID, the scope, or the persistent access grant GUID. |

- Select an attribute from the Subject Attribute Name list.
  When recording OAuth transactions in the audit log, PingFederate populates the subject field with values from this attribute specifically for token introspection and token validation using the validate_bearer grant type.
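A resource server that consumes these JWT access tokens should check the `iss`, `aud` and `exp` claims that the contract adds, and accept `aud` as either a string or an array. The following sketch is an added example, not PingFederate code: it decodes without verifying the signature (assumed to be done separately), and the issuer, audience, function names and sample token are constructed.

```python
import base64
import json
import time


def decode_payload(jwt_compact):
    """Return the claims of a compact JWT WITHOUT verifying its signature."""
    segments = jwt_compact.split(".")
    if len(segments) != 3:
        raise ValueError("expected a three-segment compact JWS")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_contract_claims(claims, expected_iss, expected_aud, now=None, max_lifetime_min=None):
    """Return a list of problems found in iss, aud and exp (empty list means OK)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    # A multi-valued attribute arrives as a JSON array, a single value as a string.
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append("aud mismatch")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        problems.append("exp missing or not numeric")
    elif exp <= now:
        problems.append("token expired")
    elif max_lifetime_min is not None and exp - now > max_lifetime_min * 60:
        # Token Lifetime plus any exp extension gives the upper bound to expect.
        problems.append("exp exceeds expected lifetime")
    return problems


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token: hypothetical issuer and audiences, placeholder signature.
SAMPLE_NOW = 1_700_000_000
SAMPLE_JWT = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://sso.example.com", "aud": ["api-orders", "api-billing"],
             "exp": SAMPLE_NOW + 600}),
    "c2lnbmF0dXJl",  # placeholder, not a real signature
])
```

Set `max_lifetime_min` to the Token Lifetime plus any `exp` extension from the contract so that tokens living longer than configured are flagged.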