PingOne access tokens are signed JWTs (JSON Web Tokens) that include identity claims about and attributes of the requestor, usually a user identity. The resource attributes service lets you customize the content of access tokens by adding custom attributes and their values. This is a great way to convey additional information about the user to applications.

Resource attributes are essentially custom identity claims associated with a resource. For example, suppose the clothing.preferences resource with scope sizes provides “clothing size” user claims in the token. By default, the sizes scope does not include a t-shirt size user claim. To include the user.tshirtSize user attribute as a user claim in the token, a resource attribute entity can be created that associates the tshirtSize attribute with the clothing.preferences resource. Then, for token requests to clothing.preferences with scope sizes, the tshirtSize user claim is included in the token. If the attribute is multiValued, then the claim will be an array of values. The following diagram shows the workflow:

Resource attributes

For information about an access token’s core claims, see Access token claims. A token’s core identity claims cannot be modified or deleted.

Resource attributes data model

Property Description
name A string that specifies the name of the custom resource attribute to be included in the access token. The following names are reserved and cannot be used:
  • acr
  • amr
  • aud
  • auth_time
  • client_id
  • env
  • exp
  • iat
  • iss
  • jti
  • org
  • p1.* (any name staring with the p1. prefix)
  • scope
  • sid
  • sub
type A string that specifies the type of resource attribute. Options are:
  • CORE: The claim is required and cannot not be removed.
  • CUSTOM: The claim is not a CORE attribute. All created attributes are of this type.
value A string that specifies the value of the custom resource attribute. This value can be a placeholder that references an attribute in the user schema, expressed as “${user.path.to.value}”, or it can be a static string. Placeholders must be valid, enabled attributes in the environment’s user schema. Examples fo valid values are: “${user.email}”, “${user.name.family}”, and “myClaimValueString”.

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
404 The requested resource was not found.