PingOne access tokens are signed JWTs (JSON Web Tokens) that include identity claims about and attributes of the requestor, usually a user identity. The resource attributes service lets you customize the content of access tokens by adding custom attributes and their values. This is a great way to convey additional information about the user to applications. Custom attributes have a cumulative length constraint of 16 Kb. See Custom attributes in Schemas for more information.
Resource attributes are essentially custom identity claims associated with a resource. For example, suppose the clothing.preferences
resource with scope sizes
provides “clothing size” user claims in the token. By default, the sizes
scope does not include a t-shirt size user claim. To include the user.tshirtSize
user attribute as a user claim in the token, a resource attribute entity can be created that associates the tshirtSize
attribute with the clothing.preferences
resource. Then, for token requests to clothing.preferences
with scope sizes
, the tshirtSize
user claim is included in the token. If the attribute is multiValued
, then the claim will be an array of values. The following diagram shows the workflow:
For information about an access token’s core claims, see Access token claims. A token’s core identity claims cannot be modified or deleted.
You can use PingOne’s expression language for advanced attribute mappings of a custom resource or the OpenID Connect resource. The supported expression language is an augmentation of SpEL. SpEL is a powerful expression language used for querying and manipulating an object graph at runtime.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
idToken |
Boolean | Optional | Mutable | A boolean that specifies whether the attribute mapping should be available in the ID Token. This property is applicable only when the application’s protocol property is OPENID_CONNECT . If omitted, the default is true . Note that the idToken and userInfo properties cannot both be set to false . At least one of these properties must have a value of true . |
userInfo |
Boolean | Optional | Mutable | A boolean that specifies whether the attribute mapping should be available through the /as/userinfo endpoint. This property is applicable only when the application’s protocol property is OPENID_CONNECT . If omitted, the default is true . Note that the idToken and userInfo properties cannot both be set to false . At least one of these properties must have a value of true . |
name |
String | Required | Mutable | A string that specifies the name of the custom resource attribute to be included in the access token. The following are reserved names and cannot be used. These reserved names are applicable only when the resource’s type property is OPENID_CONNECT :
|
type |
String | Optional | Read-only | A string that specifies the type of resource attribute. Options are:
|
value |
String | Required | Mutable | A string that specifies the value of the custom resource attribute. This value can be a placeholder that references an attribute in the user schema, expressed as “${user.path.to.value}” , or it can be a static string. Placeholders must be valid, enabled attributes in the environment’s user schema. Examples fo valid values are: “${user.email}” , “${user.name.family}” , and “myClaimValueString” . |
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
resources | ATTRIBUTE.CREATED |
resources | ATTRIBUTE.UPDATED |
resources | ATTRIBUTE.DELETED |
Code | Message |
---|---|
200 | Successful operation. |
201 | Successfully created. |
204 | Successfully removed. No content. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
404 | The requested resource was not found. |