PingOne access tokens are signed JWTs (JSON Web Tokens) that include identity claims about and attributes of the requestor, usually a user identity. The resource attributes service lets you customize the content of access tokens by adding custom attributes and their values. This is a great way to convey additional information about the user to applications. Custom attributes have a cumulative length constraint of 16 Kb. See Custom attributes in Schemas for more information.

Resource attributes are essentially custom identity claims associated with a resource. For example, suppose the clothing.preferences resource with scope sizes provides “clothing size” user claims in the token. By default, the sizes scope does not include a t-shirt size user claim. To include the user.tshirtSize user attribute as a user claim in the token, a resource attribute entity can be created that associates the tshirtSize attribute with the clothing.preferences resource. Then, for token requests to clothing.preferences with scope sizes, the tshirtSize user claim is included in the token. If the attribute is multiValued, then the claim will be an array of values. The following diagram shows the workflow:

[Diagram: Resource attributes custom identity claims]

For information about an access token’s core claims, see Access token claims. A token’s core identity claims cannot be modified or deleted.

Advanced resource attribute mapping {#advanced-resource-attribute-mapping}

You can use PingOne’s expression language for advanced attribute mappings of a custom resource or the OpenID Connect resource. The supported expression language is an augmentation of SpEL (the Spring Expression Language), a powerful expression language for querying and manipulating an object graph at runtime.

Resource attributes data model {#resource-attributes-data-model}

| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| idToken | Boolean | Optional | Mutable | A boolean that specifies whether the attribute mapping should be available in the ID Token. This property is applicable only when the application’s protocol property is OPENID_CONNECT. If omitted, the default is true. Note that the idToken and userInfo properties cannot both be set to false. At least one of these properties must have a value of true. |
| userInfo | Boolean | Optional | Mutable | A boolean that specifies whether the attribute mapping should be available through the /as/userinfo endpoint. This property is applicable only when the application’s protocol property is OPENID_CONNECT. If omitted, the default is true. Note that the idToken and userInfo properties cannot both be set to false. At least one of these properties must have a value of true. |
| name | String | Required | Mutable | A string that specifies the name of the custom resource attribute to be included in the access token. The reserved names listed below cannot be used. These reserved names are applicable only when the resource’s type property is OPENID_CONNECT. |
| type | String | Optional | Read-only | A string that specifies the type of resource attribute. The options are listed below. |
| value | String | Required | Mutable | A string that specifies the value of the custom resource attribute. This value can be a placeholder that references an attribute in the user schema, expressed as “${user.path.to.value}”, or it can be a static string. Placeholders must be valid, enabled attributes in the environment’s user schema. Examples of valid values are: “${user.email}”, “${user.name.family}”, and “myClaimValueString”. |

Reserved names for name (applicable only when the resource’s type property is OPENID_CONNECT):
  • acr
  • amr
  • aud
  • auth_time
  • client_id
  • env
  • exp
  • iat
  • iss
  • jti
  • org
  • p1.* (any name starting with the p1. prefix)
  • scope
  • sid
  • sub

Options for type:
  • CORE: The claim is required and cannot be removed.
  • CUSTOM: The claim is not a CORE attribute. All created attributes are of this type.
  • PREDEFINED: A designation for predefined OIDC resource attributes such as given_name. These attributes cannot be removed; however, they can be modified.
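To show how the data model constraints and the tshirtSize example fit together, here is an added Python sketch (not PingOne’s own code): it checks a resource attribute definition against the rules in the table (reserved names, the idToken/userInfo rule, placeholders that must name an enabled schema attribute) and renders the resulting claim for a user record, returning an array for a multi-valued attribute. The set of enabled schema paths, the sample user and the `oidc` flag are constructed assumptions; PingOne’s server-side resolution is not shown on this page.

```python
import re
from typing import Any

# Reserved claim names for OPENID_CONNECT resources, as listed in the data model above.
RESERVED_OIDC_NAMES = {"acr", "amr", "aud", "auth_time", "client_id", "env", "exp",
                       "iat", "iss", "jti", "org", "scope", "sid", "sub"}
# A value is a placeholder only if it has exactly the "${user.path.to.value}" form.
PLACEHOLDER = re.compile(r"^\$\{user\.([A-Za-z0-9_.]+)\}$")


def validate_attribute(attr: dict, oidc: bool, enabled_paths: set) -> list:
    """Return the problems with a resource attribute definition (empty list if valid).
    `oidc` is True when the resource's type is OPENID_CONNECT (an assumption about how
    the caller knows the resource type); `enabled_paths` is the constructed set of
    enabled user schema attribute paths."""
    problems = []
    name = attr.get("name")
    if not name:
        problems.append("name is required")
    elif oidc and (name in RESERVED_OIDC_NAMES or name.startswith("p1.")):
        problems.append(f"name '{name}' is reserved for OPENID_CONNECT resources")
    value = attr.get("value")
    if not value:
        problems.append("value is required")
    else:
        m = PLACEHOLDER.match(value)
        if m and m.group(1) not in enabled_paths:
            problems.append(f"placeholder {value} is not an enabled user schema attribute")
    # idToken and userInfo default to true and may not both be false.
    if oidc and attr.get("idToken", True) is False and attr.get("userInfo", True) is False:
        problems.append("idToken and userInfo cannot both be false")
    return problems


def resolve_claim(attr: dict, user: dict) -> Any:
    """Render the claim value for one user: the static string itself, or the user
    attribute the placeholder points at (a list when that attribute is multi-valued)."""
    m = PLACEHOLDER.match(attr["value"])
    if not m:
        return attr["value"]
    node: Any = user
    for part in m.group(1).split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


# Constructed sample data: the tshirtSize example from the text plus one multi-valued attribute.
ENABLED_PATHS = {"email", "name.family", "tshirtSize", "favoriteColors"}
SAMPLE_USER = {"email": "jdoe@example.com", "name": {"family": "Doe"},
               "tshirtSize": "L", "favoriteColors": ["blue", "green"]}
TSHIRT_ATTR = {"name": "tshirtSize", "value": "${user.tshirtSize}"}
```

Rejecting reserved names such as sub or aud at definition time is what keeps a custom mapping from shadowing the token’s core identity claims.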

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

| Service | Event |
|---|---|
| resources | ATTRIBUTE.CREATED |
| resources | ATTRIBUTE.UPDATED |
| resources | ATTRIBUTE.DELETED |

Response codes

| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 404 | The requested resource was not found. |