PingOne

Customizing access tokens

With PingOne, you can customize the content of access tokens by adding custom resource attributes and application permissions to the token. Use customized access tokens to convey additional information about token holders to applications.

You can’t customize tokens for the two default resources:

  • OpenID Connect (OIDC)

  • PingOne API

Steps

  1. In the PingOne admin console, go to Applications > Resources and browse or search for the resource that you want to edit.

  2. Click the resource entry to open the details panel for the resource.

  3. On the Attributes tab, click the Pencil icon to add custom attributes.

    1. Click Add.

    2. Enter the following:

      • Attributes: Enter the attribute value for the resource, such as sub.

      • PingOne mappings: Select an attribute in the list, such as User ID.

        Learn more about configuring the access token time to live (TTL) in Editing a resource.

    3. (Optional) Select the Required checkbox to make the attribute required.

      For any attributes except the sub attribute

      If it can’t find a value for an attribute set as required, PingOne doesn’t issue an access token for the resource and instead issues an error message in the token response.

      For the sub attribute

      The following table lists how PingOne handles the sub attribute based on whether it’s set as required and what grant type the application is using:

      sub set as required? | Application grant type | If PingOne can’t find an attribute mapping value?
      ---------------------|------------------------|--------------------------------------------------
      Yes | Any grant type requiring user interaction, such as authorization code | PingOne doesn’t issue an access token for the resource and instead issues an error message in the token response.
      Yes | Client credentials | PingOne doesn’t issue an access token for the resource and instead issues an error message in the token response.
      No | Any grant type requiring user interaction | PingOne populates the sub attribute with the PingOne user ID of the authenticated user.
      No | Client credentials | PingOne returns an access token without including the sub attribute.

    4. Continue adding attributes as needed.

  4. To include application permissions in access tokens created for this resource, on the Permissions tab, click the Include user permissions in Access Token toggle.

    To enable the Permissions tab, add PingOne Authorize to your environment.

    Learn more about defining application permissions in Adding application permissions.

    The p1.permissions claim in the access token will include permissions for the authenticated user.

  5. Click Save.
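The checks a resource server applies to a token shaped by this configuration, as an added example that is not PingOne's own code: a required custom attribute must be present, sub may be absent only for a client-credentials token (the last table row above), and the p1.permissions claim must carry the permission the endpoint needs. The custom attribute name tenant_id, the permission names, and the assumption that p1.permissions is a list of strings are not from the page; signature verification is assumed to have been done already with a JWT library, and the sample tokens are constructed.

```python
import base64
import json

# Hypothetical custom resource attribute configured as Required (assumption:
# only sub and p1.permissions are claim names taken from the page).
REQUIRED_CUSTOM_CLAIMS = ("tenant_id",)


def payload_of(token: str) -> dict:
    """Return the claims of a compact JWS. Inspection only: the signature is
    assumed to have been verified beforehand by a JWT library."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def authorize(claims: dict, needed_permission: str, user_required: bool):
    """Return (allowed, reason) for a verified PingOne access token.

    Required attributes: PingOne would not have issued the token without
    them, so a missing one means the token was not issued for this resource.
    sub: absent only for client credentials; a user endpoint rejects that.
    p1.permissions: assumed to be a list of permission strings.
    """
    missing = [c for c in REQUIRED_CUSTOM_CLAIMS if c not in claims]
    if missing:
        return False, f"missing required attribute(s): {missing}"
    if "sub" not in claims:
        if user_required:
            return False, "no sub claim: client-credentials token on a user endpoint"
        # No authenticated user, so no user permissions to evaluate.
        return True, "client-credentials token accepted for app-level call"
    perms = claims.get("p1.permissions", [])
    if needed_permission not in perms:
        return False, f"{needed_permission!r} not in p1.permissions"
    return True, f"user {claims['sub']} authorized"


def _constructed_token(claims: dict) -> str:
    """Build a sample compact JWS with a placeholder signature (constructed)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.PLACEHOLDER-SIG"


# Constructed samples: a user token (authorization code) and a client-credentials token.
USER_TOKEN = _constructed_token(
    {"sub": "user-123", "tenant_id": "t-1", "p1.permissions": ["orders:read"]})
CLIENT_TOKEN = _constructed_token({"tenant_id": "t-1"})

if __name__ == "__main__":
    print(authorize(payload_of(USER_TOKEN), "orders:read", True))
    print(authorize(payload_of(CLIENT_TOKEN), "orders:read", True))
```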