PingOne Platform APIs

Use an authentication JWT for token fulfillment

Token fulfillment in PingOne enables admins to map attributes from a source’s authentication JWT to the PingOne-generated token to improve interoperability with OIDC applications. When a PingOne application has tokenEndpointAuthMethod set to PRIVATE_KEY_JWT or CLIENT_SECRET_JWT, claims from these source authentication tokens can be mapped to PingOne tokens using the following expression variables:

  • #root.context.requestData.clientAssertion.{{property}}

    Represents the value of a specified property from the payload of the authentication JWT presented by the application at PingOne’s token endpoint.

  • #root.context.requestData.clientAssertion

    Represents the payload of the authentication JWT presented by the application at PingOne’s token endpoint.

  • #root.context.requestData.clientAssertionHeader.{{property}}

    Represents the value of a specified property from the header of the authentication JWT presented by the application at PingOne’s token endpoint.

  • #root.context.requestData.clientAssertionHeader

    Represents the header of the authentication JWT presented by the application at PingOne’s token endpoint.

  • #root.context.requestData

    Represents the header and the payload of the authentication JWT presented by the application at PingOne’s token endpoint.

  • #root.context.appConfig.tokenEndpointAuthMethod

    Represents the token endpoint authentication method of the requesting application. The value is either PRIVATE_KEY_JWT, CLIENT_SECRET_JWT, or null if the application is not configured to use PRIVATE_KEY_JWT or CLIENT_SECRET_JWT.

In PingOne, the resource’s attribute mapping endpoint supports these expressions as request body parameters. For example, you can create a resource attribute on a custom resource using the Create Resource Attribute endpoint: POST {{apiPath}}/environments/{{envID}}/resources/{{resourceID}}/attributes. This POST requires a name/value pair, and in the sample request body below, the value specifies a custom1 property, which is a claim from the source authentication JWT (client_assertion).

{
    "name": "clientAssertion_custom",
    "value": "${#root.context.requestData.clientAssertion.custom1}"
}

The claim represented by custom1 from the authentication JWT will be mapped to the PingOne JWT returned by the PingOne token request. If the custom1 claim in the JWT represents a nested JSON object, you can write your expression as #root.context.requestData.clientAssertion.custom1.x or #root.context.requestData.clientAssertion.custom1['x'] to access a nested property named x from the sample JWT below:

{
  "iss": "{{issID}}",
  "sub": "{{subID}}",
  "aud": "https://auth.pingone.com/{{envID}}/as/token",
  "jti": "a_0eDHMN...",
  "exp": 1736268635,
  "iat": 1736268335,
  "custom1": {
    "x": "xerox",
    "y": "yankee"
  }
}
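To preview what a mapping expression selects from a captured client_assertion before creating the attribute, the following added example (not PingOne code) decodes a compact JWT and walks the dot and bracket forms shown above. It is a simplified path walker, not PingOne's expression engine; the names resolve, request_data and SAMPLE, and the sample header and iss/sub values, are constructed for illustration.

```python
import base64
import json
import re

PREFIX = "#root.context.requestData"

def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def request_data(client_assertion: str) -> dict:
    """Header and payload of a compact JWT, keyed as the expressions name them."""
    header_b64, payload_b64, _signature = client_assertion.split(".")
    return {
        "clientAssertionHeader": b64url_json(header_b64),
        "clientAssertion": b64url_json(payload_b64),
    }

def resolve(expression: str, client_assertion: str):
    """Walk .name and ['name'] steps only; any other syntax is rejected."""
    if not expression.startswith(PREFIX):
        raise ValueError("unsupported expression root")
    rest = expression[len(PREFIX):]
    steps = re.findall(r"\.(\w+)|\['([^']+)'\]", rest)
    if "".join(f".{a}" if a else f"['{b}']" for a, b in steps) != rest:
        raise ValueError("unsupported expression syntax")
    value = request_data(client_assertion)
    for dotted, bracketed in steps:
        # A missing property raises KeyError here; this page does not say
        # how PingOne itself treats a missing property.
        value = value[dotted or bracketed]
    return value

def _seg(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample assertion (placeholder signature, never verified here).
SAMPLE = ".".join([
    _seg({"alg": "RS512", "kid": "example-kid"}),
    _seg({"iss": "app", "sub": "app", "custom1": {"x": "xerox", "y": "yankee"}}),
    "sig-placeholder",
])
```
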

Additional examples

Suppose you have a source authentication JWT with the following headers and claims:

{
  "alg": "RS512",
  "kid": "2DqNmmIHeJq-YrcR7K8Pjwi4KAI"
}.{
  "iss": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
  "sub": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
  "aud": "https://auth.pingone.com/{{envID}}/as/token",
  "jti": "vm7kRZz_AM3bHAVRdrKlMA",
  "exp": 1734550892,
  "iat": 1734550592
}

Include JWT claims

If you create a resource attribute mapping POST request using the #root.context.requestData.clientAssertion expression in the value property, the PingOne token endpoint will include the source JWT claims in the response:

{
  "alg": "RS256",
  "kid": "default"
}.{
  "client_id": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
  "iss": "https://auth.pingone.com/6991589d-87eb-47f4-9131-284cebe106b3/as",
  "jti": "0e428c3e-592b-4ec3-9684-505573e7a2d0",
  "iat": 1734550592,
  "exp": 1734554192,
  "aud": [
    "abc itu"
  ],
  "scope": "openid myOidc example",
  "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2",
  "sid": "e506bd43-830d-46b3-8487-b80fd1dd7df9",
  "context_requestData_clientAssertion_customResource": {
    "clientAssertion": {
      "iss": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
      "sub": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
      "aud": "https://auth.pingone.com/{{envID}}/as/token",
      "jti": "vm7kRZz_AM3bHAVRdrKlMA",
      "exp": 1734550892,
      "iat": 1734550592
    }
  },
  "env": "{{envID}}",
  "org": "{{orgID}}"
}

The context_requestData_clientAssertion_customResource attribute in the PingOne token includes the claims from the authentication JWT presented at PingOne’s token endpoint.

Include JWT headers and claims

If you use the #root.context.requestData expression in the value property of your attribute mapping, the PingOne token endpoint will include the source JWT’s headers and claims in the response:

{
  "alg": "RS256",
  "kid": "default"
}.{
  "client_id": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
  "iss": "https://auth.pingone.com/6991589d-87eb-47f4-9131-284cebe106b3/as",
  "jti": "0e428c3e-592b-4ec3-9684-505573e7a2d0",
  "iat": 1734550592,
  "exp": 1734554192,
  "aud": [
    "abc itu"
  ],
  "scope": "openid myOidc example",
  "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2",
  "sid": "e506bd43-830d-46b3-8487-b80fd1dd7df9",
  "context_requestData_customResource": {
    "clientAssertionHeader": {
      "alg": "RS512",
      "kid": "2DqNmmIHeJq-YrcR7K8Pjwi4KAI"
    },
    "clientAssertion": {
      "iss": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
      "sub": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
      "aud": "https://auth.pingone.com/{{envID}}/as/token",
      "jti": "vm7kRZz_AM3bHAVRdrKlMA",
      "exp": 1734550892,
      "iat": 1734550592
    }
  },
  "env": "{{envID}}",
  "org": "{{orgID}}"
}

The context_requestData_customResource attribute in the PingOne token includes the headers and claims from the authentication JWT presented at PingOne’s token endpoint.
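The mapped values are copied from a JWT that the client application authored, so a resource server that relies on them can first confirm they are consistent with the token that carries them. The following is an added example, not PingOne code: check_mapped_assertion, ALLOWED_ALGS and the policy it encodes are assumptions, and the input is taken to be the claims of a PingOne token whose signature, issuer, audience and expiry a JWT library has already verified.

```python
ATTR = "context_requestData_customResource"  # attribute name from the sample above
# Assumed local policy for PRIVATE_KEY_JWT clients; CLIENT_SECRET_JWT clients
# sign with HMAC algorithms and would need their own list.
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "ES256"}

def check_mapped_assertion(claims, token_endpoint, attr=ATTR):
    """Return findings for the mapped client assertion; [] means consistent."""
    mapped = claims.get(attr)
    if not isinstance(mapped, dict):
        return [f"{attr} is missing or not an object"]
    header = mapped.get("clientAssertionHeader") or {}
    payload = mapped.get("clientAssertion") or {}
    findings = []
    # RFC 7523 client authentication: iss and sub are both the client_id.
    for name in ("iss", "sub"):
        if payload.get(name) != claims.get("client_id"):
            findings.append(f"clientAssertion.{name} differs from client_id")
    aud = payload.get("aud")  # a JWT aud may be a string or a list
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        findings.append("clientAssertion.aud is not the expected token endpoint")
    if header.get("alg") not in ALLOWED_ALGS:
        findings.append("clientAssertionHeader.alg is outside local policy")
    # The token should have been issued while the assertion was valid.
    if not payload.get("iat", 0) <= claims.get("iat", -1) <= payload.get("exp", 0):
        findings.append("token iat falls outside the assertion's iat..exp window")
    return findings

# Constructed input: the relevant claims of the sample token above.
ENDPOINT = "https://auth.pingone.com/{{envID}}/as/token"
SAMPLE = {
    "client_id": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
    "iat": 1734550592,
    ATTR: {
        "clientAssertionHeader": {"alg": "RS512", "kid": "2DqNmmIHeJq-YrcR7K8Pjwi4KAI"},
        "clientAssertion": {
            "iss": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
            "sub": "2cdb6843-338d-44f7-b8b9-90ffa28c555d",
            "aud": ENDPOINT,
            "jti": "vm7kRZz_AM3bHAVRdrKlMA",
            "exp": 1734550892,
            "iat": 1734550592,
        },
    },
}
```
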