--- title: Use an authentication JWT for token fulfillment description: Token fulfillment in PingOne enables admins to map attributes from a source's authentication JWT to the PingOne generated token to improve interoperability with OIDC applications. When a PingOne application has a tokenEdnpointAuthMethod set to PRIVATE_KEY_JWT or CLIENT_SECRET_JWT, claims from these source authentication tokens can be mapped to PingOne tokens using the following expression variables: component: pingone-api page_id: pingone-api:auth:auth-config-options/auth-jwt-token-fulfillment canonical_url: https://developer.pingidentity.com/pingone-api/auth/auth-config-options/auth-jwt-token-fulfillment.html section_ids: additional-examples: Additional examples include-jwt-claims: Include JWT claims include-jwt-headers-and-claims: Include JWT headers and claims --- # Use an authentication JWT for token fulfillment Token fulfillment in PingOne enables admins to map attributes from a source's authentication JWT to the PingOne generated token to improve interoperability with OIDC applications. When a PingOne application has a `tokenEdnpointAuthMethod` set to `PRIVATE_KEY_JWT` or `CLIENT_SECRET_JWT`, claims from these source authentication tokens can be mapped to PingOne tokens using the following expression variables: * `#root.context.requestData.clientAssertion.{{property}}` Represents the value of a specified `property` from the payload of the authentication JWT presented by the application at PingOne's token endpoint. * `#root.context.requestData.clientAssertion` Represents the payload of the authentication JWT presented by the application at PingOne's token endpoint. * `#root.context.requestData.clientAssertionHeader.{{property}}` Represents the value of a specified `property` from the header of the authentication JWT presented by the application at PingOne's token endpoint. * `#root.context.requestData.clientAssertionHeader` Represents the header of the authentication JWT presented by the application at PingOne's token endpoint. * `#root.context.requestData` Represents the header and the payload of the authentication JWT presented by the application at PingOne's token endpoint. * `#root.context.appConfig.tokenEndpointAuthMethod` Represents the token endpoint authentication method of the requesting application. The value is either `PRIVATE_KEY_JWT`, `CLIENT_SECRET_JWT`, or `null` if the application is not configured to use `PRIVATE_KEY_JWT` or `CLIENT_SECRET_JWT`. In PingOne, the resource's attribute mapping endpoint supports these expressions as request body parameters. For example, you can create a resource attribute on a custom resource using the [Create Resource Attribute](../../platform/resources/resource-attributes/create-resource-attribute.html) endpoint: `POST {{apiPath}}/v1/environments/{{envID}}/resources/{{resourceID}}/attributes`. This POST requires a `name`/`value` pair, and in the sample request body below, the `value` specifies a `custom1` property, which is a claim from the source authentication JWT (`client_assertion`). ```json { "name": "clientAssertion_custom", "value": "${#root.context.requestData.clientAssertion.custom1}" } ``` The claim represented by `custom1` from the authentication JWT will be mapped to the PingOne JWT returned by the PingOne token request. If the `custom1` claim in the JWT represents a nested JSON object, you can write your expression as `#root.context.requestData.clientAssertion.custom1.x` or `#root.context.requestData.clientAssertion.custom1['x']` to access a nested property named `x` from the sample JWT below: ```json { "iss": "{{issID}}", "sub": "{{subID}}", "aud": "https://auth.pingone.com/{{envID}}/as/token", "jti": "a_0eDHMN...", "exp": 1736268635, "iat": 1736268335, "custom1": { "x": "xerox", "y": "yankee" } } ``` ## Additional examples Suppose you have a source authentication JWT with the following headers and claims: ```json { "alg": "RS512", "kid": "2DqNmmIHeJq-YrcR7K8Pjwi4KAI" }.{ "iss": "2cdb6843-338d-44f7-b8b9-90ffa28c555d", "sub": "2cdb6843-338d-44f7-b8b9-90ffa28c555d", "aud": "https://auth.pingone.com/{{envID}}/as/token", "jti": "vm7kRZz_AM3bHAVRdrKlMA", "exp": 1734550892, "iat": 1734550592 } ``` ### Include JWT claims If you create a resource attribute mapping POST request using the `#root.context.requestData.clientAssertion` expression in the `value` property, the PingOne token endpoint will include the source JWT claims in the response: ```json { "alg": "RS256", "kid": "default" }.{ "client_id": "2cdb6843-338d-44f7-b8b9-90ffa28c555d", "iss": "https://auth.pingone.com/6991589d-87eb-47f4-9131-284cebe106b3/as", "jti": "0e428c3e-592b-4ec3-9684-505573e7a2d0", "iat": 1734550592, "exp": 1734554192, "aud": [ "abc itu" ], "scope": "openid myOidc example", "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2", "sid": "e506bd43-830d-46b3-8487-b80fd1dd7df9", "context_requestData_clientAssertion_customResource": { "clientAssertion": { "iss": "2cdb6843-338d-44f7-b8b9-90ffa28c555d", "sub": "2cdb6843-338d-44f7-b8b9-90ffa28c555d", "aud": "https://auth.pingone.com/{{envID}}/as/token", "jti": "vm7kRZz_AM3bHAVRdrKlMA", "exp": 1734550892, "iat": 1734550592 } }, "env": "{{envID}}", "org": "{{orgID}}" } ``` The `context_requestData_clientAssertion_customResource` attribute in the PingOne token includes the claims that the authentication JWT presented at PingOne's token endpoint. ### Include JWT headers and claims If you use the `#root.context.requestData` expression in the `value` property of your attribute mapping, the PingOne token request will include the source JWT's headers and claims in the response: ```json { "alg": "RS256", "kid": "default" }.{ "client_id": "2cdb6843-338d-44f7-b8b9-90ffa28c555d", "iss": "https://auth.pingone.com/6991589d-87eb-47f4-9131-284cebe106b3/as", "jti": "0e428c3e-592b-4ec3-9684-505573e7a2d0", "iat": 1734550592, "exp": 1734554192, "aud": [ "abc itu" ], "scope": "openid myOidc example", "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2", "sid": "e506bd43-830d-46b3-8487-b80fd1dd7df9", "context_requestData_customResource": { "clientAssertionHeader": { "alg": "RS512", "kid": "2DqNmmIHeJq-YrcR7K8Pjwi4KAI" }, "clientAssertion": { "iss": "2cdb6843-338d-44f7-b8b9-90ffa28c555d", "sub": "2cdb6843-338d-44f7-b8b9-90ffa28c555d", "aud": "https://auth.pingone.com/{{envID}}/as/token", "jti": "vm7kRZz_AM3bHAVRdrKlMA", "exp": 1734550892, "iat": 1734550592 } }, "env": "{{envID}}", "org": "{{orgID}}" } ``` The `context_requestData_customResource` attribute in the PingOne token includes the headers and claims that the authentication JWT presented at PingOne's token endpoint.