Skip to content

Fix: Add crucial requirement for custom attributes in OIDC scope for access token inclusion (Product IS issue #27542) #6058

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pavinduLakshan merged 3 commits into from
Apr 11, 2026
Merged

Fix: Add crucial requirement for custom attributes in OIDC scope for access token inclusion (Product IS issue #27542) #6058

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a4d2287
Fix: Add crucial requirement for custom attributes in OIDC scope for …
Apr 10, 2026
e26e462
Apply suggestions from code review
pavinduLakshan Apr 10, 2026
5c50f4a
Fix broken link
pavinduLakshan Apr 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions en/includes/guides/fragments/manage-app/oidc-settings/access-token.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,13 +55,20 @@
{% endif %}

{% if product_name == "Asgardeo" or (product_name == "WSO2 Identity Server" and is_version != "7.0.0") %}
#### Access Token Attributes

Check failure on line 58 in en/includes/guides/fragments/manage-app/oidc-settings/access-token.md

View workflow job for this annotation

GitHub Actions / lint

Headings should be surrounded by blank lines 

en/includes/guides/fragments/manage-app/oidc-settings/access-token.md:58 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Above] [Context: "#### Access Token Attributes"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md022.md

For **JWT** access tokens, this feature enables you to specify which user attributes are included in the access token. As a result, when a user logs in to an application, only the chosen attributes are shared, providing enhanced security and flexibility.

!!! note

Check failure on line 62 in en/includes/guides/fragments/manage-app/oidc-settings/access-token.md

View workflow job for this annotation

GitHub Actions / lint

Trailing spaces 

en/includes/guides/fragments/manage-app/oidc-settings/access-token.md:62:9 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md009.md
All configured user attributes are included in the access token, regardless of the requested scopes.

!!! warning
For custom attributes to appear in the access token, you must explicitly add them to an OIDC scope. Without this mapping, custom attributes will not be included in the access token, even if they are configured under **Access Token Attributes**.
For custom attributes to appear in the access token, you must explicitly add them to an OIDC scope. Without this mapping, custom attributes will not be included in the access token, even if they are configured under **Access Token Attributes**.

To map custom attributes to an OIDC scope, configure the scope settings in your application's OIDC configuration and ensure the custom attributes are associated with the appropriate scope.
Comment thread
pavinduLakshan marked this conversation as resolved.
To map custom attributes to an OIDC scope, [configure the custom attributes for the appropriate scopes]({{base_path}}/guides/users/attributes/manage-scopes/#edit-scopes) and ensure that your application's OIDC configuration is updated to request those scopes.

![Access-Token-Attributes]({{base_path}}/assets/img/guides/authorization/access-token/access-token-attributes.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}

{% endif %}
Expand Down Expand Up @@ -130,8 +137,8 @@

- **Revoke token upon user logout** - When enabled, a user logout from a session causes access tokens to be revoked provided the logout request contains either `client_id` or `id_token_hint`. Learn more about [logout requests]({{base_path}}/guides/authentication/oidc/add-logout/).

#### User access token expiry time

Check failure on line 140 in en/includes/guides/fragments/manage-app/oidc-settings/access-token.md

View workflow job for this annotation

GitHub Actions / lint

Headings should be surrounded by blank lines 

en/includes/guides/fragments/manage-app/oidc-settings/access-token.md:140 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "#### User access token expiry time"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md022.md
This option specifies the validity period of an access token issued to a user in seconds. The default expiry time is 3600 seconds.

#### Application access token expiry time

Check failure on line 143 in en/includes/guides/fragments/manage-app/oidc-settings/access-token.md

View workflow job for this annotation

GitHub Actions / lint

Headings should be surrounded by blank lines 

en/includes/guides/fragments/manage-app/oidc-settings/access-token.md:143 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "#### Application access token expiry time"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md022.md
This option specifies the validity period of an access token issued to an application when using the `Client Credentials` grant type in seconds.
Loading