
WSO2 Changelog

  • 21 Nov, 2024

Alternate user attributes handling method for Access Token attributes

We have introduced an improvement to the handling of JWT access token attributes.

With this enhancement, the "Access Token" section of new applications provides an option to explicitly select the attributes to be included in the token. As a result, user attributes configured in the "User Attributes" section will no longer be automatically added as access token attributes.

Existing applications will be marked as outdated because the access tokens they issue still include the configured user attributes. To apply the new functionality to these applications, use the outdated application warning banner to update them. After the update, the previously configured user attributes will be automatically added as access token attributes by default, ensuring the application's existing functionality remains intact. You can manage the added access token attributes by adding or removing them in the "Access Token Attributes" section.

The access token attributes included in the token are no longer bound to scopes. Previously, only the user attributes associated with a scope were added to the token. Now, regardless of the scopes requested, all selected user attributes will be included in the token.

By letting you explicitly select access token attributes, this feature minimizes the exposure of sensitive user information (PII) when sharing access tokens with resource servers and reduces token size for improved performance.

Please note that the behavior of the ID token will remain the same.
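The following is an added example, not WSO2 code: a small audit that decodes a JWT access token and compares its attribute claims with the list selected for the application, which is useful after updating an outdated application because selected attributes now appear regardless of the requested scopes. The sample token, the claim names and the selected attribute list are constructed, and the protocol claim set is taken from RFC 7519 and RFC 9068.

```python
import base64
import json

# Registered claims from RFC 7519 and the JWT access token profile (RFC 9068).
# Assumption: any claim outside this set is a user attribute or product-specific.
PROTOCOL_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti",
                   "scope", "client_id", "auth_time", "acr", "amr"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def audit_access_token(token: str, selected_attributes: set) -> dict:
    """Compare the attribute claims in a token with the explicitly selected list."""
    claims = set(decode_payload(token))
    attribute_claims = claims - PROTOCOL_CLAIMS
    return {
        # Present in the token but never selected: possible PII over-exposure.
        "unexpected": sorted(attribute_claims - selected_attributes),
        # Selected but absent: the user may simply have no value for it.
        "missing": sorted(selected_attributes - attribute_claims),
    }


def _make_sample_token(payload: dict) -> str:
    # Constructed sample token with a placeholder signature, so this runs offline.
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'at+jwt'})}.{enc(payload)}.sig"


# Constructed payload: only the "openid" scope, yet attribute claims are present.
SAMPLE_TOKEN = _make_sample_token({
    "iss": "https://idp.example.com/oauth2/token", "sub": "user-123",
    "aud": "sample-client", "exp": 1732200000, "iat": 1732196400,
    "scope": "openid", "email": "alice@example.com", "phone_number": "+10000000000",
})

if __name__ == "__main__":
    print(audit_access_token(SAMPLE_TOKEN, {"email", "groups"}))
```

The audit only inspects claims; a resource server must still validate the token's signature and expiry before trusting it.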

Documentation: