
WSO2 Changelog

  • 01 Nov, 2024

Application Access Token improvements

We have made the following enhancements to application access tokens.

  • The “sub” claim of application access tokens will be changed to the client ID of the application.
  • The “username” claim will be removed from the introspection response of application access tokens.

The sub claim in application tokens now uses the application's client_id rather than the application owner’s user ID. Previously, the sub claim reflected the application owner’s username. This updated behavior will apply automatically to new OIDC applications. For existing applications, you can update them via the console to adopt this latest functionality.

The introspection response for application access tokens was enhanced by removing the username claim, as this field is not relevant for machine-to-machine communication. The value of the field was previously set to the application owner's user ID. With this update, the username field will no longer be included in the token response. This change will automatically apply to new OIDC applications. Existing applications can be updated via the console to adopt this latest functionality.
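A resource server that reads introspection responses can key application identity on client_id so it behaves the same before and after this change, and can report which applications still return the old claim shape. The following is an added example, not WSO2 code: the function names and sample values are constructed, and it assumes each response comes from a client credentials token and carries the RFC 7662 client_id field.

```python
from typing import Iterable


def resolve_app_principal(resp: dict) -> tuple[str, list[str]]:
    """Return (principal, legacy_findings) for one introspection response
    of an application access token (client credentials grant assumed)."""
    if resp.get("active") is not True:
        raise ValueError("token is not active")
    client_id = resp.get("client_id")
    if not client_id:
        raise ValueError("introspection response has no client_id")

    findings = []
    # Updated behaviour: sub is the application's client_id.
    if resp.get("sub") != client_id:
        findings.append("sub is not the client_id")
    # Updated behaviour: username is absent for application tokens.
    if "username" in resp:
        findings.append("username claim present")

    # Key authorization and audit records on client_id in both cases, so an
    # application's calls are never attributed to the application owner.
    return client_id, findings


def apps_pending_update(responses: Iterable[dict]) -> set[str]:
    """Client IDs whose tokens still show the previous claim shape and
    therefore still need to be updated via the console."""
    pending = set()
    for resp in responses:
        principal, findings = resolve_app_principal(resp)
        if findings:
            pending.add(principal)
    return pending


# Constructed sample responses (not captured from a real deployment).
LEGACY = {"active": True, "client_id": "app-client-123",
          "sub": "owner-user-id", "username": "owner-user-id"}
UPDATED = {"active": True, "client_id": "app-client-456",
           "sub": "app-client-456"}

if __name__ == "__main__":
    for sample in (LEGACY, UPDATED):
        print(resolve_app_principal(sample))
    print(apps_pending_update([LEGACY, UPDATED]))
```

Any authorization rule or audit query that still matches on the owner's identifier in sub or username for machine-to-machine calls should be moved to client_id before the application is updated.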

Documentation: