How to use in VerifyAccessToken?

In the Generate Access Token policy, I can set custom attributes as below:

<Attributes> <Attribute name="username" ref="request.formparam.username" display="true"/> </Attributes>

And this attribute is seen in the access token response.

In the Verify Access Token policy, there is an <Attributes> tag present. Please suggest what the purpose of this tag is, and how to use this tag. I could not get the details from this link.


This is useful for storing information you want to associate with the token. Maybe you want to use this for analytics, pass the information to back end systems after validation, or use it for some logic within the proxy itself.

Documentation on this is available here: http://docs.apigee.com/api-services/content/customizing-access-tokens

In the OAuthV2/VerifyAccessToken, you would not use the Attributes element.

Instead, VerifyAccessToken retrieves the custom attributes that you had set when you previously called GenerateAccessToken. The attributes are then available at runtime in context variables.

For example, at the time of GenerateAccessToken, you might call out to an external user profile service, to retrieve information about the user, or the client. You could then store that with the token, and that information would be implicitly retrieved every time your proxy subsequently receives that token and calls VerifyAccessToken.

Furshtay?

@RK4 : Usage of custom attribute for verify access token is explained in here really well.

Use this element (attributes) to add custom attributes to an access token or authorization code. For example, you may wish to embed a user ID or session identifier in an access token that can be extracted and checked at runtime.

@RK4 To access the custom attributes that are set in the generate access token policy, there is no need to define those attributes again in the verify access token policy. Once the verify access token policy is executed, we can directly access those attributes as variables with the prefix 'accesstoken.'

For example, if you set the attribute username in generate access token, then we can access username as accesstoken.username once the generated token is verified using the verify access token policy.

And if you don't want the attributes to be displayed in the access token response, then set display="false".

<Attributes> <Attribute name="username" ref="request.formparam.username" display="false"/> </Attributes>
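
The flow the replies describe, put together as an added example (not part of any post above, and not Apigee's own sample): the attribute is set once at token generation, VerifyAccessToken carries no Attributes element, and a later policy reads accesstoken.username. The policy names, the password grant settings and the X-Authenticated-User header are assumptions made for illustration.

```xml
<!-- Added example. Each policy lives in its own file in a real proxy bundle. -->

<!-- 1. Token endpoint: attach the attribute when the token is issued.
     display="false" keeps it out of the token response sent to the client. -->
<OAuthV2 name="OA-GenerateToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>1800000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <UserName>request.formparam.username</UserName>
  <PassWord>request.formparam.password</PassWord>
  <Attributes>
    <!-- request.formparam.username is client-supplied: authenticate the
         user in an earlier step before this policy runs. -->
    <Attribute name="username" ref="request.formparam.username" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- 2. Protected API proxy: no Attributes element here. On success the
     stored attributes are loaded into accesstoken.* flow variables. -->
<OAuthV2 name="OA-VerifyToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- 3. Runs after OA-VerifyToken: forward the stored value to the backend.
     Set replaces any header of the same name sent by the caller, so the
     backend only ever sees the value bound to the verified token. -->
<AssignMessage name="AM-SetUserHeader">
  <Set>
    <Headers>
      <Header name="X-Authenticated-User">{accesstoken.username}</Header>
    </Headers>
  </Set>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- 4. Step order in the proxy's request PreFlow. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>OA-VerifyToken</Name></Step>
    <Step><Name>AM-SetUserHeader</Name></Step>
  </Request>
</PreFlow>
```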