This extension point can be used to generate a self-contained access token, that contains all the information which are required to validate the token and the user profile information by itself.
For example, a JWT with a payload as below, can be used as a self contained access token, followed by the signature of the token issuer.
“sub” : “alice”,
“scp” : [ “openid”, “email”, “app:write” ],
“iss” : “http://idp.example.com",
“iat” : 1360050795,
“exp” : 1360053600,
For more information on implementing a self contained access token, as an extension to the WSO2 Identity Server, refer this blog.