Claims Sources are consulted after the Token Endpoint has verified the information in the Token Grant to be true and is proceeding with the creation of a new token. All information the Token Endpoint was given, minus passwords, will be passed to the Claims Source. , which will typically be username and password, client_id and client_secret or the refresh token, which holds the username and client_id from the original password grant. The TAG will pass this information to the Claim Source:
grant_type: will be password if a password grant is in progress or refresh if a refresh grant is in progress
username: the username as presented in a password grant or taken from the refresh token if a refresh grant is in progress
client_id (optional): the id of the client if presented in the password grant or taken from the refresh token if a refresh grant is in progress
The Claim Source can use this information to decide what claims (key/value pairs) it would like to offer for inclusion in the final JWT. Though a Claim Source offers claims for potential inclusion in the JWT, it is the OAuth 2.0 Security Profile that makes the final decision what is actually included in the final JWT.