Overview#

For OpenID Connect, scope can be used to request that specific sets of information be made available as OpenID Connect Claims Values. This document describes only the scope values used by OpenID Connect.

OpenID Connect allows additional scope values to be defined and used. Scope values used that are not understood by an implementation SHOULD be ignored.

OpenID Connect Claims requested by the following scope are treated by Authorization Servers as Voluntary Claims.

OpenID Connect defines the following OpenID Connect Scope values:

• profile - OPTIONAL This scope value requests access to the End-User's Default Profile Claims.
• email OPTIONAL - This scope value requests access to the email and email_verified Claims.
• address OPTIONAL - This scope value requests access to the address Claim.
• phone OPTIONAL - This scope value requests access to the phone Number and phone_number_verified Claims.

OpenID Connect Standard Claims#

Requesting Claims using the "claims" Authorization Request Parameter[2]#

Properties of the Claims being requested MAY also be specified.

Support for the claims parameter is OPTIONAL. Should an OP not support this parameter and an RP uses it, the OP SHOULD return a set of Claims to the RP that it believes would be useful to the RP and the End-User using whatever heuristics it believes are appropriate. The claims_parameter_supported Discovery result indicates whether the OP supports this parameter.

The claims parameter value is represented in an OAuth 2.0 request as UTF-8 encoded JSON (which ends up being form-urlencoded when passed as an OAuth parameter). When used in a Request Object value, per Section 6.1, the JSON is used as the value of the claims member.

The top-level members of the OpenID Connect Claims request JSON Object are:

• userinfo - OPTIONAL. Requests that the listed individual Claims be returned from the UserInfo Endpoint. If present, the listed Claims are being requested to be added to any OpenID Connect Claims that are being requested using scope values. If not present, the Claims being requested from the userinfo_endpoint are only those requested using scope values.

• id_token - OPTIONAL. Requests that the listed individual OpenID Connect Claims be returned in the id_token. If present, the listed OpenID Connect Claims are being requested to be added to the OpenID Connect Standard Claims in the id_token. If not present, the default id_token Claims are requested, as per the id_token definition in Section 2 OpenID.Core and per the additional per-flow id_token requirements in Sections 3.1.3.6, 3.2.2.10, 3.3.2.11, and 3.3.3.6.OpenID.Core

Other members MAY be present. Any members used that are not understood MUST be ignored.

An example Claims request is as follows:

{
 "userinfo":
  {
   "given_name": {"essential": true},
   "nickname": null,
   "email": {"essential": true},
   "email_verified": {"essential": true},
   "picture": null,
   "http://example.info/claims/groups": null
  },
 "id_token":
  {
   "auth_time": {"essential": true},
   "acr": {"values": ["urn:mace:incommon:iap:silver"] }
  }
}

Note that a Claim that is not in the OpenID Connect Standard Claims defined in Section 5.1, the (example) http://example.info/claims/groups Claim, is being requested. Using the claims parameter is the only way to request Claims outside the OpenID Connect Standard Claims. It is also the only way to request specific combinations of the OpenID Connect Standard Claims that cannot be specified using scope values.

More Information#

• Authentication Context Class Reference
• Default Profile Claims
• Email
• OpenID Connect Scopes
• Profile
• Scopes vs Claims

• [#1] - OpenID Connect Core 1.0 incorporating errata set 1 - based on data observed:2015-05-18
• [#1] - OpenID Connect Core 1.0 incorporating errata set 1 (Section 5.5) - based on data observed:2015-05-18