...
- The OIDC Client must request the scope associated with the claim
- The claim must be configured for the OIDC Client at the OIDC Provider
- The end-user must give his consent if the claim demands consent handling
Due to (2) and (3), note that the set of returned claims may differ from the set of requested claims (1). The set of allowed claim for any particular transaction is resolved by Introspection.
Five different scope configurations are supported as suggested by the below table, corresponding to the standard scopes profile, email, phone and address and the non-standard scope nnin. Note that some of the claims associated with the profile scope are returned with the ID Token whereas others are returned via Userinfo. Among all supported claims, note that nnin is available only to eligible OIDC Clients. The end-user is always in control of the set of claims that is actually returned since most claims demand consent from the end-user.
...