The notions of Scopes and Claims are at the heart of the OpenID Connect and OAuth2 standards. A Scope is a way for the OIDC Client to indicate to the OIDC Provider what kind of dataset (resources) it requests access to. The kinds of things that are accessible in OIDC are attributes about the user and/or the authentication event. A Scope in OIDC can be thought of as a bundle of Claims, where Claims are specific attributes about the user and/or the authentication event. An OIDC Client may also request individual Claims, or any set of Claims, for fine-grained access. Scopes can be regarded as shorthand for a larger pre-defined set of Claims. Note that the set of Claims returned to an OIDC Client in a response from the OIDC Provider may differ from the set of Claims that were requested. The end-user is always in control via consent handling.
A basic set of scopes and claims relates to the content of the ID Token that is returned in response to a successful authentication. An enlarged set of scopes and claims is supported via Supplementary Services, along with corresponding support in associated Access Tokens.
The following table summarizes supported scopes concerning authentication (ID Token) and subsequent access to additional profile data (Userinfo):
Scope | Description | Claims returned in | Comment |
---|---|---|---|
openid | According to standard | ID Token | |
profile | According to standard with exception for some associated claims | | |
address | According to standard with some additional non-standard claims | Userinfo | |
phone | According to standard with some additional non-standard claims | Userinfo | |
email | According to standard | Userinfo | |
nnin | Non-standard scope indicating Norwegian National Identity Number | Userinfo | |
standard_bankid | ??? | | |
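
The following is an added example, not code from the original page or from the provider: it expands requested scopes into claims, builds an authorization request that mixes scopes with individually requested claims, and compares a Userinfo response against the request, since the returned set may differ. The endpoint and client values are hypothetical, and the use of the standard `claims` request parameter with this provider is an assumption.

```python
import json
from urllib.parse import urlencode

# Scope-to-claim bundles from OpenID Connect Core 1.0, section 5.4; "sub" is
# always returned. The provider described here deviates for some scopes, and
# the claims behind non-standard scopes (nnin) are not listed on the page, so
# unknown scopes expand to nothing.
STANDARD_SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website",
                "gender", "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

def requested_claims(scopes, individual_claims=()):
    """Expand scopes to their claim bundles and add individually requested claims."""
    claims = set(individual_claims)
    for scope in scopes:
        claims |= STANDARD_SCOPE_CLAIMS.get(scope, set())
    return claims

def build_authorization_url(endpoint, client_id, redirect_uri, scopes,
                            individual_claims, state, nonce):
    """Build an authorization code request carrying both scopes and single claims."""
    if "openid" not in scopes:
        raise ValueError("an OIDC request must include the openid scope")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state, "nonce": nonce}
    if individual_claims:
        # Standard "claims" request parameter (OIDC Core 5.5); null = voluntary.
        params["claims"] = json.dumps(
            {"userinfo": {c: None for c in individual_claims}})
    return endpoint + "?" + urlencode(params)

def compare_claims(requested, userinfo):
    """Report requested claims that are absent and returned claims never asked for."""
    returned = set(userinfo)
    return {"missing": sorted(requested - returned),
            "unexpected": sorted(returned - requested)}

if __name__ == "__main__":
    # Constructed Userinfo response: the user did not consent to sharing email.
    sample = {"sub": "constructed-subject", "phone_number": "+4700000000"}
    print(compare_claims(requested_claims(["openid", "email", "phone"]), sample))
```

A client should treat every entry under `missing` as a normal outcome of consent handling and degrade gracefully instead of assuming the claim is present.
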
Additional scopes and claims that are supported specificall the following sercService specific scopes and