The notions of Scopes and Claims are at the heart of the OpenID Connect and OAuth2 standards. A Scope is a way for the OIDC Client to indicate to the OIDC Provider what kind of dataset (resources) it requests access to. The kinds of things that are accessible in OIDC are attributes about the user and/or the authentication event. A Scope in OIDC can be thought of as a bundle of Claims, where Claims are specific attributes about the user and/or the authentication event. OIDC Client may also request individual Claims, or any set of Claims, for fine-grained access. Scopes can be regarded as the shorthand for larger pre-defined set of Claims. Note that the set of Claims returned to an OIDC Client in a response from the OIDC Provider may differ from the set of Claims that were requested. The end-user is always in control via consent handling.
A basic set of scopes and claims is associated with the content of the ID Token that is returned in response to a successful autentication. Scopes and claims beyond this basic set are supported via Supplementary Services along with associated Access Tokens.
The following table summarizes supported scopes concerning authentication (ID Token) and associated profile data (Userinfo):
Scope | Description | Associated claims | Comment |
---|---|---|---|
openid | According to standard | See ID Token | |
profile | According to standard with exception for some claims | See ID Token See Userinfo | |
address | Acording to standard with some additional non-standard claims | See Userinfo | |
phone | Acording to standard with some additional non-standard claims | See Userinfo | |
email | According to standard | See Userinfo | |
nnin | Non-standard scope indicating Norwegian National Identity Number | See Userinfo | |
standard_bankid | ??? |
Supported for other scopes and claims
The PSD2 service provides support for a set of non-standard scopes and claims that are associated with various use-cases under PSD2, including both PISP-scenarios and AISP-scenarios.