The notions of Scopes and Claims are at the heart of the OpenID Connect and OAuth2 standards. A Scope is a way for the OIDC Client to indicate to the OIDC Provider what kind of dataset (resources) it requests access to. A dataset consists of attributes about the user and/or the authentication event. Members of such a dataset are referred to as Claims. A Scope in OIDC can therefore be thought of as a shorthand for a larger pre-defined bundle of Claims. An OIDC Client may also request individual Claims, or any set of Claims, for fine-grained access. Note that the set of Claims returned to an OIDC Client in a response from the OIDC Provider may differ from the set of Claims that were requested. The end-user is always in control via consent handling.
The content of the ID Token that is returned in response to a successful autentication is governed by a basic set of scopes and claims. Scopes and claims beyond this basic set are used to request Access Tokens of the right kind for subsequent access to various Supplementary Services.
The following table summarizes supported scopes concerning authentication (ID Token) and associated profile data (Userinfo).
| Scope | Description | Associated claims | Comment |
|---|---|---|---|
openid | According to standard | See ID Token | |
profile | According to standard with exception for some claims | See ID Token See Userinfo | |
address | Acording to standard with some additional non-standard claims | See Userinfo | |
phone | Acording to standard with some additional non-standard claims | See Userinfo | |
email | According to standard | See Userinfo | |
nnin | Non-standard scope indicating Norwegian National Identity Number | See Userinfo | |
standard_bankid | ??? |
The PSD2 service provides support for a set of non-standard scopes and claims that are associated with various use-cases under PSD2, including both PISP-scenarios and AISP-scenarios.