Scopes and Claims

The notions of Scopes and Claims are at the heart of OpenID Connect and OAuth2. A Scope is a way for the OIDC Client to indicate to the OIDC Provider what dataset it requests access to. A dataset consists of attributes about the user and/or the authentication event. Members of such a dataset are referred to as Claims. A Scope in OIDC can therefore be thought of as a shorthand for a larger pre-defined bundle of Claims. An OIDC Client may also request individual Claims, or any set of Claims, for fine-grained access.

Note that the set of Claims returned to an OIDC Client in a response from the OIDC Provider may differ from the set of Claims that were requested. First because an OIDC Client may not be entitled to the full set of claims that are supported by the OIDC Provider. Secondly, because the end-user is always in control via consent handling.  

The content of the ID Token that is returned in response to a successful autentication is governed by a basic set of scopes and claims.  Scopes and claims beyond this basic set are used to request Access Tokens of the right kind for subsequent access to various Value-Added Services (VASs)

Standard

The following table summarizes how the OIDC Provider from BankID supports standard scopes and claims as defined in the OpenID Connect 1.0  standard. 

Scope Description Associated claims
openid According to standard See ID Token
profile According to standard with exception for some claims

See ID Token  and default Access Token

address Acording to standard with some additional non-standard claims See default Access Token 
phone Acording to standard with some additional non-standard claims See default Access Token 
email According to standard See default Access Token 

Non-standard

Non-standard scopes and/or claims supported by the OpenID Connect Provider from BankID is further described as follows:.

  • Description of additional scopes and claims in ID Token, among them Norwegian National Identity Number.
  • Description of specific scopes and claims for each supported Value-added Service (VAS)