Overview of Scopes and Claims
Scopes
A scope specifies which access privileges are being requested for inclusion as claims in the JWT. The following is the exhaustive list of scopes supported by the Axioms platform:
Name | Description | Requires user context |
---|---|---|
openid | Required scope for all OpenID authorization requests. | Yes |
email | Token claims should include the end user's email address and whether that address was verified. This adds the following claims to the token: email , email_verified | Yes |
phone | Token claims should include the end user's phone number and whether that number was verified. This adds the following claims to the token: phone_number , phone_number_verified | Yes |
profile | Token claims should include profile details of the end user. If available, includes one or more of the following claims: name , family_name , given_name , middle_name , nickname , preferred_username , picture , website , gender , birthdate , zoneinfo , locale , updated_at . | Yes |
address | Token claims should include address details of the end user. | Yes |
offline_access | Token response should include a refresh token. | No |
roles | Token claims should include a list of roles assigned to the end user. | No |
orgs | Token claims should include a list of organizations assigned to the end user. | No |
Using Scope Parameter
When requesting authorization, a client application should use the scope parameter, whose value is a string of space-separated scopes.
Some common scope combinations:
scope=openid profile email phone
scope=openid profile email roles
scope=openid profile email roles orgs
scope=openid profile email roles offline_access
Claims
Claims are specific attributes about a user, or about the JWT token and its context.
Claims about JWT token
Claim | Description | Include by default | ID Token | Access Token |
---|---|---|---|---|
iss | Issuer - claim identifies the principal that issued the JWT token | ✅ | ✅ | ✅ |
sub | Subject - claim identifies the principal that is the subject of the JWT | ✅ | ✅ | ✅ |
aud | Audience - claim identifies the recipients that the JWT is intended for. It can be a single recipient or an array of recipients. | ✅ | ✅ | ✅ |
exp | Expiration Time - claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing | ✅ | ✅ | ✅ |
nbf | Not Before - claim identifies the time before which the JWT MUST NOT be accepted for processing | ✅ | ✅ | ✅ |
iat | Issued At - claim identifies the time at which the JWT was issued | ✅ | ✅ | ✅ |
jti | JWT ID - claim provides a unique identifier for the JWT token | ✅ | ✅ | ✅ |
auth_time | Time when the End-User authentication occurred. | ✅ | ✅ | ✅ |
amr | Authentication methods references, i.e. the authentication factor(s) used to authenticate the user. It can be one or more values from this list: pwd , otp , mfa , swk , face , fpt , kba | ✅ | ✅ | ✅ |
azp | Authorized party - the party to which the token was issued | ✅ | ✅ | ❌ |
client_id | Client id of the client to which the token was issued | ✅ | ✅ | ✅ |
scope | Scopes requested in authorization request. Included if not null. | ❌ | ✅ | ✅ |
{iss}/claims/roles | Roles assigned to the end user. Included if roles is in the scope or claims parameter of the authorization request | ❌ | ✅ | ✅ |
{iss}/claims/orgs | Organizations assigned to the end user. Included if orgs is in the scope or claims parameter of the authorization request | ❌ | ✅ | ✅ |
at_hash | Hash of the access token sent along with the ID token by the authorization server to the client | ❌ | ✅ | ❌ |
c_hash | Hash of authorization code sent by authorization server to client | ❌ | ✅ | ❌ |
s_hash | Hash of state variable sent by client in authorization request | ❌ | ✅ | ❌ |
nonce | Used to associate a client authorization request with an ID Token | ❌ | ✅ | ❌ |
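The following is an added example, not code from the Axioms documentation, showing how a resource server would check the token claims listed above after a JWT library has verified the signature: issuer, audience (string or array), time window, and the roles that arrive under the issuer-namespaced {iss}/claims/roles key rather than a bare roles claim. The issuer URL, audience and payload values are constructed for illustration.

```python
class ClaimError(ValueError):
    """Raised when a token claim fails validation."""

# Hypothetical issuer URL; a real Axioms issuer value comes from your tenant settings.
SAMPLE_ISS = "https://tenant.example.com"

# Constructed sample: the decoded payload of an access token whose signature has
# already been verified by a JWT library. Claim names follow the table above.
SAMPLE_PAYLOAD = {
    "iss": SAMPLE_ISS,
    "sub": "user-123",
    "aud": ["https://api.example.com", "https://other.example.com"],
    "exp": 1_700_003_600,
    "nbf": 1_700_000_000,
    "iat": 1_700_000_000,
    "jti": "token-id-1",
    "client_id": "client-xyz",
    "scope": "openid profile email roles",
    "amr": ["pwd", "otp"],
    f"{SAMPLE_ISS}/claims/roles": ["admin", "editor"],
}

def validate_token_claims(payload, expected_iss, expected_aud, now, leeway=30):
    """Validate iss, aud, exp and nbf, then return sub, amr and the roles found
    under the namespaced {iss}/claims/roles claim (empty if roles was not in scope)."""
    if payload.get("iss") != expected_iss:
        raise ClaimError("unexpected issuer")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if expected_aud not in audiences:
        raise ClaimError("token not intended for this audience")
    for claim in ("exp", "nbf", "iat"):
        if not isinstance(payload.get(claim), int):
            raise ClaimError(f"missing or non-numeric claim: {claim}")
    if now >= payload["exp"] + leeway:
        raise ClaimError("token expired")
    if now < payload["nbf"] - leeway:
        raise ClaimError("token not yet valid")
    # Roles live under a claim keyed by the issuer URL, not under a bare "roles" key.
    roles = payload.get(f"{expected_iss}/claims/roles", [])
    return {"sub": payload["sub"], "amr": list(payload.get("amr", [])), "roles": list(roles)}

def has_role(payload, expected_iss, expected_aud, now, role):
    """True only if the token validates and its namespaced roles claim contains role."""
    return role in validate_token_claims(payload, expected_iss, expected_aud, now)["roles"]
```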
Claims about user
Claim | Description |
---|---|
name | Full name |
given_name | Given name(s) or first name(s) |
family_name | Surname(s) or last name(s) |
middle_name | Middle name(s) |
nickname | Casual name |
preferred_username | Shorthand name by which the End-User wishes to be referred to |
profile | Profile page URL [1] |
picture | Profile picture URL |
website | Web page or blog URL |
email | Preferred e-mail address |
email_verified | True if the e-mail address has been verified; otherwise false |
gender | Gender |
birthdate | Birthday |
zoneinfo | Time zone |
locale | Locale |
phone_number | Preferred telephone number |
phone_number_verified | True if the phone number has been verified; otherwise false |
address | Preferred postal address |
updated_at | Time the information was last updated |
[1] Currently the profile URL is not supported by the Axioms user profile.