OpenID Connect Scopes

OpenID Connect Scopes

This document discusses scopes included within the OpenID Connect (OIDC) authentication protocol. For more info about OIDC itself, read OpenID Connect Protocol.

OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request depend on which user attributes the application needs. Once the user authorizes the requested scopes, the claims are returned in an ID Token and are also available through the /userinfo endpoint.

Example Usage

For example, let's say you have built a regular web application, registered it with Login 3.0, and have configured it to allow a user to log in using a username and password. Once a user logs in to your app, you want to auto-generate and send a personalized welcome email, including the user's name.

  1. A user clicks Login within your app.

  2. Your app redirects the user to the Login 3.0 Authorization Server (/authorize endpoint), including the following scopes:

    • openid (required; to indicate that the application intends to use OIDC to verify the user's identity)

    • profile (so you can personalize the email with the user's name)

    • email (so you know where to send the welcome email)

  3. Your Login 3.0 Authorization Server redirects the user to the login prompt.

  4. The user authenticates and sees a consent page listing the scopes Login 3.0 will give to your app, which include access to their profile information and email address.

  5. The user accepts and authorizes your app to have this level of access to their information stored by Login 3.0.

  6. Your app now has access to the user's profile information and email address.

Standard Claims

Standard claims are intended to provide an application with user details, such as name, email, and picture, and are pre-defined for the OIDC protocol. These claims are returned in an ID Token and are also available through the /userinfo endpoint.

You can also create custom claims, which are claims that you define, control, and add to a token using Login 3.0 Actions. To learn more, read JSON Web Token Claims.

The basic (and required) scope for OIDC is openid, which indicates that an application intends to use the OIDC protocol to verify a user's identity. Beyond that, an application can ask for additional scopes by listing the requested scope names in the scope parameter, separated by spaces.

PreviousAPI ScopesNextSample Use Cases: Scopes and Claims

Last updated

Was this helpful?