Overview of Scopes and Claims

Scopes

A scope specifies which access privileges are being requested and, as a consequence, which claims are included in the issued JWT. The following is the exhaustive list of scopes supported by the Axioms platform:

| Name | Description | Requires user context |
| --- | --- | --- |
| openid | Required scope for all OpenID authorization requests. | Yes |
| email | Token claims should include the end user's email address and whether it was verified. Adds the following claims to the token: email, email_verified | Yes |
| phone | Token claims should include the end user's phone number and whether it was verified. Adds the following claims to the token: phone_number, phone_number_verified | Yes |
| profile | Token claims should include profile details of the end user. If available, includes one or more of the following claims: name, family_name, given_name, middle_name, nickname, preferred_username, picture, website, gender, birthdate, zoneinfo, locale, updated_at | Yes |
| address | Token claims should include address details of the end user. | Yes |
| offline_access | Token response should include a refresh token. | No |
| roles | Token claims should include a list of roles assigned to the end user. | No |
| orgs | Token claims should include a list of organizations assigned to the end user. | No |

Using Scope Parameter

When requesting authorization, a client application uses the scope parameter to pass a single string containing space-separated scope names (once URL-encoded in the query string, the spaces appear as + or %20). The openid scope must always be present.

Some common scope combinations:

scope=openid profile email phone
scope=openid profile email roles
scope=openid profile email roles orgs
scope=openid profile email roles offline_access
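The following is an added example (not Axioms' own code) that builds an authorization request URL with a validated scope parameter: it rejects scope names that are not in the table above, requires openid, drops duplicates, and lets you parse the scope list back out of a URL for logging. The authorization endpoint, client_id and redirect_uri are constructed placeholders.

```python
"""Build an OpenID Connect authorization request with a validated scope parameter.

Added example, not Axioms' own code. Endpoint URL, client_id and redirect_uri
below are constructed placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Scope names from the table above. The value records whether the table says
# the scope requires user context (informational here; not enforced).
SUPPORTED_SCOPES = {
    "openid": True,
    "email": True,
    "phone": True,
    "profile": True,
    "address": True,
    "offline_access": False,
    "roles": False,
    "orgs": False,
}


def build_scope(scopes):
    """Return the space-separated scope string, enforcing the page's rules:
    only supported scopes, openid always present, duplicates dropped."""
    ordered = []
    for name in scopes:
        if name not in SUPPORTED_SCOPES:
            raise ValueError(f"unsupported scope: {name}")
        if name not in ordered:
            ordered.append(name)
    if "openid" not in ordered:
        raise ValueError("openid is required for all OpenID authorization requests")
    return " ".join(ordered)


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scopes, state, nonce):
    """Assemble the authorization-code request. urlencode() encodes the
    spaces in the scope string as '+', which the server decodes back."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": build_scope(scopes),
        "state": state,   # later echoed back; s_hash in the ID token covers it
        "nonce": nonce,   # later bound to the ID token's nonce claim
    }
    return authorize_endpoint + "?" + urlencode(params)


def requested_scopes(url):
    """Parse the scope parameter back out of an authorization URL."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


if __name__ == "__main__":
    # Constructed placeholder values.
    url = build_authorize_url(
        "https://issuer.example/oauth2/authorize",
        "client-abc",
        "https://app.example/callback",
        ["openid", "profile", "email", "roles", "offline_access"],
        state="st-1",
        nonce="n-1",
    )
    print(url)
    print(requested_scopes(url))
```

Note that build_scope() only enforces the syntactic rules from this page; which scopes a given client is allowed to request is decided by the authorization server when it processes the request.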

Claims

Claims are specific attributes about a user, or about the JWT token and its context.

Claims about JWT token

| Claim | Description | Include by default | ID Token | Access Token |
| --- | --- | --- | --- | --- |
| iss | Issuer: identifies the principal that issued the JWT | | | |
| sub | Subject: identifies the principal that is the subject of the JWT | | | |
| aud | Audience: identifies the recipients that the JWT is intended for. It can be a single recipient or an array of recipients. | | | |
| exp | Expiration Time: identifies the time on or after which the JWT MUST NOT be accepted for processing | | | |
| nbf | Not Before: identifies the time before which the JWT MUST NOT be accepted for processing | | | |
| iat | Issued At: identifies the time at which the JWT was issued | | | |
| jti | JWT ID: a unique identifier for the JWT | | | |
| auth_time | Time at which the end-user authentication occurred | | | |
| amr | Authentication Methods References, i.e. the authentication factor(s) used to authenticate the user. One or more values from this list: pwd, otp, mfa, swk, face, fpt, kba | | | |
| azp | Authorized party: the party to which the token was issued | | | |
| client_id | Client ID of the client to which the token was issued | | | |
| scope | Scopes granted from the authorization request. Included if not null. | | | |
| {iss}/claims/roles | Roles assigned to the end user. Included if roles is in the scope or claims parameter of the authorization request | | | |
| {iss}/claims/orgs | Organizations assigned to the end user. Included if orgs is in the scope or claims parameter of the authorization request | | | |
| at_hash | Hash of the access token sent along with the ID token by the authorization server to the client | | | |
| c_hash | Hash of the authorization code sent by the authorization server to the client | | | |
| s_hash | Hash of the state parameter sent by the client in the authorization request | | | |
| nonce | Used to associate a client authorization request with an ID Token | | | |
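The table above describes what each claim means but not how a resource server should check them. The following added example (not Axioms' own code) validates a decoded claim set: issuer, audience (string or array), the exp/nbf/iat time window with clock-skew leeway, required scopes from the scope claim, acceptable amr values, and extraction of the namespaced {iss}/claims/roles and {iss}/claims/orgs claims. It assumes the token's signature has already been verified; the issuer, audience and sample claim set are constructed placeholders.

```python
"""Validate the claim set of an already signature-verified JWT.

Added example, not Axioms' own code. ISSUER, AUDIENCE and SAMPLE_CLAIMS are
constructed placeholders; signature verification is assumed to have happened
before these checks run.
"""
import time


class ClaimError(Exception):
    """Raised when a claim set must not be accepted."""


def validate_claims(claims, issuer, audience, now=None, leeway=60,
                    required_scopes=(), require_amr=()):
    """Check the registered claims from the table and return the identity
    information a resource server typically needs.

    leeway: seconds of clock skew tolerated on exp, nbf and iat.
    required_scopes: every listed scope must appear in the scope claim.
    require_amr: at least one listed amr value must be present (if given).
    """
    now = time.time() if now is None else now

    if claims.get("iss") != issuer:
        raise ClaimError("iss does not match the expected issuer")

    # aud may be a single recipient or an array of recipients.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise ClaimError("aud does not include this recipient")

    for key in ("sub", "exp", "iat"):
        if key not in claims:
            raise ClaimError(f"missing required claim: {key}")

    # exp: MUST NOT be accepted on or after this time (plus leeway).
    if now >= claims["exp"] + leeway:
        raise ClaimError("token has expired")
    # nbf: MUST NOT be accepted before this time (minus leeway).
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ClaimError("token is not yet valid")
    # iat: a token issued in the future is a clock or forgery problem.
    if claims["iat"] > now + leeway:
        raise ClaimError("iat is in the future")

    # scope is a space-separated string and is only included if not null.
    granted = set(claims.get("scope", "").split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        raise ClaimError("missing scopes: " + " ".join(missing))

    # amr lists the factors used (pwd, otp, mfa, ...); require one of ours.
    if require_amr and not set(claims.get("amr", [])) & set(require_amr):
        raise ClaimError("authentication method not acceptable")

    # Roles and orgs live under issuer-namespaced claim names.
    return {
        "sub": claims["sub"],
        "scope": sorted(granted),
        "roles": list(claims.get(f"{issuer}/claims/roles", [])),
        "orgs": list(claims.get(f"{issuer}/claims/orgs", [])),
    }


def claim_problem(claims, *args, **kwargs):
    """Return None if the claims are acceptable, else the reason string."""
    try:
        validate_claims(claims, *args, **kwargs)
        return None
    except ClaimError as err:
        return str(err)


# Constructed sample: an access-token claim set as the table describes it.
ISSUER = "https://issuer.example"
AUDIENCE = "https://api.example"
T0 = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "user-123",
    "aud": [AUDIENCE, "https://other-api.example"],
    "exp": T0 + 3600,
    "nbf": T0,
    "iat": T0,
    "jti": "tok-0001",
    "auth_time": T0,
    "amr": ["pwd", "otp"],
    "azp": "client-abc",
    "client_id": "client-abc",
    "scope": "openid profile email roles",
    f"{ISSUER}/claims/roles": ["admin"],
    f"{ISSUER}/claims/orgs": ["acme"],
}

if __name__ == "__main__":
    print(validate_claims(SAMPLE_CLAIMS, ISSUER, AUDIENCE, now=T0 + 100))
    print(claim_problem(SAMPLE_CLAIMS, ISSUER, AUDIENCE, now=T0 + 7200))
```

The leeway is applied in the direction that makes the check more permissive on each side; keep it small (tens of seconds), since every second of leeway extends the window in which a replayed expired token is still accepted.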

Claims about user

| Claim | Description |
| --- | --- |
| name | Full name |
| given_name | Given name(s) or first name(s) |
| family_name | Surname(s) or last name(s) |
| middle_name | Middle name(s) |
| nickname | Casual name |
| preferred_username | Shorthand name by which the End-User wishes to be referred to |
| profile | Profile page URL (see note 1) |
| picture | Profile picture URL |
| website | Web page or blog URL |
| email | Preferred e-mail address |
| email_verified | True if the e-mail address has been verified; otherwise false |
| gender | Gender |
| birthdate | Birthday |
| zoneinfo | Time zone |
| locale | Locale |
| phone_number | Preferred telephone number |
| phone_number_verified | True if the phone number has been verified; otherwise false |
| address | Preferred postal address |
| updated_at | Time the information was last updated |

  1. Currently, the profile URL is not supported by the Axioms user profile, so this claim is not populated.