OpenID Connect scopes and claims¶
In order to issue an ID Token, the authorization request must contain at least the
openid scope. It is possible to control which user claims are included
in the ID token by specifying additional scopes.
The table below summarizes the scopes relevant for OpenID Connect.
|openid||Activates the OpenID functionality and allows to issue ID Token as a part of OAuth 2.0 authorization request.|
|profile||Requests access to the following claims:
|Requests access to the following claims:
|address||Requests access to
|phone||Requests access to the following claims:
The claims are obtained from the Identity Provider via Person API and mapped as listed below:
|claim||Person API source|
|name||profile > name > first + last|
|given_name||profile > name > first|
|family_name||profile > name > last|
|nickname||profile > name > display_name|
|preferred_username||profile > name > display_name|
|gender||profile > gender|
|birthdate||profile > date_of_birth|
|locale||profile > preferred_locale|
|profile > email_addresses > value|
|email_verified||profile > email_addresses > verified|
|phone||profile > phone_numbers > value|
|phone_number_verified||profile > phone_numbers > verified|
|address > street_address||profile > address > street_name + house_number + house_number_addition|
|address > locality||profile > address > city|
|address > region||profile > address > region|
|address > postal_code||profile > address > postal_code|
|address > country||profile > address > country_name|
Custom claims that are defined and returned by Onegini Access are sharing a constant prefix
urn:onegini.com:oidc value that allows to uniquely
identify their source and also prevent from potential clashes/collisions.
Note: This feature requires the usage of the Onegini CIM as identity provider.
Via ACR (Authentication Context Class Reference) you request that a specific authentication context must be met upon successful authentication.
The table below summarizes currently supported values. The available values are also exposed via the Discovery API.
|urn:onegini.com:oidc:authentication_level:1||Requires an authentication level of at least 1 from Onegini CIM.|
|urn:onegini.com:oidc:authentication_level:2||Requires an authentication level of at least 2 from Onegini CIM.|
|urn:onegini.com:oidc:authentication_level:3||Requires an authentication level of at least 3 from Onegini CIM.|
|urn:onegini.com:oidc:authentication_level:4||Requires an authentication level of at least 4 from Onegini CIM.|
To request a specific ACR value include
acr_values parameter when requesting ID Token, e.g.:
Currently, only a single ACR value can be specified at a time. Sending multiple values will result in a
Bad Request error.
Onegini Access may return an ACR with a value that is higher than the authentication level that was requested.
Note: This feature requires the Onegini CIM
The Onegini CIM supports custom attributes for a user. These attributes are included as claims within ID Token.
When DABP integration is enabled, Onegini Access will attempt to resolve user's policies and group memberships and return them in a form of a
urn:onegini.com:oidc:group_policies in the id-token. The claim value is a complex JSON object, please refer to the DABP API
reference to learn more about the object outline.