Scopes and Claims
The notions of Scopes and Claims are at the heart of OpenID Connect and OAuth2. A Scope is a way for the OIDC Client to indicate to the OIDC Provider what service it requests access to, or in technical terms which resources at pertinent Resource Servers. The response from a Resource Server consists of datasets with attributes on the user and/or the authentication event. Members of such a dataset are referred to as Claims. A Scope in OIDC can therefore be thought of as a shorthand for a larger pre-defined bundle of Claims. An OIDC Client may also request individual Claims, or any set of Claims, for fine-grained access.
The set of Claims returned to an OIDC Client in a response from the OIDC Provider may differ from the set of Claims that were requested. First because an OIDC Client may not be eligible to the full set of claims that are supported by the OIDC Provider. Secondly, because the end-user is always in control via consent handling.
The content of the ID Token that is returned in response to a successful autentication (or session refresh) is governed by the standard scopes openid
and profile
. These scopes are available to any OIDC Client. Some additional content is governed by custom scopes defined by the OIDC Provider from BankID, among them the Norwegian National Identity Number (NNIN) that can be made available to eligible OIDC Clients. See the description of ID Tokens for further information.
Scopes and claims beyond those asociated with ID Tokens are used to request Access Tokens (with corresponding Refresh Tokens) of the right kind for subsequent access to various resources at supported Resource Servers. See the description of specific scopes and claims for each supported Value-added Service (VAS). The TINFO service is of particular importance since it implements the standard scopes address
, phone
and email
as defined by the OpenID Connect specification itself.
The scope named offline_acces
is a standard scope with implication on session handling. See also the description on Refresh Token for further information on the effect of this particular scope.