Custom scopes for requesting OpenID claims
For example, a client can use the profile scope value to request access to these user attributes at the IdP: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale and updated_at.
https://c2id.com/login? response_type=code &scope=openid%20profile &client_id=000123 &state=co7Eigha &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
OpenID Connect defines four such scope values that expand to sets of claims.
|profile||name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at|
|address||address.formatted, address.street_address, address.locality, address.region, address.postal_code, address.country|
You can define your own scope value to OpenID claim expansions in this configuration file:
For example, to let the custom org_details scope value request the claims roles, supervisor, employee_number add the following line to the file:
org_profile = roles, supervisor, employee_number
When setting or overriding a mapping via a Java system property, prefix the
scope value with
op.claims.map., for example:
Prefix your custom scopes and claim names to prevent clashes
It's good practise to put your custom scopes and claims in a name space to prevent collisions with those of other identity providers. The recommended way to do that is with a common prefix:
An URI, such as a URL or URN, e.g.
Pattern similar to the Java package system, e.g.
If the custom scopes and claims are URLs they can potentially be managed by a
simple registry service, which lists their mappings and allows simple queries
to check their validity and description (and return HTTP status
404 if the
scope value or claim name is invalid).
Escaping special characters
The custom claims map is parsed as java.util.Properties. That format recognises the following chars as delimiter between key and value:
If either delimiter is present in the property key, it must be escaped. For example:
https\://myidp.com/scopes/my_custom_scope = https://myidp.com/claims/my_custom_claim1, https://myidp.com/claims/my_custom_claim2, https://myidp.com/claims/my_custom_claim3