Skip to content

OIDC Token Scopes

What is a scope?

According to RFC6749, scopes allow a client application to specify the scope (effectively a limited use case) of the token. The specification does not define any particular values for scopes since it is something that each infrastructure will need to consider carefully.

Scopes are space delimited, scope=my_scope1 my_scope2, and are typically included as URL encoded content during token requests.

What is supported at CERN?

CERN does not currently support any custom scopes. The openid scope is added by default to each token request, this means you will get an Identity Token as well as an Access Token.

  • The offline_access scope should be included if you want a long lived refresh token (e.g. for a persistent connection to a secure application).
  • If your OAuth library requires the use of scopes, include the scope email. This is just to satisfy some OAuth implementations, email will always be returned in a token.

Scopes included as parameters for a secured application will be forwarded to CERN Single-Sign-On by default.


More information can be found in the Keycloak Documentation.