OIDC Token Scopes
What is a scope?
According to RFC6749, scopes allow a client application to specify the scope (effectively a limited use case) of the token. The specification does not define any particular values for scopes since it is something that each infrastructure will need to consider carefully.
Scopes are space-delimited (scope=my_scope1 my_scope2) and are typically included as URL-encoded content during token requests.
What is supported at CERN?
CERN does not currently support any custom scopes. The openid scope is added by default to each token request, which means you will get an Identity Token as well as an Access Token.
- The offline_access scope should be included if you want a long-lived refresh token (e.g. for a persistent connection to a secure application).
- If your OAuth library requires the use of scopes, include the scope
Scopes included as parameters for a secured application will be forwarded to CERN Single-Sign-On by default.
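The sketch below is an added example, not code from CERN or Keycloak: it encodes a space-delimited scope list as form content, then compares the scopes that were requested with what a token response reports as granted. The function names are hypothetical and the sample response is constructed; the token syntax and the rule for an omitted scope field come from RFC 6749 sections 3.3 and 5.1.

```python
import re
from urllib.parse import parse_qs, urlencode

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def encode_scope(scopes):
    """Return the form-encoded scope parameter, e.g. for a token request body."""
    for token in scopes:
        if not SCOPE_TOKEN.fullmatch(token):
            raise ValueError(f"invalid scope token: {token!r}")
    # dict.fromkeys removes duplicates but keeps the caller's order.
    return urlencode({"scope": " ".join(dict.fromkeys(scopes))})


def decode_scope(form_body):
    """Recover the scope list from a form-encoded request body."""
    return parse_qs(form_body).get("scope", [""])[0].split()


def granted_scopes(requested, token_response):
    """RFC 6749 section 5.1: `scope` may be omitted when it equals the request."""
    if "scope" in token_response:
        return token_response["scope"].split()
    return list(requested)


def check_response(requested, token_response):
    """List mismatches between the requested scopes and the token response."""
    granted = granted_scopes(requested, token_response)
    problems = [f"scope not granted: {s}" for s in requested if s not in granted]
    if "offline_access" in granted and "refresh_token" not in token_response:
        problems.append("offline_access granted but no refresh_token returned")
    return problems


if __name__ == "__main__":
    wanted = ["openid", "offline_access"]
    print(encode_scope(wanted))
    # Constructed sample response, not real output from CERN Single-Sign-On.
    sample = {"access_token": "PLACEHOLDER", "scope": "openid"}
    print(check_response(wanted, sample))
```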
More information can be found in the Keycloak Documentation.