OIDC Token Scopes
What is a scope?
According to RFC 6749, scopes let a client application specify the scope (effectively a limited use case) of the token it is requesting. The specification does not define any particular scope values, since each infrastructure needs to decide them carefully for itself.
Scopes are space delimited (scope=my_scope1 my_scope2) and are typically included as URL-encoded content in token requests.
What is supported at CERN?
CERN does not currently support any custom scopes.
- To receive an ID token, include the scope openid.
- The offline_access scope should be included if you want a long-lived refresh token (e.g. for a persistent connection to a secure application). Shorter-lived refresh tokens are issued by default.
- If your OAuth library requires the use of scopes, include the scope email. This is only to satisfy some OAuth implementations; email will always be returned in a token.
Scopes included as parameters in a request to a secured application are forwarded to CERN Single Sign-On by default, for example:
http://myappserver/mysecuredapp?scope=my_scope
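The two points above (scopes as a space-delimited, URL-encoded parameter, and scope parameters being forwarded to the SSO) are illustrated by the following added example. It is not code from this page or from the CERN SSO service; the authorization endpoint, client id and redirect URI are hypothetical placeholders. It builds an authorization request carrying the openid, offline_access and email scopes, parses the scope list back out of the resulting URL, and shows how an application that forwards scope parameters can check them against the set of scopes the SSO actually supports instead of passing arbitrary values through.

```python
from urllib.parse import urlencode, quote, urlsplit, parse_qs

# Hypothetical endpoint for illustration only; not a real CERN SSO URL.
AUTH_ENDPOINT = "https://sso.example.invalid/realms/example/protocol/openid-connect/auth"

# The scopes this page says the SSO understands; there are no custom scopes.
SUPPORTED_SCOPES = {"openid", "offline_access", "email"}


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Build an OIDC authorization request URL.

    RFC 6749 section 3.3 defines the scope parameter as one string of
    space-delimited values; urlencode() percent-encodes that string, so a
    space becomes %20 (quote_via=quote; the default would use '+').
    """
    if "openid" not in scopes:
        # Without 'openid' the request is plain OAuth 2.0 and no ID token is issued.
        raise ValueError("an ID token requires the 'openid' scope")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # CSRF protection; should be unguessable in real use
    }
    return AUTH_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def parse_requested_scopes(url):
    """Recover the list of scope values from a request URL.

    parse_qs() undoes the percent-encoding, after which the value is split
    on whitespace, the inverse of the join in build_authorization_url().
    """
    query = parse_qs(urlsplit(url).query)
    raw = query.get("scope", [""])[0]
    return raw.split()


def check_scopes(requested):
    """Split requested scopes into (accepted, rejected).

    An application that forwards scope parameters to the SSO can use this to
    forward only scopes it knows are supported and log the rest.
    """
    accepted = [s for s in requested if s in SUPPORTED_SCOPES]
    rejected = [s for s in requested if s not in SUPPORTED_SCOPES]
    return accepted, rejected


if __name__ == "__main__":
    url = build_authorization_url(
        client_id="my-client",                         # hypothetical
        redirect_uri="https://app.example.invalid/cb",  # hypothetical
        scopes=["openid", "offline_access", "email"],
        state="example-state",
    )
    print(url)
    print(parse_requested_scopes(url))
    # A forwarded request carrying an unsupported custom scope:
    print(check_scopes(["openid", "my_scope"]))
```

Running the script prints a URL whose query contains scope=openid%20offline_access%20email, the decoded list of three scopes, and (['openid'], ['my_scope']) for the forwarded request with an unsupported custom scope.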
More information can be found in the Keycloak Documentation.