Heads up! If you are working with the API Authorization flows and you are looking for the updated documentation, refer to Scopes.

When initiating a client-side authorization transaction through the /authorize endpoint, only an opaque access_token will be returned by default. To also return a JWT that authenticates the user and contains their profile information, the scope parameter can be sent as part of the request.

Example (implicit flow)

The following URL logs a user in using Google and requests a JWT that authenticates the user.

After a successful transaction, the user would be redirected here:

When decoded, this token contains the following claims:

  {
    "iss": "",
    "sub": "google-oauth2|112396309096036300109",
    "aud": "jGMow0KO3WDJELW8XIxolqb1XIitjkYL",
    "exp": 1437560381,
    "iat": 1437510381
  }

Requesting specific claims

The attributes included in the issued token can be controlled with the scope parameter as follows:

  • scope=openid: will only return iss, sub, aud, exp and iat claims.
  • scope=openid email nickname favorite_food: will return claims for openid in addition to the email, nickname and favorite_food fields if they are available.
  • scope=openid profile: will return all the user attributes in the token.

The scope parameter can be used in the same way when calling the Resource Owner endpoint.
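The scope rules above can be checked against a token the application actually receives. The following is an added example, not code from this documentation: it decodes the JWT payload and lists any claims the requested scope did not ask for. The names `decodePayload` and `unexpectedClaims`, the sample token, and its `iss` and `email` values are assumptions made for illustration. The signature is not verified here, so this is an inspection aid and not a substitute for validating the token.

```javascript
// Added example: compare the claims in an ID token with the requested scope.
// Inspection only: the signature is NOT verified by this code.
const BASE_CLAIMS = ["iss", "sub", "aud", "exp", "iat"]; // returned for scope=openid

const b64url = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Constructed sample token with a placeholder signature. sub/aud/exp/iat are the
// values shown on the page; iss and email are made up for this example.
const SAMPLE_CLAIMS = {
  iss: "https://issuer.example/",
  sub: "google-oauth2|112396309096036300109",
  aud: "jGMow0KO3WDJELW8XIxolqb1XIitjkYL",
  exp: 1437560381,
  iat: 1437510381,
  email: "user@example.com",
};
const SAMPLE_TOKEN = [
  b64url(JSON.stringify({ alg: "RS256", typ: "JWT" })),
  b64url(JSON.stringify(SAMPLE_CLAIMS)),
  "constructed-signature",
].join(".");

// Decode the middle (payload) segment of a compact JWT into an object.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Return the claim names in the token that the requested scope did not ask for.
function unexpectedClaims(scope, claims) {
  const requested = scope.trim().split(/\s+/).filter(Boolean);
  // Assumption: without "openid" no JWT was requested, so every claim is unexpected.
  if (!requested.includes("openid")) return Object.keys(claims);
  // "openid profile" returns all user attributes, so nothing is unexpected.
  if (requested.includes("profile")) return [];
  const allowed = new Set([...BASE_CLAIMS, ...requested]);
  return Object.keys(claims).filter((name) => !allowed.has(name));
}

console.log(unexpectedClaims("openid", decodePayload(SAMPLE_TOKEN)));
```

A non-empty result means the token carries more profile data than the client requested, which is worth reviewing because client-side tokens are exposed to the browser.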
