Scopes

Heads up! If you are working with the API Authorization flows and you are looking for the updated documentation, refer to Scopes.

When initiating a client-side authorization transaction through the /authorize endpoint, only an opaque access_token is returned by default. To also receive a JWT (the id_token) that authenticates the user and carries their profile information, send the scope parameter as part of the request.

Example (implicit flow)

The following URL logs a user in using Google and requests a JWT that authenticates the user.

https://example.auth0.com/authorize
  ?response_type=token
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=http://jwt.io
  &connection=google-oauth2
  &scope=openid

After a successful transaction, the user would be redirected here:

http://jwt.io/
  #access_token=s213Mvz1QW7XpjoX
  &id_token=eyJ0...
  &token_type=Bearer
  &state=mep7BLYt1lAsLC94

When decoded, the id_token contains the following claims:

{
  "iss": "https://example.auth0.com/",
  "sub": "google-oauth2|112396309096036300109",
  "aud": "jGMow0KO3WDJELW8XIxolqb1XIitjkYL",
  "exp": 1437560381,
  "iat": 1437510381
}

Requesting specific claims

The attributes included in the issued token can be controlled with the scope parameter as follows:

  • scope=openid: will only return iss, sub, aud, exp and iat claims.
  • scope=openid email nickname favorite_food: will return claims for openid in addition to the email, nickname and favorite_food fields if they are available.
  • scope=openid profile: will return all the user attributes in the token.

The scope parameter can be used in the same way when calling the Resource Owner endpoint.
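The following is an added example, not code from the Auth0 docs: it walks the implicit flow described above (build the /authorize URL with a scope, read the fragment appended to the redirect_uri, decode the id_token payload) and then checks the decoded claims against the scope rules from the list above. The tenant, client_id, redirect_uri, sample id_token and the helper names (buildAuthorizeUrl, parseFragment, decodePayload, expectedClaims, validateIdToken, demo) are all assumptions made for this example; the client_id and claim values are the sample values shown earlier on this page. The decode step only inspects the payload; the signature still has to be verified against the tenant's signing key before any claim is trusted, which the example deliberately leaves out.

```javascript
// Added example (not part of the Auth0 docs): implicit-flow request,
// fragment parsing, id_token payload decoding and scope-driven claim checks.
// Tenant, client_id, redirect_uri and the id_token below are constructed
// sample values, not real credentials.

const TENANT = 'https://example.auth0.com/';
const CLIENT_ID = 'jGMow0KO3WDJELW8XIxolqb1XIitjkYL'; // sample aud value from the page
const REDIRECT_URI = 'http://jwt.io';

// Claims the page says scope=openid always yields.
const OPENID_CLAIMS = ['iss', 'sub', 'aud', 'exp', 'iat'];

// Build the /authorize URL for the implicit flow with the requested scope.
function buildAuthorizeUrl(scope, state) {
  const params = new URLSearchParams({
    response_type: 'token',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    connection: 'google-oauth2',
    scope,
    state,
  });
  return `${TENANT}authorize?${params.toString()}`;
}

// Parse "#access_token=...&id_token=...&token_type=Bearer&state=..." into an object.
function parseFragment(redirectedUrl) {
  const hash = new URL(redirectedUrl).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(hash));
}

// Decode the JWT payload WITHOUT verifying the signature. Inspection only:
// the signature must be verified against the tenant's key before any claim
// here is trusted (not implemented in this example).
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact-serialized JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Claims that should be present for a scope string, per the rules on the page.
// 'profile' returns all user attributes, so only the openid set can be asserted for it.
function expectedClaims(scope) {
  const words = scope.split(/\s+/).filter(Boolean);
  if (!words.includes('openid')) return [];
  return [...OPENID_CLAIMS, ...words.filter((w) => w !== 'openid' && w !== 'profile')];
}

// Issuer and audience must match our tenant and client, the token must not be
// expired at nowSeconds, and every scope-driven claim must be present.
function validateIdToken(claims, scope, nowSeconds) {
  const problems = [];
  if (claims.iss !== TENANT) problems.push('iss mismatch');
  if (claims.aud !== CLIENT_ID) problems.push('aud mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) problems.push('token expired');
  for (const c of expectedClaims(scope)) {
    if (!(c in claims)) problems.push(`missing claim ${c}`);
  }
  return problems;
}

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample id_token (header.payload.dummy-signature) and redirect URL.
const SAMPLE_PAYLOAD = {
  iss: TENANT, sub: 'google-oauth2|112396309096036300109', aud: CLIENT_ID,
  exp: 1437560381, iat: 1437510381, email: 'user@example.com', nickname: 'user',
};
const SAMPLE_ID_TOKEN = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(SAMPLE_PAYLOAD)}.c2ln`;
const SAMPLE_REDIRECT = `${REDIRECT_URI}/#access_token=s213Mvz1QW7XpjoX` +
  `&id_token=${SAMPLE_ID_TOKEN}&token_type=Bearer&state=mep7BLYt1lAsLC94`;

// Run the flow against the constructed redirect at three points in time / scopes.
function demo() {
  const frag = parseFragment(SAMPLE_REDIRECT);
  const claims = decodePayload(frag.id_token);
  return {
    fragmentKeys: Object.keys(frag),
    freshProblems: validateIdToken(claims, 'openid email nickname', 1437520000),
    expiredProblems: validateIdToken(claims, 'openid email nickname', 1437600000),
    missingProblems: validateIdToken(claims, 'openid favorite_food', 1437520000),
  };
}

console.log(buildAuthorizeUrl('openid email nickname', 'mep7BLYt1lAsLC94'));
console.log(demo());
```

The three validateIdToken calls in demo show the failure modes a client should distinguish: a fresh token with the requested email and nickname claims passes, the same token checked after exp fails as expired, and a scope that asked for favorite_food on a user with no such attribute fails only for that missing claim (the page notes such fields are returned only "if they are available").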

Further reading