When a client-side authorization transaction is initiated through the /authorize endpoint, only an opaque access_token is returned by default. To also receive a JWT that authenticates the user and carries their profile information, include the scope parameter in the request (at minimum scope=openid).

Example (implicit flow)

The following URL logs a user in using Google and requests a JWT that authenticates the user.

After a successful transaction, the user would be redirected here:

When decoded, this token contains the following claims:

  {
    "iss": "",
    "sub": "google-oauth2|112396309096036300109",
    "aud": "jGMow0KO3WDJELW8XIxolqb1XIitjkYL",
    "exp": 1437560381,
    "iat": 1437510381
  }

Requesting specific claims

The attributes included in the issued token can be controlled with the scope parameter as follows:

  • scope=openid: returns only the iss, sub, aud, exp and iat claims.
  • scope=openid email nickname favorite_food: returns the openid claims above plus the email, nickname and favorite_food fields, if those attributes are available on the user profile.
  • scope=openid profile (not recommended): returns all of the user's attributes in the token. This can cause problems when sending or receiving tokens in URLs (e.g. when using response_type=token) and will likely create an unnecessarily large token (especially with Azure AD, which returns a fairly long JWT). Keep in mind that JWTs are sent on every API request, so it is desirable to keep them as small as possible.

The scope parameter can be used in the same way when calling the Resource Owner endpoint.
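The exchange described above, as an added example that is not part of the original page or Auth0's own code: it builds the /authorize URL with the scope parameter as listed in the bullets, parses the implicit-flow redirect fragment, decodes the JWT to the claims shown earlier, and then checks iss, aud and exp before the token is trusted. The tenant domain, redirect_uri and issuer value are assumptions (the page leaves iss blank), and the token is constructed from the claims on the page with a placeholder signature segment. Decoding only reveals the claims; the example does not verify the signature, which a real client must do before accepting the token.

```javascript
// Added example (not code from the original page or from Auth0): the implicit-flow
// exchange described above. It builds the /authorize URL with the scope parameter,
// parses the tokens out of the redirect fragment, base64url-decodes the JWT payload
// and runs the claim checks a client should make before trusting it.
// Assumptions: the tenant domain and redirect_uri below are placeholders; the
// parameter names follow the page (response_type=token plus scope=openid).
// Only decoding is shown; signature verification is a separate, required step.
const DOMAIN = 'example.auth0.com';                      // assumption
const CLIENT_ID = 'jGMow0KO3WDJELW8XIxolqb1XIitjkYL';    // the aud shown on the page
const REDIRECT_URI = 'https://app.example.com/callback'; // assumption

// response_type=token returns the opaque access_token; "openid" in scope adds the
// JWT (id_token), and the remaining scope words select which claims it carries.
function buildAuthorizeUrl(scope, connection = 'google-oauth2') {
  const u = new URL(`https://${DOMAIN}/authorize`);
  u.searchParams.set('response_type', 'token');
  u.searchParams.set('client_id', CLIENT_ID);
  u.searchParams.set('redirect_uri', REDIRECT_URI);
  u.searchParams.set('connection', connection);
  u.searchParams.set('scope', scope);
  return u.toString();
}

// The implicit flow hands tokens back in the URL fragment (after '#'), not the query.
function parseFragment(redirectUrl) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(fragment));
}

// JWT segments are base64url without padding; restore standard base64 to decode.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature and decode the two JSON parts. This reveals the
// claims but proves nothing about who issued them; verify the signature before use.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Minimal claim checks: aud must include this client, iss must be the expected
// tenant, exp must be in the future. Returns a list of problems (empty = OK).
function checkClaims(payload, { issuer, clientId, now = Math.floor(Date.now() / 1000) }) {
  const problems = [];
  if (payload.iss !== issuer) problems.push(`iss is ${JSON.stringify(payload.iss)}, expected ${issuer}`);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(clientId)) problems.push(`aud ${aud.join(',')} does not include ${clientId}`);
  if (typeof payload.exp !== 'number' || payload.exp <= now) problems.push('token expired or exp missing');
  return problems;
}

// Constructed sample (not a real token): the page's claims in JWT shape with a dummy
// signature, delivered in a fragment the way the implicit flow does. The page shows
// iss as blank; here it is assumed to be the tenant's issuer URL.
const SAMPLE_ISSUER = `https://${DOMAIN}/`;
const SAMPLE_CLAIMS = {
  iss: SAMPLE_ISSUER,
  sub: 'google-oauth2|112396309096036300109',
  aud: CLIENT_ID,
  exp: 1437560381,
  iat: 1437510381,
};
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(SAMPLE_CLAIMS)),
  'bm90LWEtcmVhbC1zaWduYXR1cmU', // placeholder segment, not a real signature
].join('.');
const SAMPLE_REDIRECT =
  `${REDIRECT_URI}#access_token=opaque123&id_token=${SAMPLE_ID_TOKEN}&token_type=Bearer`;

// Walk through the exchange once with the constructed sample.
function demo() {
  console.log(buildAuthorizeUrl('openid email'));
  const tokens = parseFragment(SAMPLE_REDIRECT);
  const { payload } = decodeJwt(tokens.id_token);
  console.log(payload);
  const expected = { issuer: SAMPLE_ISSUER, clientId: CLIENT_ID };
  console.log('at issue time:', checkClaims(payload, { ...expected, now: payload.iat + 60 }));
  console.log('today:', checkClaims(payload, expected)); // the 2015 token has long expired
}
demo();
```

Run it with node. The checkClaims step is the reason aud and iss matter to a client: a JWT issued to a different client_id or by a different tenant decodes just as cleanly as one issued to yours, so the decoded claims must be compared against the values the client expects, and the signature verified, before the token is used to establish a session.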

Further reading