When initiating a client-side authorization transaction through the /authorize endpoint, only an opaque Access Token will be returned by default. To also return a JWT that authenticates the user and contains their profile information, the scope parameter can be sent as part of the request.
Example (implicit flow)
The following URL logs a user in using Google and requests a JWT that authenticates the user.
After a successful transaction, the user would be redirected here:
When decoded, this token contains the following claims:
Requesting specific claims
The attributes included in the issued token can be controlled with the scope parameter as follows:
scope=openid: will only return
scope=openid email nickname favorite_food: will return claims for openid in addition to the favorite_food fields if they are available.
scope=openid profile: will return all the user attributes in the token. Use this option with care: if the user has many attributes, the ID Token grows and might exceed the URL length limits of some browsers.
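The scope rules above can be checked on the client after the redirect. The following is an added example for Node.js, not code from the original page or from the identity provider: it decodes an ID Token payload, reports claims that go beyond the requested scope, requested attributes that were not returned, and whether the token exceeds a length budget. The function names, the 2000-character default budget, the protocol claim list (taken from OpenID Connect Core) and the sample token are assumptions made for illustration.

```javascript
// Added example. Decoding only: this does NOT verify the token signature.
// Protocol claims an ID Token can carry regardless of extra scopes
// (assumption: list taken from OpenID Connect Core, not from this page).
const PROTOCOL_CLAIMS = new Set(["iss", "sub", "aud", "exp", "iat", "nonce", "at_hash"]);

// Helper used only to build the constructed sample token below.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Return the claims object from a compact JWT (header.payload.signature).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Compare the returned claims with the scope that was sent to /authorize.
// maxChars is a hypothetical URL budget, not a figure from the page.
function auditIdToken(token, scope, maxChars = 2000) {
  const requested = new Set(scope.split(/\s+/).filter(Boolean));
  if (!requested.has("openid")) throw new Error("scope must include openid");
  const claims = Object.keys(decodeJwtPayload(token));
  const allAttributes = requested.has("profile"); // profile = every attribute
  const unexpected = claims.filter(
    (c) => !PROTOCOL_CLAIMS.has(c) && !allAttributes && !requested.has(c));
  const missing = [...requested].filter(
    (s) => s !== "openid" && s !== "profile" && !claims.includes(s));
  return { claims, unexpected, missing,
           length: token.length, overBudget: token.length > maxChars };
}

// Constructed sample token: every value here is made up, signature included.
const sampleToken = [
  b64urlEncode({ alg: "RS256", typ: "JWT" }),
  b64urlEncode({ iss: "https://tenant.example/", sub: "example|123",
                 aud: "CLIENT_ID_PLACEHOLDER", exp: 1700003600, iat: 1700000000,
                 email: "user@example.com", nickname: "user" }),
  "constructed-signature",
].join(".");

console.log(auditIdToken(sampleToken, "openid email nickname favorite_food"));
```

A non-empty `unexpected` list means the token carries more profile data than the request asked for; `missing` lists requested attributes that were not available for the user.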