Reputation: 335
I know that OIDC is used for federated authentication, and in the /authorize endpoint we can pass standard/custom scopes like openid, profile, name, email, etc. Based on the scopes we add the claims to the ID token; an access token is also issued with these scopes, and the client can use the access token to invoke the /userinfo endpoint. In response we return user information based on the OIDC scopes.
Similarly, in the case of OAuth 2.0, clients can request OAuth scopes (based on the scopes supported by the resource server) like create-api, read-api, delete-api, etc.; and upon the user's consent, an access token is issued with these scopes.
My question is: in OIDC, can a client pass both OIDC and OAuth scopes? For example, in the /authorize endpoint can a client pass scopes like openid name read-api write-api admin, which issues an ID token and an access token with all these scopes? And can the access token be used both to invoke the /userinfo endpoint and to access the user's resources? Is this a standard practice?
Upvotes: 0
Views: 1124
Reputation: 54078
Yes, in fact all scopes are "OAuth 2.0" scopes as OpenID Connect is a superset of OAuth 2.0. Scopes are in fact not tied to the ID Token, they are tied to the access token. The resulting access token can be used to invoke both the user info endpoint as well as any other OAuth 2.0 protected resources.
Upvotes: 3
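The following is an added example, not code from the question or the answer above. It builds an authorization request that mixes the standard OIDC scopes with a resource server's own API scopes, then models how the userinfo endpoint and a resource server each check the scopes carried by the resulting access token. The endpoint URLs, the client id, and the scope names read-api and write-api are assumed for illustration; the sample token claims are constructed.

```python
"""Added example: mixed OIDC + API scopes in one authorization request, and the
scope check a resource server (or the userinfo endpoint) applies to the access
token. Endpoints, client id and API scope names are assumptions, not real values."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Standard scopes defined by OpenID Connect Core 1.0 (section 5.4). Anything else in
# the request is an ordinary OAuth 2.0 scope owned by some resource server.
OIDC_SCOPES = {"openid", "profile", "email", "address", "phone"}


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scopes,
                        state=None, nonce=None):
    """Assemble an authorization-code request. `scopes` may mix OIDC and API scopes;
    an ID token is only issued when "openid" is among them."""
    if "openid" not in scopes:
        raise ValueError("an OIDC request must include the openid scope")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),                      # space-delimited, RFC 6749 3.3
        "state": state or secrets.token_urlsafe(16),    # CSRF protection for the callback
        "nonce": nonce or secrets.token_urlsafe(16),    # binds the ID token to this request
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def split_scopes(scope_string):
    """Partition a space-delimited scope string into (OIDC scopes, API scopes)."""
    requested = set(scope_string.split())
    return requested & OIDC_SCOPES, requested - OIDC_SCOPES


def granted_scopes(access_token_claims):
    """Scopes the authorization server actually granted. The access token is opaque
    to the client; this models what a resource server sees after validating it
    (a JWT `scope` claim or an introspection response per RFC 7662)."""
    return set(access_token_claims.get("scope", "").split())


def require_scope(access_token_claims, required):
    """Resource-server check: every required scope must be present in the token.
    Returns (ok, sorted list of missing scopes)."""
    missing = set(required) - granted_scopes(access_token_claims)
    return len(missing) == 0, sorted(missing)


# Constructed sample: claims a resource server sees for the token issued after the
# mixed request. The user consented to read-api but declined write-api.
SAMPLE_TOKEN_CLAIMS = {
    "iss": "https://op.example.com",
    "sub": "user-123",
    "aud": ["https://api.example.com", "https://op.example.com/userinfo"],
    "scope": "openid profile email read-api",
    "exp": 1893456000,
}


def demo():
    url = build_authorize_url(
        "https://op.example.com/authorize", "my-client", "https://app.example.com/cb",
        ["openid", "profile", "email", "read-api", "write-api"],
        state="demo-state", nonce="demo-nonce")
    oidc, api = split_scopes(parse_qs(urlparse(url).query)["scope"][0])
    # One access token serves both kinds of endpoint; each checks only its own scope.
    userinfo_ok, _ = require_scope(SAMPLE_TOKEN_CLAIMS, {"openid"})
    read_ok, _ = require_scope(SAMPLE_TOKEN_CLAIMS, {"read-api"})
    write_ok, missing = require_scope(SAMPLE_TOKEN_CLAIMS, {"write-api"})
    return {"oidc": oidc, "api": api, "userinfo_ok": userinfo_ok,
            "read_ok": read_ok, "write_ok": write_ok, "missing": missing}


if __name__ == "__main__":
    print(demo())
```

The point the answer makes shows up in `require_scope`: the ID token plays no part in authorizing either call. The userinfo endpoint checks the access token for `openid`, the API checks it for `read-api`, and the `scope` claim the server actually issued (which may be narrower than what was requested, as with the declined `write-api` here) is the only thing either side consults.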