Customize OpenID Connect scope and claims
In this document you will learn how OpenID Connect scope and claims work with Ory OAuth2 and OpenID Connect. It will also cover
the default setup of Ory, which uses Ory Identities for logging in and the Ory Account Experience for getting user consent. This
setup supports the email
and profile
OpenID Connect scopes.
The default setup of Ory OAuth2 and OpenID Connect
By default, Ory OAuth2 and OpenID Connect use Ory Identities to handle login. It also uses the Ory Account Experience to ask for
user consent. This setup supports the email
and profile
scopes as defined by OpenID Connect.
How the email
scope works
For the email
scope, the system uses the verifiable addresses of a user. The first verifiable email is used to include the email
in the ID token claims. This means that both email_verified
and email
claims get set.
How the profile
scope works
For the profile
scope, the system uses traits associated with a user. Here's how they map:
identity.traits.username
is used for theusername
claim.identity.traits.website
is used for thewebsite
claim.identity.updated_at
is used for theupdated_at
claim.
Also, the name field can be a string or an object:
- If
identity.traits.name
is a string, it is used for thename
claim. - If
identity.traits.name
is an object,traits.name.first
andtraits.name.last
are used for thegiven_name
andfamily_name
traits.
Customize Scopes and Claims
Refer to the documentation about OAuth2 webhooks to learn about adding custom claims to your tokens for different OAuth flows.
For full control over the resource owner's user experience during the consent phase in the Authorizatio Code / OpenID Connect flow, check out the Ory Consent UI documentation.