User profile claims by requested scopes

This page describes the exact format and content of the user information an integrator (the Relying Party, RP) can retrieve, depending on the scopes the user has consented to.

Scopes define the extent of access requested by the RP.

  • Standard Scopes:

    • openid: Required. Signals an OIDC request. Grants access to the sub (subject identifier) claim in the ID Token.

    • email: Requests access to the user's verified email address (the email claim). Access may require user consent.

  • Custom Scopes:

    • phone: Requests access to the user's verified phone number (the phone claim). Access may require user consent.

    • over16 | over18 | over21 | over65: If consented by the user, provides verified information that the user is over the requested age.

    • over16fae | over18fae | over21fae | over65fae: If the user performs the estimation, provides an estimated (not verified) answer to whether the user is over the requested age. If the estimation is uncertain, or if the user prefers, the user can instead consent to share verified information that they are over the requested age.

(Note: The availability of claims returned for standard scopes depends on user consent and IDP configuration).

Claims

Claims are assertions about the End-User or the authentication event.

Claims can be retrieved from:

  1. the id_token itself (the payload of the signed JWT)

  2. the /userinfo endpoint, by presenting the access token

Example of an id_token payload
{
  "at_hash": "NdOgVUpAcN9eAtyvZ2VheA",
  "aud": [
    "2xsPTANe1wxJBurXcMUWox5EY5Q34qVV"
  ],
  "auth_time": 1744704961,
  "exp": 1744708615,
  "iat": 1744705015,
  "id": "anonymous_AP3NPooaBZ88p8Jvon3xpLyQL2PyWydtNoGKBfDAMzog",
  "iss": "https://vouch.dev.gataca.io/",
  "jti": "32LuF1N1vaUuxG4HHkHopSYvQtG5HLvh",
  "nonce": "e7f63601a8701cba33214888b93b0573",
  "over16": "accepted",
  "rat": 1744704961,
  "sid": "31QFsy8zJyapGStrNtH7N8YUUrKJGppw",
  "sub": "anonymous_AP3NPooaBZ88p8Jvon3xpLyQL2PyWydtNoGKBfDAMzog"
}

  • Standard Claims Supported: generic claims describing the token's validity, present in all tokens. See

    • iss: Issuer of the token (the RP must check it matches the expected issuer)

    • aud: Audience of the token (must contain the client_id of the requesting RP; it may be a JSON array, as in the example above)

    • exp: expiration time of the token (Unix timestamp)

    • iat: issuance time of the token (Unix timestamp)

    • auth_time: time of the user's last authentication (Unix timestamp)

    • nonce: one-time random value sent by the RP in the authorization request and echoed back in the token; the RP must check it matches, which binds the token to that request and prevents replay

  • Scope-specific Custom Claims Provided: depending on the scopes requested by the client and consented to by the user

    • sub [string]: Unless an anonymous age-verification scope has been requested, it contains the DID root identifying the user. Otherwise it contains a random anonymous identifier (the example above shows the anonymous form).

    • email [string]: one of the OTP-verified email addresses managed by the user

    • phone [string]: one of the SMS-OTP-verified phone numbers managed by the user

    • over16 | over18 | over21 | over65 [constant]: the literal value accepted, present only if the user's verified or estimated age is over the required threshold and the user consents to sharing it; an absent claim means the information was not shared

    • estimated [boolean]: true or false, present when the requested age-verification scope allows age estimation (e.g. over16fae, over18fae, ...); true means the age claim comes from an estimate rather than from verified information
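The following is an added example (not code from this page or from the Gataca Vouch project) showing what an RP should do with the claims listed above: validate the standard claims of the id_token payload shown earlier (iss, aud/azp, exp, iat, nonce, optionally at_hash and auth_time freshness, following OIDC Core 3.1.3.7) and then interpret the scope-specific claims for the scopes it actually requested. It assumes the JWT signature has already been verified against the issuer's JWKS, and it treats the "anonymous_" prefix on sub as the marker of an anonymous subject, which is inferred from the example payload rather than stated by the page. The sample payload and access token strings are constructed for the example.

```python
import base64
import hashlib
import time

# Constructed sample input: the id_token payload shown on this page, as a dict.
# Signature verification against the issuer's JWKS is assumed to have happened
# already; this example covers the claim checks only.
SAMPLE_PAYLOAD = {
    "at_hash": "NdOgVUpAcN9eAtyvZ2VheA",
    "aud": ["2xsPTANe1wxJBurXcMUWox5EY5Q34qVV"],
    "auth_time": 1744704961,
    "exp": 1744708615,
    "iat": 1744705015,
    "id": "anonymous_AP3NPooaBZ88p8Jvon3xpLyQL2PyWydtNoGKBfDAMzog",
    "iss": "https://vouch.dev.gataca.io/",
    "jti": "32LuF1N1vaUuxG4HHkHopSYvQtG5HLvh",
    "nonce": "e7f63601a8701cba33214888b93b0573",
    "over16": "accepted",
    "rat": 1744704961,
    "sid": "31QFsy8zJyapGStrNtH7N8YUUrKJGppw",
    "sub": "anonymous_AP3NPooaBZ88p8Jvon3xpLyQL2PyWydtNoGKBfDAMzog",
}

AGE_SCOPES = ("over16", "over18", "over21", "over65")


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def expected_at_hash(access_token: str) -> str:
    """at_hash for a SHA-256-based alg (RS256/ES256): base64url of the
    left-most 128 bits of SHA-256(access_token), per OIDC Core 3.3.2.11."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_nopad(digest[:16])


def check_claims(payload, *, issuer, client_id, nonce, now=None, leeway=60,
                 access_token=None, max_auth_age=None):
    """Return a list of violations; an empty list means the standard claims are valid."""
    now = int(time.time()) if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss does not match the expected issuer")
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if client_id not in aud_list:
        problems.append("client_id is not in aud")
    azp = payload.get("azp")
    if azp is not None and azp != client_id:
        problems.append("azp does not match client_id")
    if len(aud_list) > 1 and azp is None:
        problems.append("multiple audiences but no azp claim")
    if now > payload.get("exp", 0) + leeway:
        problems.append("token has expired")
    if payload.get("iat", 0) > now + leeway:
        problems.append("iat is in the future")
    if payload.get("nonce") != nonce:  # binds the token to this RP's authorization request
        problems.append("nonce does not match the one sent in the request")
    if access_token is not None and "at_hash" in payload:
        if payload["at_hash"] != expected_at_hash(access_token):
            problems.append("at_hash does not match the access token")
    if max_auth_age is not None and now - payload.get("auth_time", 0) > max_auth_age:
        problems.append("authentication event is too old")
    return problems


def extract_profile(payload, requested_scopes):
    """Interpret the scope-specific claims for the scopes this RP requested."""
    sub = payload["sub"]
    profile = {
        "sub": sub,
        # Assumption drawn from the example payload: anonymous subjects carry an
        # "anonymous_" prefix; otherwise sub is the user's DID root.
        "anonymous": sub.startswith("anonymous_"),
    }
    scopes = set(requested_scopes)
    for name in ("email", "phone"):
        if name in scopes and name in payload:
            profile[name] = payload[name]
    for base in AGE_SCOPES:
        if base in scopes or base + "fae" in scopes:
            # Only the literal constant "accepted" means the threshold is met;
            # a missing claim means not consented or not over the threshold.
            profile[base] = payload.get(base) == "accepted"
    if "estimated" in payload:
        profile["estimated"] = bool(payload["estimated"])
    return profile


if __name__ == "__main__":
    issues = check_claims(SAMPLE_PAYLOAD,
                          issuer="https://vouch.dev.gataca.io/",
                          client_id="2xsPTANe1wxJBurXcMUWox5EY5Q34qVV",
                          nonce="e7f63601a8701cba33214888b93b0573",
                          now=1744705100)
    print("claim problems:", issues)
    print(extract_profile(SAMPLE_PAYLOAD, ["openid", "over16"]))
```

Two design points worth noting: the age claim is reduced to a boolean only when the value is exactly the constant accepted, so an unexpected value or an absent claim is treated as "not shared"; and claims are only surfaced for scopes the RP itself requested, so a stray claim in a token cannot grant the application data it never asked for.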
