OpenID Connect (OIDC) scopes

Standard OpenID Connect scopes control which user claims are included in an id_token or in a userinfo response. Unlike other resources, scopes from this resource can be included in an access token along with scopes from another resource.

PingOne supports the following OIDC scopes:

Scope Description

Scope	Description
`profile`	This scope value requests access to the end-user’s profile claims, which are: `name`, `family_name`, `given_name`, `middle_name`, `preferred_username`, `nickname`, `picture`, `zoneinfo`, `locale`, `profile`, `website`, `gender`, `birthdate`, and `updated_at`.
`email`	This scope value requests access to the `email` and `email_verified` claims.
`address`	This scope value requests access to the following claims: `address.street_address`, `address.locality`, `address.region`, `address.postal_code`, `address.country`, `address.formatted`.
`phone`	This scope value requests access to the `phone_number` and `phone_number_verified` claims.

profile

This scope value requests access to the end-user’s profile claims, which are: name, family_name, given_name, middle_name, preferred_username, nickname, picture, zoneinfo, locale, profile, website, gender, birthdate, and updated_at.

email

This scope value requests access to the email and email_verified claims.

address

This scope value requests access to the following claims: address.street_address, address.locality, address.region, address.postal_code, address.country, address.formatted.

phone

This scope value requests access to the phone_number and phone_number_verified claims.

For id_token authorization requests, the openid scope is a required scope that tells the authorization server of an incoming OpenID Connect request.

OIDC scopes for user information

The following sample shows an implicit authorization request with an id_token response type. The scope parameter specifies the required openid scope. It also specifies the optional profile scope to provide access to the end-user’s default profile claims.

curl -X GET \
  'https://auth.pingone.com/{{envID}}/as/authorize?client_id={{appID}}&redirect_uri={{redirect_uri}}&response_type=id_token&scope=openid%20profile'

You must include openid in your requested scopes if you want to use the access token to call the /userinfo endpoint and get a sub attribute in the response. Also, you can include additional OpenID Connect scopes in the scope parameter of the initial authorization request to add more user claims in the id_token and return more information about the user in the /userinfo response.

For more information about retrieving scopes for a specified resource, refer to Get scopes for a resource in the PingOne Platform API Reference.

PingOne Platform APIs

OpenID Connect (OIDC) scopes

OIDC scopes for user information