
Is "scope" a standard claim?


Is there any standard scope claim in OpenID Connect, JWT or OAuth?

In the IdentityServer 4 documentation, there is a "scope" which is a space-separated string.

{
  "client_id": "mobile_app",
  "sub": "123",
  "scope": "read write delete"
}

But from my IdentityServer 4 instance, I get a "scope" claim in the access token which is an array of strings.

{
  // ...
  "client_id": "mobile_app",
  "sub": "123",
  "scope": [ "openid", "profile", "email", "offline_access" ],
  "amr": [ "pwd" ]
}

In the OpenID Connect Core 1.0 specification, I do not see "scope" listed as a claim. In the RFC 7519 JSON Web Token (JWT) specification, I do not see "scope" listed as a claim.


Solution

  • The scope claim was standardized by the Token Exchange RFC. According to the spec, it should be a JSON string with space-separated scope tokens.

    The value of the "scope" claim is a JSON string containing a space-separated list of scopes associated with the token...
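
A resource server that may receive either encoding shown above can normalize the claim before making an authorization decision. The following is an added example, not code from the question, the answer or IdentityServer; the names `normalize_scope` and `has_scope` are hypothetical, and the sample claims are constructed from the two payloads on this page.

```python
import re

# RFC 6749 section 3.3: scope-token = 1*NQCHAR
# (printable ASCII except space, double quote and backslash)
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")

# Constructed sample claims mirroring the two payloads on this page.
STRING_FORM = {"client_id": "mobile_app", "sub": "123",
               "scope": "read write delete"}
ARRAY_FORM = {"client_id": "mobile_app", "sub": "123",
              "scope": ["openid", "profile", "email", "offline_access"]}


def normalize_scope(claims):
    """Return the token's scopes as a frozenset, accepting both encodings.

    String form: one JSON string of space-separated scope tokens.
    Array form:  a JSON array with one scope token per element.
    A missing claim or empty string means no scopes; other shapes are rejected.
    """
    raw = claims.get("scope")
    if raw is None:
        return frozenset()
    if isinstance(raw, str):
        tokens = raw.split(" ") if raw else []
    elif isinstance(raw, list):
        tokens = raw
    else:
        raise ValueError("scope claim must be a string or an array of strings")
    for tok in tokens:
        # Rejects non-strings, empty tokens (double spaces) and tokens that
        # contain characters outside the scope-token grammar.
        if not isinstance(tok, str) or not _SCOPE_TOKEN.fullmatch(tok):
            raise ValueError(f"invalid scope token: {tok!r}")
    return frozenset(tokens)


def has_scope(claims, required):
    """Exact-token membership test.

    A substring test on the raw string would wrongly let "read" match a
    token such as "readonly"; comparing whole tokens avoids that.
    """
    return required in normalize_scope(claims)
```
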