docs: explain default claims mapping #1448

Merged
merged 2 commits into from
Jul 10, 2023
40 changes: 40 additions & 0 deletions docs/oauth2-oidc/claims-scope.mdx
@@ -0,0 +1,40 @@
---
id: claims-scope
slug: openid-connect-claims-scope-custom
title: Customize OpenID Connect scope and claims
sidebar_label: Scope and claims customization
---

In this document you will learn how OpenID Connect scope and claims work with Ory OAuth2 and OpenID Connect. It will also cover
the default setup of Ory, which uses Ory Identities for logging in and the Ory Account Experience for getting user consent. This
setup supports the `email` and `profile` OpenID Connect scopes.

## The default setup of Ory OAuth2 and OpenID Connect

By default, Ory OAuth2 and OpenID Connect use Ory Identities to handle login. It also uses the Ory Account Experience to ask for
user consent. This setup supports the `email` and `profile` scopes as defined by OpenID Connect.

### How the `email` scope works

For the `email` scope, the system uses the verifiable addresses of a user. The first verifiable email is used to include the email
in the ID token claims. This means that both `email_verified` and `email` claims get set.

### How the `profile` scope works

For the `profile` scope, the system uses traits associated with a user. Here's how they map:

- `identity.traits.username` is used for the `username` claim.
- `identity.traits.website` is used for the `website` claim.
- `identity.updated_at` is used for the `updated_at` claim.

Also, the name field can be a string or an object:

- If `identity.traits.name` is a string, it is used for the `name` claim.
- If `identity.traits.name` is an object, `traits.name.first` and `traits.name.last` are used for the `given_name` and
`family_name` traits.

## Making Custom Scopes and Claims

Ory allows you to customize scopes and claims. To do this, you can set up a custom consent UI. This way, you can adjust your
identity management process to fit your needs. For more information, check out the
[Ory Consent UI Documentation](./custom-login-consent/flow.mdx).
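Review bot: in the bullet "If `identity.traits.name` is an object, `traits.name.first` and `traits.name.last` are used for the `given_name` and `family_name` traits." the last word should be `claims`, not `traits`: the list maps identity traits to ID-token claims, and `given_name` / `family_name` are the claim names. The same bullet also drops the `identity.` prefix; write `identity.traits.name.first` and `identity.traits.name.last` so it reads consistently with the other bullets. In the `email` section, "both `email_verified` and `email` claims get set" leaves open what value `email_verified` carries when the first verifiable address has not been verified yet; relying parties routinely make authorization decisions on that claim, so the page should say whether it mirrors the address's verification status. Minor style point: the heading "Making Custom Scopes and Claims" is in title case while the other headings use sentence case.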
1 change: 1 addition & 0 deletions src/sidebar.js
Expand Up @@ -208,6 +208,7 @@ module.exports = {
"hydra/guides/oauth2-token-introspection",
"hydra/guides/client-token-expiration",
"oauth2-oidc/userinfo-oidc",
"oauth2-oidc/claims-scope",
"hydra/jwks",
"hydra/guides/openid",
"hydra/guides/audiences",
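Review bot: the new sidebar entry `"oauth2-oidc/claims-scope"` matches the `id: claims-scope` front matter of the file added under `docs/oauth2-oidc/`, and placing it directly after `"oauth2-oidc/userinfo-oidc"` keeps the two OIDC claims pages adjacent in the navigation; nothing to change here.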