OpenId Connect Standard Claims

Introduction

OpenID Connect (OIDC) is an authentication protocol built on top of OAuth 2.0, designed to provide user authentication and authorization capabilities for applications. One of the key components of OIDC is the concept of tokens. Tokens carry information about the authentication and authorization context and are used to make secure and authorized requests. In this blog post, we will explore the different types of claims found in OIDC tokens and understand their significance in the authentication process.

Access Token Claims

Access tokens in OIDC are used to authorize access to protected resources on behalf of a user. They contain a set of claims that convey information about the user. As OpenID Connect is based on top of OAuth 2.0, you should have a look at the list in our other post talking about OAuth 2 Access Token Claims.

Standard Identity Claims

In addition to the OAuth 2.0 claims, there are standard identity claims that provide specific information about the user's profile and attributes. These claims offer a standardized way of conveying essential identity-related data. Let's explore some of the commonly used standard identity claims:

  • name: The name claim represents the user's full name.

  • given_name: This claim contains the user's given or first name.

  • family_name: The family name claim represents the user's last or family name.

  • middle_name: The middle name claim carries the user's middle name, if applicable.

  • nickname: The nickname claim contains a short name or alias used by the user.

  • preferred_username: This claim represents the user's preferred username or handle.

  • profile: The profile claim points to a URL that provides additional profile information about the user.

  • picture: The picture claim provides a URL to the user's profile picture or avatar.

  • website: This claim contains the URL of the user's website or homepage.

  • email: The email claim represents the user's email address.

  • email_verified: The email verified claim indicates whether the user's email address has been verified.

  • gender: This claim specifies the gender or sex of the user.

  • birthdate: The birthdate claim denotes the user's date of birth.

  • zoneinfo: This claim represents the user's time zone or geographical region.

  • locale: The locale claim indicates the user's preferred language and cultural preferences.

  • phone_number: The phone number claim contains the user's phone number.

  • phone_number_verified: The phone number verified claim indicates whether the user's phone number has been verified.

  • address: This claim carries the user's postal address or parts of it.

  • updated_at: The updated at claim represents the time when the user's information was last updated.

An exhaustive list of those claims is available in the OpenID Connect Specs.

These standard identity claims provide a standardized way of conveying important user attributes in OpenID Connect tokens. However, it's important to note that the availability and inclusion of these claims may vary depending on the identity provider and the user's consent and privacy settings. Additionally, custom claims can be defined to include domain-specific identity information as needed.