Scopes and Claims

For OIDC, claims are released when certain scopes are requested from the OP by the client.

The edu-ID OP releases claims according to the claim release settings of the client in the Resource Registry. Claims are by default released only on the userInfo endpoint but can be configured to also be released in the ID Token. In order to get the claims, the scopes openid and https://eduid.ch/scope/userinfo.read need to be requested. See below for further details on the two scopes as well as other scopes for advanced use cases.

Mandatory scopes

Each authorization request of a client contains a list of requested scopes. For the edu-ID OP, for the default use case, any client should request the scopes openid and https://eduid.ch/scope/userinfo.read such that authentication is triggered and claims are eventually released. The following subsctions explain the meaning of the two scopes.

openid

The openid scope is a standard scope and required to indicate that the application intends to use OIDC to verify the user's identity and in order to get the standardized ID token, according to the Section 2 of the OIDC specification.

With the openid scope, the client is authorized to retrieve the the following claims:

Claim Type edu-ID source attribute Description Additional information
sub (pairwise)
string pairwise-id (unscoped) Subject - Identifier for the End-User at the Issuer. The pairwise subject is the default and shall only be changed if there is a good reason to do so. The pairwise subject is a privacy-presesrving pairwise identifier which is derived from the triple of user, issuer and sector. The sector of a client is given by its sector_identifier_uri which can be defined in the Resource Registry. Like this, one can have a set of client where the same user can be identified across all of them via the same subject.
sub (public)
string swissEduPersonUniqueID Subject - Identifier for the End-User at the Issuer. Alternatively to the pairwise subject, a client can request the public subject which has the same value among all clients. For the edu-ID, the value of the public subject is the value of the swissEduPersonUniqueID claim of the user. It shall only be used if there is a strict need for it which can not be handled with the pairwise subject.
eduid_idp string swissEduPersonHomeOrganization Provider of the identity which is released Only released in the ID Token and, if the Access Token has audiences other than the OP itself, also in there. Its main purpose is to request values for it to only allow identities from certain providers.

https://eduid.ch/scope/userinfo.read

In the attribute specification you can see which claims are available through the edu-ID OP and which format and claim names they have. In order to get these claims, the client needs to request the edu-ID specific scope https://eduid.ch/scope/userinfo.read. Note that the configured claims are not guaranteed to be available. It depends on whether they are present in the released identity and whether the identity provider allows them to be released.

Other scopes

Apart from the mandatory scopes, client can request additional scopes for other use cases.

offline_access scope (refresh token)

Clients configured for the scope offline_access receive a refresh token (OIDC Spec). The refresh token is particularly useful for personal mobile clients, to prevent a user from having to re-authenticate every day. At client registration in the Resource Registry, specify the Offline Access grant type so the OP will grant the client offline_access scope on request.

Check the Tokens documentation for details on the refresh token.

Standard scopes for claim release

In order to be conformant with the OIDC core specification, the edu-ID OP releases some claims within the standard scopes profile and email. You can see this in the Switch edu-ID attribute specification.

However, for the sake of simplicity, we strongly recommend to only use the https://eduid.ch/scope/userinfo.read scope for claim release. All configured claims are released by using this scope (together with the openid scope).

Deprecated scope 'https://login.eduid.ch/authz/User.Read'

The Switch edu-ID has introduced the scope https://login.eduid.ch/authz/User.Read for all user attributes of Switch edu-ID which can't be mapped to the standard scopes. However, with the introduction of the https://eduid.ch/scope/userinfo.read including all claims, the old https://login.eduid.ch/authz/User.Read is now deprecated and should not be used anymore.

Custom scopes

The Switch edu-ID OP is able to support additional scopes not related to claim release. Use cases are scopes in access tokens, which are used for accessing a separate resource server where the trust between client and resource server is established via Switch edu-ID. Support for resource servers is currently on the Roadmap and is to be implemented. Please let us know via email if you have such a use case.