Scopes
Scopes define what access a client is requesting from the user. In the context of Corppass, scopes determine the types of identity and entity information to be included in the issued tokens.
When initiating an OpenID Connect flow, clients must include the appropriate scope parameter in the authorization request.
Usage
Example
The following shows how scope should be specified in a Pushed Authorization Request (PAR).
POST /request
Content-Type: application/x-www-form-urlencoded
DPoP: <signed-DPoP-JWT>

client_id=...
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=eyJ...
&response_type=code
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcallback
&scope=openid%20authinfo%20business_profile.email
&state=sDf83sdfKJ29
&nonce=gfjs92jfslf
&code_challenge=VQbq2FQzvY12kTkE-FoLmGHim5W7LRknTNYTUKuCKcE
&code_challenge_method=S256
Supported Scopes
openid
Mandatory scope to indicate the request is an OpenID Connect flow. Required for all requests.
Claims: sub, act, amr, nonce, aud, exp, iat, iss
sub_account
Provides more details about the user that is acting on behalf of the entity.
Read sub_account - User Account to see the structure.
Claims: act.sub_account
authinfo
Provides authorization details for the authenticated user. This scope must be provided, or else no authorization information will be returned by the userinfo endpoint.
Claims: auth_info
tpauthinfo
Provides third-party authorization details for the authenticated user. This scope must be provided, or else no third-party authorization information will be returned by the userinfo endpoint.
Claims: tp_auth_info
business_profile.email
Provides the email of the user that is acting on behalf of the entity, as registered on Corppass.
Note: The sub_account scope must also be provided for the relevant email claims to be returned.
Read sub_account - User Account to see where the claims sit.
Claims: act.sub_account.email, act.sub_account.email_verified
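The following is an added example, not Corppass code, and its function names are hypothetical. It builds the scope value for the PAR body from the supported scopes listed above: it rejects unsupported scopes, always includes openid, adds sub_account when business_profile.email is requested (a choice made for this example), and percent-encodes the result.

```python
from urllib.parse import urlencode, quote

# Scope -> claims, transcribed from the Supported Scopes list on this page.
SCOPE_CLAIMS = {
    "openid": ["sub", "act", "amr", "nonce", "aud", "exp", "iat", "iss"],
    "sub_account": ["act.sub_account"],
    "authinfo": ["auth_info"],
    "tpauthinfo": ["tp_auth_info"],
    "business_profile.email": ["act.sub_account.email",
                               "act.sub_account.email_verified"],
}
# Dependency stated in the page's note on business_profile.email.
REQUIRES = {"business_profile.email": ["sub_account"]}


def build_scope(requested):
    """Validate requested scopes and return the space-delimited scope value."""
    unknown = [s for s in requested if s not in SCOPE_CLAIMS]
    if unknown:
        # Fail closed: never forward a scope this page does not list.
        raise ValueError(f"unsupported scope(s): {unknown}")
    scopes = ["openid"]  # mandatory for every request
    for s in requested:
        # Add prerequisites first, then the scope itself, without duplicates.
        for needed in REQUIRES.get(s, []) + [s]:
            if needed not in scopes:
                scopes.append(needed)
    return " ".join(scopes)


def expected_claims(scope_value):
    """Claims this page associates with a scope value (for data-minimisation review)."""
    return [c for s in scope_value.split() for c in SCOPE_CLAIMS[s]]


def par_body(params, requested):
    """Form-encode a PAR body; spaces in the scope value become %20."""
    fields = dict(params, scope=build_scope(requested))
    return urlencode(fields, quote_via=quote)
```

Comparing expected_claims() against what the client actually consumes is a quick way to spot scopes that are requested but not needed.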