Hi,
In the past we have overloaded the id_token in OIDC responses from Auth0 with custom claims, such as the group data claims, for compatibility.
This is no longer needed and is incorrect: an RP that requires a smaller id_token would normally just request scope:openid
and expect a small response back, instead of the currently long response.
Once https://github.com/mozilla-iam/auth0-deploy/pull/269 is deployed, this will be fixed:

- scope:openid will correctly return a small id_token, therefore allowing us to use SSO for AWS CLI authentication, for example.
- scope:openid profile is the currently recommended scope to get full profile information back from the user, part of which is reflected in the id_token at this time.
- scope:openid email and other similar selections will return the requested claim (email) but will still also add the custom Mozilla claims in addition to it.