JWT "scp" claim vs "scope" claim

The JWT issued by Okta has a claim named “scp”, an array of strings, which is used for scopes [1]. But according to the RFC [2], the claim should be named as “scope”, a JSON string containing a space-separated list of scopes. Please clarify if I have misunderstood. Any help or suggestion would be highly appreciated.

[1] https://developer.okta.com/docs/reference/api/oidc/#access-token-scopes-and-claims
[2] https://tools.ietf.org/html/rfc8693#section-4.2

I think you might be wrong here. The RFC you mentioned is a specific one for ... defines a protocol for an HTTP- and JSON-based Security Token Service (STS) and not OIDC/OAuth, which do not require this claim to be present in the token. OIDC defines a list of standard claims in https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims and OAuth doesn’t even require the access token to be in JWT format.

@phi1ipp Thanks for the clarification.
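For a resource server that has to authorize against tokens of both shapes discussed above, this is an added example (not part of the original thread and not Okta's code) that normalizes the "scp" array and the space-separated "scope" string into one set and denies on malformed or contradictory claims. It assumes the token's signature, issuer, audience and expiry were already validated; the function names and sample payloads are hypothetical.

```python
class ScopeError(ValueError):
    """A scope claim is present but malformed or contradictory."""


def _parse(name, value):
    # String form: space-separated list (the "scope" shape in RFC 8693 section 4.2).
    if isinstance(value, str):
        return frozenset(value.split())
    # Array form: list of strings (the "scp" shape described for Okta tokens).
    if isinstance(value, list) and all(
        isinstance(s, str) and s and not any(c.isspace() for c in s) for s in value
    ):
        return frozenset(value)
    raise ScopeError(f"claim {name!r} is not a scope string or array of scope strings")


def extract_scopes(claims):
    """Return the granted scopes from already-verified JWT claims."""
    found = {n: _parse(n, claims[n]) for n in ("scp", "scope") if n in claims}
    if len(set(found.values())) > 1:
        # Both claims present but disagreeing: fail closed rather than guess.
        raise ScopeError("'scp' and 'scope' disagree")
    return next(iter(found.values()), frozenset())


def has_scopes(claims, required):
    """True only if every required scope was granted; malformed claims deny."""
    try:
        return frozenset(required) <= extract_scopes(claims)
    except ScopeError:
        return False


# Constructed sample payloads (not real tokens).
OKTA_STYLE = {"sub": "user1", "scp": ["openid", "orders:read"]}
RFC8693_STYLE = {"sub": "user1", "scope": "openid orders:read"}
MALFORMED = {"sub": "user1", "scp": {"orders:read": True}}

if __name__ == "__main__":
    for payload in (OKTA_STYLE, RFC8693_STYLE, MALFORMED):
        print(payload, "->", has_scopes(payload, ["orders:read"]))
```

Rejecting a token whose two claims disagree is a policy choice made for this example; a deployment that trusts a single issuer can instead pin the one claim name that issuer documents.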
