JWT "scp" claim vs "scope" claim

ldclakmal · July 16, 2020, 5:26am

The JWT issued by Okta has a claim named “scp”, an array of strings, which is used for scopes [1]. But according to the RFC [2], the claim should be named as “scope”, a JSON string containing a space-separated list of scopes. Please clarify if I have misunderstood. Any help or suggestion would be highly appreciated.

[1] https://developer.okta.com/docs/reference/api/oidc/#access-token-scopes-and-claims
[2] https://tools.ietf.org/html/rfc8693#section-4.2

phi1ipp · July 17, 2020, 2:10am

I think, you might be wrong here. The RFC you mentioned is a specific one for ... defines a protocol for an HTTP- and JSON-based Security Token Service (STS) and not OIDC/OAuth which do not require this claim to be present in the token. OIDC defines a list of standard claims in https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims and OAuth don’t even require access token to be in JWT format

ldclakmal · July 20, 2020, 4:21am

@phi1ipp Thanks for the clarification.

Post		Replies	Views
Scope/scp and space delimited string in access token Questions	4	5139	April 7, 2021
What do 'Scope' and 'Audience' mean? Questions	4	42186	January 25, 2024
Profile Scope Missing given_name claim Questions	13	8517	August 10, 2020
Attribute-based Access Control via claims Questions	8	4459	January 25, 2024
What’s in a Token? – An OpenID Connect Primer, Part 3 of 3 Developer Blog Comments	29	4196	April 4, 2024

JWT "scp" claim vs "scope" claim

Related topics