Scopes and Claims

Important note: Currently, clients receive claims from the UserInfo endpoint even if they do not request the corresponding scopes, as long as the claims are marked "required" or "desired" in the Resource Registry. However, the edu-ID OP is currently being made more conformant to the OIDC standards, so in the future it will be necessary to request the corresponding scopes in order to receive the claims.
Clients will be informed about this well in advance so that they have enough time to make these adjustments.


The OIDC service supports configurations using the "edu-ID only" attribute model. It essentially provides data from the personal part of an edu-ID. Optionally, affiliation data is available by using the extended attribute model.

The SWITCH edu-ID OP releases user attributes when certain OIDC scopes, as listed below, are requested. For data economy, however, clients shall only receive the claims they require; the claims released within each scope can therefore be filtered in the Resource Registry. All required attributes are then available on the UserInfo endpoint of the OP when requested with the respective scopes, provided they are available for this particular user. See the Token documentation for details on the claims released within the ID Token.

The following scopes are supported by the SWITCH edu-ID OP and can be requested by relying parties. Please refer to the OIDC specification for details on the various standard scopes and claims.

Scope openid

The openid scope is required to indicate that the application intends to use OIDC to verify the user's identity and to obtain the standardized ID token, according to Section 2 of the OIDC specification.

Special remarks:

  • sub
    The sub claim (subject) is a pairwise identifier, i.e. a unique value per user and service. SWITCH edu-ID offers pairwise identifiers for a whole group of services, called a sector.
    Multiple RPs with the same sector will get the same subject for each user. A client's sector is specified in the Resource Registry. It is recommended to use the sub claim as the main identifier.
  • nonce
    SWITCH edu-ID supports nonces to mitigate replay attacks. Public clients must send a nonce. The SWITCH edu-ID OP refuses to serve public clients that do not send a nonce in their Authentication Request.
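As an added example (not SWITCH's code), the following Python shows how a relying party generates a fresh nonce and state for each login, requests only the scopes it needs, and then checks the claims of the returned ID token: issuer, audience, expiry and, above all, that the nonce matches the one stored for this login. The nonce is consumed on first use, so a second token carrying the same nonce is rejected. The issuer, authorization endpoint, client_id and redirect URI are placeholders, and signature verification of the ID token is assumed to have been done beforehand by a JOSE library.

```python
"""Authentication request with a nonce and ID token claim checks for an OIDC RP.

Added example, not SWITCH's code. Endpoint URLs and client values are
placeholders; the ID token signature is assumed to be verified by a JOSE
library before its claims reach validate_id_token_claims().
"""
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://op.example"                    # placeholder issuer
AUTHZ_ENDPOINT = "https://op.example/authorize"  # placeholder endpoint
CLIENT_ID = "rp-client-id"                       # placeholder client_id
REDIRECT_URI = "https://rp.example/callback"     # placeholder redirect URI

# Request only the scopes whose claims the service actually needs.
SCOPES = ["openid", "profile", "email", "https://login.eduid.ch/authz/User.Read"]


def build_authentication_request(session, scopes=SCOPES):
    """Create state and nonce, remember them in the RP session, return the URL."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


class IdTokenError(Exception):
    pass


def validate_id_token_claims(claims, session, now=None):
    """Check iss/aud/exp and bind the ID token to this login via the nonce.

    The nonce is removed from the session on first use, so a second token
    carrying the same nonce (a replay) is rejected. Returns the pairwise sub.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise IdTokenError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise IdTokenError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise IdTokenError("token expired")
    expected = session.pop("oidc_nonce", None)  # consume: one login, one nonce
    if expected is None or not secrets.compare_digest(claims.get("nonce", ""), expected):
        raise IdTokenError("nonce mismatch or replayed token")
    sub = claims.get("sub")
    if not sub:
        raise IdTokenError("missing sub")
    return sub


def demo():
    """Run one login round trip against a constructed ID token payload."""
    session = {}
    url = build_authentication_request(session)
    # Constructed ID token payload, as a JOSE library would return it after
    # signature verification; the nonce echoes the one generated above.
    claims = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "exp": time.time() + 300,
        "nonce": session["oidc_nonce"],
        "sub": "pairwise-sub-for-this-sector",  # constructed value
    }
    sub = validate_id_token_claims(claims, session)
    try:
        validate_id_token_claims(claims, session)  # same token presented again
        replay_rejected = False
    except IdTokenError:
        replay_rejected = True
    return url, sub, replay_rejected


if __name__ == "__main__":
    print(demo())
```

The returned sub is the pairwise identifier discussed above and is the value to key user records on; the state parameter is checked against the session in the callback handler in the same way as the nonce.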

Scope profile

The profile scope authorizes the client to retrieve some basic claims identifying the user. Currently, the SWITCH edu-ID OP can release the following claims in the profile scope:

| Claim       | Type   | edu-ID source attribute          | Additional information |
|-------------|--------|----------------------------------|------------------------|
| given_name  | string | givenName (spec)                 | - |
| family_name | string | surname (spec)                   | - |
| name        | string | displayName (spec)               | - |
| gender      | string | swissEduPersonGender (spec)      | Possible values: 'male', 'female', 'not applicable' |
| birthdate   | string | swissEduPersonDateOfBirth (spec) | Format: YYYY-MM-DD (whereas swissEduPersonDateOfBirth uses YYYYMMDD) |
| locale      | string | preferredLanguage (spec)         | - |

Scope email

The email scope authorizes the client to retrieve the email address of the user as well as its verification status:

| Claim          | Type    | edu-ID source attribute | Additional information |
|----------------|---------|-------------------------|------------------------|
| email          | string  | mail (spec)             | - |
| email_verified | boolean | -                       | Is always set to 'true' |

The edu-ID user registration process enforces initial email address verification, so the email_verified value will always return 'true'. This does not, however, guarantee that the address still exists, as there is no re-verification process once the user has set it as the primary email address. Furthermore, the primary email address is the contact address as defined by the account owner and may change over time.

Scope https://login.eduid.ch/authz/User.Read

The scope https://login.eduid.ch/authz/User.Read is a non-standard scope supported by the SWITCH edu-ID OP. It has been introduced as a container for all claims the edu-ID OP supports that are not mapped to a claim in any standard OIDC scope. It can be treated like all other scopes in client requests to the OP.

| Claim                               | Type       | edu-ID source attribute                    |
|-------------------------------------|------------|--------------------------------------------|
| swissEduPersonUniqueID              | string     | swissEduPersonUniqueID (spec)              |
| swissEduPersonMobilePhone           | JSON array | mobile (spec)                              |
| swissEduPersonBusinessPhone         | JSON array | telephoneNumber (spec)                     |
| swissEduPersonHomePhone             | JSON array | homePhone (spec)                           |
| swissEduPersonMinimumAgeCategory    | string     | swissEduPersonMinimumAgeCategory (spec)    |
| swissLibraryPersonResidenceCanton   | string     | swissLibraryPersonResidenceCanton (spec)   |
| schacPersonalUniqueCode             | JSON array | schacPersonalUniqueCode (spec)             |
| eduPersonEntitlement                | JSON array | eduPersonEntitlement (spec)                |
| swissEduIDAssociatedMail            | JSON array | swissEduIDAssociatedMail (spec)            |
| swissEduIDLinkedAffiliation         | JSON array | swissEduIDLinkedAffiliation (spec)         |
| swissEduIDLinkedAffiliationMail     | JSON array | swissEduIDLinkedAffiliationMail (spec)     |
| swissEduIDLinkedAffiliationUniqueID | JSON array | swissEduIDLinkedAffiliationUniqueID (spec) |
| swissEduID                          | string     | swissEduID (spec)                          |
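Added example, not SWITCH's code: a validator for a UserInfo response that enforces the claim types and formats from the profile, email and User.Read tables above (string, JSON array of strings, or boolean; the listed gender values; birthdate as YYYY-MM-DD rather than the YYYYMMDD of the source attribute), checks that the UserInfo sub matches the sub from the ID token, and drops claims it does not know rather than passing them on. The response and all values are constructed; which claims are actually released depends on the Resource Registry configuration and on what is set for the particular user, so every claim except sub is treated as optional.

```python
"""Validate a UserInfo response against the edu-ID claim tables.

Added example, not SWITCH's code. The sample response is constructed.
"""
import json
import re
from datetime import date

# Expected JSON type per claim, taken from the profile, email and User.Read tables.
CLAIM_TYPES = {
    "sub": str,
    "given_name": str, "family_name": str, "name": str,
    "gender": str, "birthdate": str, "locale": str,
    "email": str, "email_verified": bool,
    "swissEduPersonUniqueID": str,
    "swissEduPersonMobilePhone": list,
    "swissEduPersonBusinessPhone": list,
    "swissEduPersonHomePhone": list,
    "swissEduPersonMinimumAgeCategory": str,
    "swissLibraryPersonResidenceCanton": str,
    "schacPersonalUniqueCode": list,
    "eduPersonEntitlement": list,
    "swissEduIDAssociatedMail": list,
    "swissEduIDLinkedAffiliation": list,
    "swissEduIDLinkedAffiliationMail": list,
    "swissEduIDLinkedAffiliationUniqueID": list,
    "swissEduID": str,
}
GENDER_VALUES = {"male", "female", "not applicable"}
BIRTHDATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


class ClaimError(ValueError):
    pass


def source_to_birthdate(value):
    """Map the YYYYMMDD form of swissEduPersonDateOfBirth to the YYYY-MM-DD claim form."""
    if not re.fullmatch(r"\d{8}", value):
        raise ClaimError("source date must be YYYYMMDD")
    return f"{value[0:4]}-{value[4:6]}-{value[6:8]}"


def validate_userinfo(raw, expected_sub):
    """Parse UserInfo JSON, check types and formats, return only known claims."""
    data = json.loads(raw)
    # The UserInfo sub must equal the ID token sub (OIDC Core 5.3.2); otherwise
    # the data may belong to a different user or session.
    if data.get("sub") != expected_sub:
        raise ClaimError("UserInfo sub does not match ID token sub")
    out = {}
    for name, value in data.items():
        expected = CLAIM_TYPES.get(name)
        if expected is None:
            continue  # unknown claim: not trusted, not passed on
        if not isinstance(value, expected):
            raise ClaimError(f"{name}: expected {expected.__name__}, got {type(value).__name__}")
        if expected is list and not all(isinstance(v, str) for v in value):
            raise ClaimError(f"{name}: array elements must be strings")
        out[name] = value
    if "gender" in out and out["gender"] not in GENDER_VALUES:
        raise ClaimError("gender: unexpected value")
    if "birthdate" in out:
        if not BIRTHDATE_RE.match(out["birthdate"]):
            raise ClaimError("birthdate: expected YYYY-MM-DD")
        date.fromisoformat(out["birthdate"])  # rejects impossible dates
    return out


def is_valid(raw, expected_sub):
    """Convenience wrapper: True if the response passes validate_userinfo."""
    try:
        validate_userinfo(raw, expected_sub)
        return True
    except ValueError:  # ClaimError, JSON and date errors all derive from ValueError
        return False


# Constructed sample response; every value is made up for this example.
SAMPLE_USERINFO = json.dumps({
    "sub": "pairwise-sub-for-this-sector",
    "given_name": "Anna", "family_name": "Muster",
    "gender": "female", "birthdate": source_to_birthdate("19900315"),
    "email": "anna@example.org", "email_verified": True,
    "swissEduPersonMobilePhone": ["+41 00 000 00 00"],
    "eduPersonEntitlement": ["urn:mace:example:entitlement"],
    "unknown_claim": "ignored",
})

if __name__ == "__main__":
    print(validate_userinfo(SAMPLE_USERINFO, "pairwise-sub-for-this-sector"))
```

Because email_verified is always 'true' for edu-ID accounts (see the email scope above), the validator only checks its type; a service that needs a currently deliverable address has to confirm that itself.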

Scope offline_access (Refresh Token)

Clients configured for the scope offline_access receive a refresh token (OIDC Spec). The refresh token is particularly useful for personal mobile clients, to prevent a user from having to re-authenticate every day. At client registration in the Resource Registry, specify the Offline Access grant type so that the OP grants the client offline access on request.

Check the Tokens documentation for details on the refresh token.


Additional scopes

The SWITCH edu-ID OP is able to support additional scopes not related to claim release. One use case is scopes in access tokens that are used for accessing a separate resource server, where the trust between client and resource server is established via SWITCH edu-ID. Support for resource servers is currently on the roadmap and is to be implemented.

The standard scopes phone and address are not supported by the edu-ID OP yet, since there is no preferred phone number or address defined for users. However, the claims swissEduPersonMobilePhone, swissEduPersonHomePhone and swissEduPersonBusinessPhone, as well as postalAddress and homePostalAddress, might be available via the https://login.eduid.ch/authz/User.Read scope if configured in the Resource Registry.

Claim acr

See Development and Testing