Scopes and Claims

The OIDC service supports the edu-ID only attribute model configurations. It provides data from the personal part of an edu-ID. Optionally, affiliation data is available by using the extended attribute model.

The SWITCH edu-ID OP releases user attributes when the OIDC scopes listed below are requested. For data economy, however, clients shall only receive the claims they require; the claims released within each scope can therefore be filtered in the Resource Registry. All required attributes are then available on the UserInfo endpoint of the OP when the respective scopes are requested, provided they are available for this particular user. See the Token documentation for details on the claims released within the ID Token.

The following scopes are supported by the SWITCH edu-ID OP and can be requested by relying parties. Please refer to the OIDC specification for details on the various standard scopes and claims.

Scope openid

The openid scope is required to indicate that the application intends to use OIDC to verify the user's identity and to obtain the standardized ID token, according to Section 2 of the OIDC specification.

With the openid scope, the client is authorized to retrieve the sub claim. This claim can either be a pairwise identifier or a public identifier. It is highly recommended to use the pairwise subject unless there is a strict need for the public one. The subject type can be specified in the Resource Registry.

Claim            Type    edu-ID source attribute
sub (pairwise)   string  pairwise-id (unscoped)
sub (public)     string  swissEduPersonUniqueID

sub (pairwise): This is the default and shall only be changed if there is a good reason to do so. It is a pairwise identifier derived from the triple of user, issuer and sector. The sector of a client is given by its sector_identifier_uri, which can be defined in the Resource Registry. This way, a set of clients can share a sector so that the same user is identified across all of them via the same subject.

sub (public): As an alternative to the pairwise subject, a client can request the public subject, which has the same value for all clients. For the edu-ID, the value of the public subject is the value of the user's swissEduPersonUniqueID claim. It shall only be used if there is a strict need that cannot be met with the pairwise subject.
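The difference between the two subject types is easiest to see in code. The following is an added example, not the SWITCH edu-ID OP's implementation: it derives an illustrative pairwise subject from the sector identifier (the host of sector_identifier_uri, as OIDC Core section 8.1 prescribes), the issuer and the user, plus a constructed salt, and contrasts it with the public subject that simply equals swissEduPersonUniqueID. The issuer URL, salt and user identifier are constructed sample values; the real OP's derivation and salt are not public.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample values (not the OP's real salt or a real user).
ISSUER = "https://login.eduid.ch/"
SALT = b"constructed-example-salt"


def sector_identifier(sector_identifier_uri: str) -> str:
    """Per OIDC Core 8.1 the sector identifier is the host component of sector_identifier_uri."""
    host = urlparse(sector_identifier_uri).hostname
    if not host:
        raise ValueError("sector_identifier_uri must contain a host component")
    return host.lower()


def pairwise_sub(issuer: str, sector_identifier_uri: str, user_unique_id: str) -> str:
    """Illustrative pairwise subject: a hash over (sector, issuer, user, salt).

    This reproduces the property the page describes (same value for all clients
    of one sector, different values across sectors); it is NOT the edu-ID OP's
    actual algorithm.
    """
    sector = sector_identifier(sector_identifier_uri)
    material = b"|".join([sector.encode(), issuer.encode(), user_unique_id.encode(), SALT])
    return hashlib.sha256(material).hexdigest()


def public_sub(user_unique_id: str) -> str:
    """Public subject type: identical for every client, equal to swissEduPersonUniqueID."""
    return user_unique_id


def same_user_across_clients(sub_a: str, sub_b: str) -> bool:
    """True if two clients would recognise these subjects as the same user."""
    return sub_a == sub_b


if __name__ == "__main__":
    user = "000000000000@eduid.ch"  # constructed swissEduPersonUniqueID-style value
    same_sector_a = pairwise_sub(ISSUER, "https://app.example.org/sectors.json", user)
    same_sector_b = pairwise_sub(ISSUER, "https://app.example.org/other.json", user)
    other_sector = pairwise_sub(ISSUER, "https://other.example.net/sectors.json", user)
    print("same sector, same sub:", same_user_across_clients(same_sector_a, same_sector_b))
    print("other sector, same sub:", same_user_across_clients(same_sector_a, other_sector))
    print("public sub:", public_sub(user))
```

Two clients registered with sector_identifier_uri values on the same host obtain the same pairwise subject for a user; a client on a different host obtains an unrelated value, so the user cannot be correlated across sectors. The public subject is linkable everywhere, which is why the page restricts it to cases with a strict need.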

Scope profile

The profile scope authorizes the client to retrieve some basic claims identifying the user. By now, the SWITCH edu-ID OP can release the following claims in the profile scope:

Claim        Type    edu-ID source attribute      Additional information
given_name   string  givenName                    -
family_name  string  surname                      -
name         string  displayName                  -
gender       string  swissEduPersonGender         Possible values: 'male', 'female', 'not applicable'
birthdate    string  swissEduPersonDateOfBirth    Format: YYYY-MM-DD (whereas swissEduPersonDateOfBirth uses YYYYMMDD)
locale       string  preferredLanguage            -

Scope email

The email scope authorizes the client to retrieve the email address of the user as well as its verification status:

Claim           Type     edu-ID source attribute  Additional information
email           string   mail                     -
email_verified  boolean  -                        Is always set to 'true'

The edu-ID user registration process enforces initial email address verification, so the email_verified value will always return 'true'. This does, however, not guarantee that the address still exists, as there is no re-verification process once the user has set it as primary email address. Furthermore, the primary email address is the contact address as defined by the account owner and may change over time.

Scope https://login.eduid.ch/authz/User.Read

The scope https://login.eduid.ch/authz/User.Read is a non-standard scope supported by the SWITCH edu-ID OP. It has been introduced as a container for all claims the edu-ID OP supports which are not mapped to a claim in any standard OIDC scope. It can be treated like all other scopes in client requests to the OP.

Claim                                Type        edu-ID source attribute
swissEduPersonUniqueID               string      swissEduPersonUniqueID
swissEduPersonMobilePhone            JSON array  mobile
swissEduPersonBusinessPhone          JSON array  telephoneNumber
swissEduPersonHomePhone              JSON array  homePhone
swissEduPersonMinimumAgeCategory     string      swissEduPersonMinimumAgeCategory
swissLibraryPersonResidenceCanton    string      swissLibraryPersonResidenceCanton
schacPersonalUniqueCode              JSON array  schacPersonalUniqueCode
eduPersonEntitlement                 JSON array  eduPersonEntitlement
swissEduIDAssociatedMail             JSON array  swissEduIDAssociatedMail
swissEduIDLinkedAffiliation          JSON array  swissEduIDLinkedAffiliation
swissEduIDLinkedAffiliationMail      JSON array  swissEduIDLinkedAffiliationMail
swissEduIDLinkedAffiliationUniqueID  JSON array  swissEduIDLinkedAffiliationUniqueID
swissEduID                           string      swissEduID
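A client consuming the profile, email and User.Read claims above should check what it receives rather than trust the shape of the UserInfo response. The following is an added example, not code from SWITCH or the edu-ID OP: it validates a UserInfo response against the claim types in the tables on this page (string, boolean, JSON array of strings), checks the gender values and the YYYY-MM-DD birthdate format, converts birthdate to the YYYYMMDD layout of swissEduPersonDateOfBirth, and refuses a response whose sub differs from the ID Token's sub, which OIDC Core section 5.3.2 requires clients to verify. The sample UserInfo document is constructed; it deliberately carries a mistyped swissEduPersonUniqueID so the rejection path is exercised.

```python
import json
from datetime import datetime

# Claim types as listed in the scope tables on this page; "array" is the page's "JSON array",
# assumed here to hold strings, which is how the multi-valued source attributes are represented.
CLAIM_TYPES = {
    "sub": "string",
    "given_name": "string", "family_name": "string", "name": "string",
    "gender": "string", "birthdate": "string", "locale": "string",
    "email": "string",
    # Always 'true' for edu-ID (initial verification only); it says nothing about whether the
    # address still works today, so treat it as a type check, not a deliverability guarantee.
    "email_verified": "boolean",
    "swissEduPersonUniqueID": "string",
    "swissEduPersonMobilePhone": "array",
    "swissEduPersonBusinessPhone": "array",
    "swissEduPersonHomePhone": "array",
    "swissEduPersonMinimumAgeCategory": "string",
    "swissLibraryPersonResidenceCanton": "string",
    "schacPersonalUniqueCode": "array",
    "eduPersonEntitlement": "array",
    "swissEduIDAssociatedMail": "array",
    "swissEduIDLinkedAffiliation": "array",
    "swissEduIDLinkedAffiliationMail": "array",
    "swissEduIDLinkedAffiliationUniqueID": "array",
    "swissEduID": "string",
}
GENDER_VALUES = {"male", "female", "not applicable"}

# Constructed sample response (no real person); swissEduPersonUniqueID is mistyped on purpose.
SAMPLE_USERINFO = json.dumps({
    "sub": "c0ffee-pairwise-example",
    "given_name": "Ada", "family_name": "Example", "name": "Ada Example",
    "gender": "female", "birthdate": "1990-07-15", "locale": "de",
    "email": "ada@example.org", "email_verified": True,
    "swissEduPersonMobilePhone": ["+41 00 000 00 00"],
    "eduPersonEntitlement": ["urn:mace:example.org:entitlement:demo"],
    "swissEduPersonUniqueID": 12345,
})


def _has_type(kind: str, value) -> bool:
    if kind == "string":
        return isinstance(value, str)
    if kind == "boolean":
        return isinstance(value, bool)
    if kind == "array":
        return isinstance(value, list) and all(isinstance(v, str) for v in value)
    return False


def validate_userinfo(userinfo_json: str, id_token_sub: str) -> dict:
    """Return {'claims': well-formed claims, 'problems': reasons for dropped claims}.

    Raises ValueError when 'sub' is missing or differs from the ID Token's sub
    (OIDC Core 5.3.2): such a response must not be used at all.
    """
    claims = json.loads(userinfo_json)
    if claims.get("sub") != id_token_sub:
        raise ValueError("UserInfo 'sub' does not match the ID Token 'sub'; discard the response")
    accepted, problems = {}, []
    for name, value in claims.items():
        kind = CLAIM_TYPES.get(name)
        if kind is None:
            problems.append(f"{name}: not in this page's claim tables, ignored")
            continue
        if not _has_type(kind, value):
            problems.append(f"{name}: expected {kind}, got {type(value).__name__}")
            continue
        if name == "gender" and value not in GENDER_VALUES:
            problems.append(f"gender: unexpected value {value!r}")
            continue
        if name == "birthdate":
            try:
                datetime.strptime(value, "%Y-%m-%d")  # rejects the YYYYMMDD source layout
            except ValueError:
                problems.append("birthdate: expected YYYY-MM-DD")
                continue
        accepted[name] = value
    return {"claims": accepted, "problems": problems}


def to_swiss_edu_person_date_of_birth(birthdate: str) -> str:
    """Convert the OIDC birthdate (YYYY-MM-DD) to the swissEduPersonDateOfBirth layout (YYYYMMDD)."""
    return datetime.strptime(birthdate, "%Y-%m-%d").strftime("%Y%m%d")


if __name__ == "__main__":
    result = validate_userinfo(SAMPLE_USERINFO, "c0ffee-pairwise-example")
    print("accepted:", sorted(result["claims"]))
    print("problems:", result["problems"])
    print("source-format birthdate:", to_swiss_edu_person_date_of_birth(result["claims"]["birthdate"]))
```

Dropping a malformed claim instead of failing the whole login is a design choice: a single filtered or oddly typed attribute should not lock the user out, whereas a sub mismatch is a hard failure because nothing in the response can then be attributed to the authenticated user.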

Scope offline_access (Refresh Token)

Clients configured for the scope offline_access receive a refresh token (OIDC Spec). The refresh token is particularly useful for personal mobile clients, to prevent a user from having to re-authenticate every day. At client registration in the Resource Registry, specify the Offline Access grant type so the OP will grant the client offline access on request.

Check the Tokens documentation for details on the refresh token.
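To show how a client requests the scopes described on this page, including offline_access, and then uses the refresh token it received, here is an added example that is not part of the SWITCH edu-ID documentation or code. It builds the authorization request URL, builds a refresh_token grant request for the token endpoint with client_secret_basic authentication (RFC 6749 sections 2.3.1 and 6), and updates the client's stored tokens from the response, keeping the new refresh token when the OP rotates it and clearing both tokens on an error such as invalid_grant, after which the user has to sign in again. The endpoint URLs, client credentials, tokens and token responses are constructed placeholders; take the real endpoints from the OP's discovery document.

```python
import base64
import json
import secrets
from urllib.parse import quote, urlencode

# Constructed placeholders: use the endpoints from the OP's discovery document and the
# client credentials issued through the Resource Registry instead.
AUTHORIZATION_ENDPOINT = "https://op.example/authorize"
TOKEN_ENDPOINT = "https://op.example/token"


def build_authorization_url(client_id: str, redirect_uri: str, scopes: list, state: str, nonce: str) -> str:
    """Authorization code request for the given scopes; openid is mandatory, offline_access optional."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is required for an OIDC request")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,   # binds the response to this browser session (CSRF protection)
        "nonce": nonce,   # echoed in the ID Token, binds the token to this request
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def build_refresh_token_request(client_id: str, client_secret: str, refresh_token: str):
    """Return (url, headers, body) for a refresh_token grant using client_secret_basic."""
    # RFC 6749 2.3.1: form-urlencode id and secret before joining and base64-encoding them.
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return TOKEN_ENDPOINT, headers, body


def apply_token_response(stored: dict, response_body: str) -> dict:
    """Update stored tokens from a token endpoint response.

    A new refresh_token in the response replaces the old one (rotation); if none is
    returned the existing refresh token stays valid. On an error the tokens are cleared,
    since a revoked or expired refresh token cannot be recovered without a new login.
    """
    resp = json.loads(response_body)
    if "error" in resp:
        return {"access_token": None, "refresh_token": None, "expires_in": None, "error": resp["error"]}
    return {
        "access_token": resp["access_token"],
        "refresh_token": resp.get("refresh_token", stored.get("refresh_token")),
        "expires_in": resp.get("expires_in"),
        "error": None,
    }


if __name__ == "__main__":
    url = build_authorization_url(
        "client-123", "https://app.example.org/cb",
        ["openid", "profile", "email", "offline_access"],
        secrets.token_urlsafe(16), secrets.token_urlsafe(16),
    )
    print(url)
    _, headers, body = build_refresh_token_request("client-123", "s3cret", "rt-old")
    print(body)  # the Authorization header and tokens are credentials: keep them out of logs
    # Constructed token endpoint response with a rotated refresh token.
    tokens = apply_token_response({"refresh_token": "rt-old"},
                                  '{"access_token": "at-2", "token_type": "Bearer", "refresh_token": "rt-new"}')
    print("refresh token rotated:", tokens["refresh_token"] == "rt-new")
```

On a mobile client the refresh token is a long-lived credential equivalent to the user's session; it belongs in the platform's protected storage rather than in preferences or log files.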


Additional scopes

The SWITCH edu-ID OP is able to support additional scopes not related to claim release. Use cases are scopes in access tokens, which are used for accessing a separate resource server where the trust between client and resource server is established via SWITCH edu-ID. Support for resource servers is currently on the Roadmap and is to be implemented.

The standard scopes phone and address are not supported by the edu-ID OP yet, since there is no preferred phone or address defined for users. However, the claims swissEduPersonMobilePhone, swissEduPersonHomePhone and swissEduPersonBusinessPhone might be available via the https://login.eduid.ch/authz/User.Read scope if configured in the Resource Registry.

Claim acr

See Development and Testing