Scopes and Claims
Important note: Currently, clients retrieve claims from the UserInfo endpoint even if they do not request the respective scopes, as long as the claims are marked "required" or "desired" in the Resource Registry. However, we are currently implementing the edu-ID OP to be more conformant to OIDC standards. Hence from 12 April 2023, it will be necessary to request the respective scopes in order to retrieve the claims (in the OIDC Test Federation, the change has been activated on 2 March 2023).
Clients have been informed and will receive another reminder if the required changes have not been applied.
The OIDC service supports edu-ID only attribute model configurations. It basically provides data from the personal part of an edu-ID. Optionally, affiliation data is available by using the extended attribute model.
The SWITCH edu-ID OP releases user attributes on request of certain OIDC scopes as listed below. However, for reasons of data economy, clients shall only receive the claims they actually require; therefore the claims released within each scope can be filtered in the Resource Registry. All required attributes are then available from the UserInfo endpoint of the OP when requested with the respective scopes, provided they exist for this particular user. See the Token documentation for details on claims released within the ID Token.
The following scopes are supported by the SWITCH edu-ID OP and can be requested by relying parties. Please refer to the OIDC specification for details on the various standard scopes and claims.
Scope openid
The openid scope is required to indicate that the application intends to use OIDC to verify the user's identity and to obtain the standardized ID token, according to Section 2 of the OIDC specification.
Special remarks:
- sub
  The sub claim (subject) is a pairwise identifier, a unique value per user and service. SWITCH edu-ID offers pairwise IDs for a whole group of services, called a sector. Multiple RPs with the same sector will get the same subject for each user. A client's sector is specified in the Resource Registry. It is recommended to use the sub claim as the main identifier.
- nonce
  SWITCH edu-ID supports nonces to mitigate replay attacks. Public clients must send a nonce. The SWITCH edu-ID OP refuses to serve public clients not sending a nonce in their Authentication Request.
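The two remarks above (pairwise sub as the stable identifier, and a mandatory nonce against replay) are easiest to see in a client that builds the Authentication Request and then checks the returned ID token. The following is an added illustration, not code from SWITCH edu-ID; the endpoint, issuer, client_id and redirect_uri are placeholders that a real client takes from the OP's discovery document and its Resource Registry registration. It assumes the ID token's signature has already been verified by a JOSE library and only checks the decoded payload.

```python
import secrets
import time
from urllib.parse import urlencode

# Placeholder values (assumptions for this example, not taken from the documentation).
AUTHORIZATION_ENDPOINT = "https://op.example.org/authorize"
ISSUER = "https://op.example.org"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://rp.example.org/callback"

# openid is mandatory; the other three scopes are the ones documented on this page.
DEFAULT_SCOPES = ("openid", "profile", "email", "https://login.eduid.ch/authz/User.Read")


def new_nonce() -> str:
    """Fresh, unguessable nonce. Store it server-side in the login session."""
    return secrets.token_urlsafe(32)


def build_authorization_request(scopes=DEFAULT_SCOPES, state=None, nonce=None) -> tuple:
    """Return (url, state, nonce) for the Authorization Code flow."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is mandatory for an OIDC authentication request")
    state = state or secrets.token_urlsafe(16)   # CSRF binding of the callback
    nonce = nonce or new_nonce()                  # replay binding of the ID token
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),                # space-separated per OIDC
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), state, nonce


def validate_id_token_claims(claims: dict, expected_nonce: str, now: float = None) -> str:
    """Check a decoded ID token payload and return its pairwise 'sub'.

    The nonce must equal the one stored in the session for this login attempt;
    a mismatch means the token was not issued for this request (replay or mix-up).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not aud or CLIENT_ID not in aud:
        raise ValueError("ID token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    nonce = claims.get("nonce")
    if not nonce or not secrets.compare_digest(nonce, expected_nonce):
        raise ValueError("nonce mismatch: possible replay")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("ID token carries no sub")
    # sub is stable per user within the client's sector: use it as the account key,
    # never the email address, which the user may change.
    return sub


if __name__ == "__main__":
    url, state, nonce = build_authorization_request()
    print(url)
    # Constructed payload standing in for a verified ID token from the OP.
    sample = {"iss": ISSUER, "aud": CLIENT_ID, "exp": time.time() + 300,
              "nonce": nonce, "sub": "pairwise-sub-EXAMPLE"}
    print("subject:", validate_id_token_claims(sample, nonce))
```

The nonce is compared with a constant-time function and must be consumed once: delete it from the session after a successful check so the same ID token cannot be presented a second time.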
Scope profile
The profile scope authorizes the client to retrieve some basic claims identifying the user. By now, the SWITCH edu-ID OP can release the following claims in the profile scope:
Claim | Type | edu-ID source attribute | Additional information |
--- | --- | --- | --- |
given_name | string | givenName | - |
family_name | string | surname | - |
name | string | displayName | - |
gender | string | swissEduPersonGender | Possible values: 'male', 'female', 'not applicable' |
birthdate | string | swissEduPersonDateOfBirth | Format: YYYY-MM-DD (whereas swissEduPersonDateOfBirth uses YYYYMMDD) |
locale | string | preferredLanguage | - |
Scope email
The email scope authorizes the client to retrieve the email address of the user as well as its verification status:
Claim | Type | edu-ID source attribute | Additional information |
--- | --- | --- | --- |
email | string | - | - |
email_verified | boolean | - | Is always set to 'true' |
The edu-ID user registration process enforces initial email address verification, so the email_verified value will always return 'true'. This does not, however, guarantee that the address still exists, as there is no re-verification once the user has set it as the primary email address. Furthermore, the primary email address is the contact address as defined by the account owner and may change over time.
Scope https://login.eduid.ch/authz/User.Read
The scope https://login.eduid.ch/authz/User.Read is a non-standard scope supported by the SWITCH edu-ID OP. It has been introduced as a container for all claims the edu-ID OP supports, which are not mapped to some claim in any standard OIDC scope. It can be treated like all other scopes in client requests to the OP.
Claim | Type | edu-ID source attribute |
--- | --- | --- |
swissEduPersonUniqueID | string | swissEduPersonUniqueID |
swissEduPersonMobilePhone | JSON array | mobile |
swissEduPersonBusinessPhone | JSON array | telephoneNumber |
swissEduPersonHomePhone | JSON array | homePhone |
swissEduPersonMinimumAgeCategory | string | swissEduPersonMinimumAgeCategory |
swissLibraryPersonResidenceCanton | string | swissLibraryPersonResidenceCanton |
schacPersonalUniqueCode | JSON array | schacPersonalUniqueCode |
eduPersonEntitlement | JSON array | eduPersonEntitlement |
swissEduIDAssociatedMail | JSON array | swissEduIDAssociatedMail |
swissEduIDLinkedAffiliation | JSON array | swissEduIDLinkedAffiliation |
swissEduIDLinkedAffiliationMail | JSON array | swissEduIDLinkedAffiliationMail |
swissEduIDLinkedAffiliationUniqueID | JSON array | swissEduIDLinkedAffiliationUniqueID |
swissEduID | string | swissEduID |
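The profile, email and User.Read tables above together define the shape a client should expect from the UserInfo endpoint: which claims belong to which scope, which are strings and which are JSON arrays, and that email_verified is a boolean the client must not over-interpret. The following is an added example, not code from SWITCH edu-ID, of a client-side consumer that applies those tables to a UserInfo response. It checks the UserInfo sub against the ID token sub (required by OIDC Core 5.3.2), type-checks each claim, ignores claims outside the requested scopes, and validates the documented birthdate format and gender values. The sample response is constructed for the example.

```python
import json
from datetime import datetime

# Expected JSON types per claim, taken from the scope tables in this documentation.
PROFILE_CLAIMS = {"given_name", "family_name", "name", "gender", "birthdate", "locale"}
EMAIL_CLAIMS = {"email", "email_verified"}
USER_READ_ARRAY_CLAIMS = {
    "swissEduPersonMobilePhone", "swissEduPersonBusinessPhone", "swissEduPersonHomePhone",
    "schacPersonalUniqueCode", "eduPersonEntitlement", "swissEduIDAssociatedMail",
    "swissEduIDLinkedAffiliation", "swissEduIDLinkedAffiliationMail",
    "swissEduIDLinkedAffiliationUniqueID",
}
USER_READ_STRING_CLAIMS = {
    "swissEduPersonUniqueID", "swissEduPersonMinimumAgeCategory",
    "swissLibraryPersonResidenceCanton", "swissEduID",
}
STRING_CLAIMS = PROFILE_CLAIMS | {"email"} | USER_READ_STRING_CLAIMS
ARRAY_CLAIMS = USER_READ_ARRAY_CLAIMS
BOOLEAN_CLAIMS = {"email_verified"}
GENDER_VALUES = {"male", "female", "not applicable"}

# Claims a scope may carry; the Resource Registry may filter these further.
SCOPE_CLAIMS = {
    "profile": PROFILE_CLAIMS,
    "email": EMAIL_CLAIMS,
    "https://login.eduid.ch/authz/User.Read": USER_READ_ARRAY_CLAIMS | USER_READ_STRING_CLAIMS,
}


def validate_userinfo(body: str, id_token_sub: str, requested_scopes) -> tuple:
    """Parse a UserInfo JSON body; return (accepted_claims, ignored_claim_names)."""
    data = json.loads(body)
    # A UserInfo response whose sub differs from the ID token's sub must be discarded.
    if data.get("sub") != id_token_sub:
        raise ValueError("UserInfo 'sub' does not match the ID token 'sub'")
    allowed = set()
    for scope in requested_scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    accepted, ignored = {"sub": data["sub"]}, []
    for claim, value in data.items():
        if claim == "sub":
            continue
        if claim not in allowed:
            ignored.append(claim)           # not requested: do not act on it
            continue
        if claim in STRING_CLAIMS and not isinstance(value, str):
            raise TypeError(f"{claim} must be a string")
        if claim in ARRAY_CLAIMS and not (
            isinstance(value, list) and all(isinstance(v, str) for v in value)
        ):
            raise TypeError(f"{claim} must be a JSON array of strings")
        if claim in BOOLEAN_CLAIMS and not isinstance(value, bool):
            raise TypeError(f"{claim} must be a boolean")
        if claim == "birthdate":
            datetime.strptime(value, "%Y-%m-%d")   # documented format YYYY-MM-DD
        if claim == "gender" and value not in GENDER_VALUES:
            raise ValueError(f"unexpected gender value {value!r}")
        accepted[claim] = value
    return accepted, ignored


# Constructed sample response for this example (not a real edu-ID response).
SAMPLE_USERINFO = json.dumps({
    "sub": "pairwise-sub-EXAMPLE",
    "given_name": "Ada", "family_name": "Example", "name": "Ada Example",
    "gender": "female", "birthdate": "1990-01-31", "locale": "de",
    "email": "ada@example.org", "email_verified": True,
    "swissEduPersonMobilePhone": ["+41 00 000 00 00"],
    "eduPersonEntitlement": ["urn:mace:example:entitlement"],
    "phone_number": "+41 00 000 00 00",   # outside every requested scope: ignored
})

if __name__ == "__main__":
    scopes = {"openid", "profile", "email", "https://login.eduid.ch/authz/User.Read"}
    accepted, ignored = validate_userinfo(SAMPLE_USERINFO, "pairwise-sub-EXAMPLE", scopes)
    print(accepted)
    print("ignored:", ignored)
```

Because email_verified is always true for edu-ID and the primary address may change, the example keys nothing on the email address: the accepted sub is the account identifier, and the email is contact data that a client should be prepared to refresh.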
Scope offline_access (Refresh Token)
Clients configured for the scope offline_access receive a refresh token (OIDC Spec). The refresh token is particularly useful for personal mobile clients, to prevent a user from having to re-authenticate every day. At client registration in the Resource Registry, specify the Offline Access grant type so the OP will grant the client offline access on request.
Check the Tokens documentation for details on the refresh token.
Additional scopes
The SWITCH edu-ID OP is able to support additional scopes not related to claim release. Use cases are scopes in access tokens that are used for accessing a separate resource server, where the trust between client and resource server is established via SWITCH edu-ID. Support for resource servers is currently on the roadmap and not yet implemented.
The standard scopes phone and address are not supported by the edu-ID OP yet since there is no preferred phone or address defined for users. However, the claims swissEduPersonMobilePhone, swissEduPersonHomePhone, swissEduPersonBusinessPhone might be available via the https://login.eduid.ch/authz/User.Read scope if configured in the Resource Registry.
Claim acr