Claims

Scopes

  • Keys, not key:value pairs: they express what the client is allowed to do on the user's behalf, not the user's own privileges

  • Requested by the client

  • Authorized by the AS

  • Examples: read, openid, user_invoice_update, etc.

  • Sometimes require consent from the user (useful for third-party client integrations)

Claims

  • key:value items (user attributes) within the token

  • Asserted by the issuer; each one states something the issuer vouches for about the subject, so it is only trustworthy after the token's signature, issuer and audience have been validated

  • Used for fine grained access control
