Hi,
In the past we’ve overloaded the `id_token` in OIDC responses from Auth0 with custom claims, such as the group data claims, for compatibility.
This is no longer needed and is incorrect, as RPs which require a smaller `id_token` would normally just request the scope `openid` and expect a small response back instead of the currently long response.
Once mozilla-iam/auth0-deploy PR #269 ("do not overload the id_token when the client only request scope:openid - we currently overload it with custom claims and that's not the intended effect", by gdestuynder) is deployed, this will be fixed:
- `scope:openid` will correctly return a small `id_token`, therefore allowing us to use SSO for AWS CLI authentication, for example.
- `scope:openid profile` is the currently recommended scope to get full profile information back from the user, part of which is reflected in the `id_token` at this time.
- `scope:openid email` and other similar selections will return the requested claim (email) but will still also add the custom Mozilla claims in addition to it.
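An added example, not code from the post or from the mozilla-iam/auth0-deploy project, of the check an RP could run to confirm the behaviour described above: decode an `id_token`, and, given the scope the client requested, list any claims the scope does not cover. The scope-to-claim mapping follows OpenID Connect Core 1.0 section 5.4. Everything else is constructed for the demo and is an assumption: the issuer and client id, the signing key, the `https://example.com/claim/groups` claim name standing in for a custom groups claim (not Mozilla's actual claim names), and HS256 with a shared key in place of the RS256 signatures a real provider would publish via JWKS.

```python
import base64
import hashlib
import hmac
import json

# Claims the ID Token carries regardless of scope (OIDC Core 1.0 sections 2, 3.1.3.6, 3.3.2.11).
BASE_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce",
               "acr", "amr", "azp", "at_hash", "c_hash"}

# Claims each standard scope asks for (OIDC Core 1.0 section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"     # constructed; HS256 only for the demo
CUSTOM_GROUPS_CLAIM = "https://example.com/claim/groups"  # hypothetical custom claim name


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(payload, key):
    """Build an HS256-signed compact JWS; used here only to construct sample tokens."""
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in ({"alg": "HS256", "typ": "JWT"}, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_id_token(token, key):
    """Verify the HS256 signature and return the claims; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a three-part compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def allowed_claims(scope):
    """Claim names a client that requested `scope` should expect in its id_token."""
    scopes = scope.split()
    if "openid" not in scopes:
        raise ValueError("an OIDC request must include the openid scope")
    allowed = set(BASE_CLAIMS)
    for s in scopes:
        allowed |= SCOPE_CLAIMS.get(s, set())
    return allowed


def unexpected_claims(payload, scope):
    """Claims in the token that the requested scope does not account for."""
    return sorted(set(payload) - allowed_claims(scope))


def audit(token, scope, key=DEMO_KEY):
    """Return the token length and the claims that overload it for the given scope."""
    payload = decode_id_token(token, key)
    return {"length": len(token), "unexpected": unexpected_claims(payload, scope)}


# Constructed sample tokens: the small response scope=openid should produce, and an
# id_token overloaded with a profile claim and a custom groups claim.
_BASE = {"iss": "https://issuer.example", "sub": "auth0|demo-user",
         "aud": "aws-cli-client", "iat": 1500000000, "exp": 1500003600}
SMALL_TOKEN = make_id_token(_BASE, DEMO_KEY)
OVERLOADED_TOKEN = make_id_token(
    {**_BASE, "name": "Demo User", CUSTOM_GROUPS_CLAIM: ["team-a", "team-b"]}, DEMO_KEY)

if __name__ == "__main__":
    for label, tok in (("scope=openid, small", SMALL_TOKEN),
                       ("scope=openid, overloaded", OVERLOADED_TOKEN)):
        print(label, audit(tok, "openid"))
```

Run against a real `id_token`, `audit(token, "openid")` returning anything other than an empty list is the overloading the post describes; with `"openid profile"` the standard profile claims drop out of the list and only the custom claims remain.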