PSA: New change for relying parties: `scope:openid` will no longer overload the id_token


In the past we’ve overloaded the id_token in OIDC responses from OAuth0 with custom claims such as the group data claims, for compatibility.

This is no longer needed and incorrect - as RPs which require a smaller id_token would normally just request the scope:openid and expect a small response back instead of the currently long response.

Once is deployed, this will be fixed:

  • scope:openid will correctly return a small id_token, therefore allowing us to use SSO for AWS CLI authentication for example

  • scope:openid profile is the currently recommended scope to get full profile information back from the user, part of which is reflected in the id_token at this time

  • scope:openid email and other similar selection will return the requested claim (email) but still also add the custom Mozilla claims in addition to it.

1 Like