In the past we overloaded the `id_token` in OIDC responses from Auth0 with custom claims, such as the group data claims, for compatibility.
This is no longer needed and was incorrect: an RP that needs a small `id_token` would normally just request `scope:openid` and expect a small response back, rather than the currently long one.
Once https://github.com/mozilla-iam/auth0-deploy/pull/269 is deployed, this will be fixed:

- `scope:openid` will correctly return a small `id_token`, which for example allows us to use SSO for AWS CLI authentication.
- `scope:openid profile` is the currently recommended scope to get full profile information back about the user, part of which is reflected in the `id_token` at this time.
- `scope:openid email` and other similar selections will return the requested claim (
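The following is an added example, not code from the mozilla-iam project or the page above. It checks the property the page describes: that an `id_token` carries only the claims the requested scopes authorise (per OpenID Connect Core 1.0, section 5.4), and flags overloading such as the old group data claims. The tokens are constructed inline and signed with HS256 under a test secret so the example runs offline; real Auth0 `id_token`s are RS256-signed and must be verified against the tenant's JWKS. The `groups` claim name, the issuer, `sub` and client id are all stand-ins.

```python
import base64
import hashlib
import hmac
import json
import time

# Claims each standard OIDC scope authorises the OP to put in the id_token
# (OpenID Connect Core 1.0, section 5.4). The "openid" entry covers the core
# claims every id_token may carry (section 2).
SCOPE_CLAIMS = {
    "openid": {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce",
               "acr", "amr", "azp", "at_hash"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def expected_claims(scope):
    """Return the set of claims a space-separated scope string authorises."""
    scopes = scope.split()
    if "openid" not in scopes:
        raise ValueError("an OIDC request must include the openid scope")
    allowed = set()
    for s in scopes:
        # Unknown or custom scopes authorise no standard claims.
        allowed |= SCOPE_CLAIMS.get(s, set())
    return allowed


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_id_token(claims, secret):
    """Build an HS256-signed JWT. Test helper only: Auth0 signs id_tokens with
    RS256, and a relying party verifies them against the tenant's JWKS."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_test_id_token(token, secret):
    """Verify the HS256 signature and return the claims; refuse any other alg."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm so an attacker cannot downgrade to alg=none etc.
        raise ValueError("unexpected alg, refusing to verify")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def unauthorised_claims(token, secret, scope):
    """Claims present in the id_token that the requested scope did not ask for.
    A non-empty result is the kind of overloading the page describes."""
    return set(decode_test_id_token(token, secret)) - expected_claims(scope)


# Constructed sample data, not captured from a real Auth0 tenant.
SECRET = b"test-only-shared-secret"
NOW = int(time.time())
CORE = {"iss": "https://example.auth0.com/", "sub": "auth0|12345",
        "aud": "my-client-id", "iat": NOW, "exp": NOW + 3600}
# The old overloaded shape: core claims plus profile, email and a custom
# group claim ("groups" is a stand-in name for the group data claims).
OVERLOADED = make_test_id_token(
    {**CORE, "name": "Jane Doe", "email": "jdoe@example.com", "groups": ["team_a"]},
    SECRET)
# What scope:openid should return once the fix is deployed.
MINIMAL = make_test_id_token(CORE, SECRET)

if __name__ == "__main__":
    print(sorted(unauthorised_claims(OVERLOADED, SECRET, "openid")))
    print(sorted(unauthorised_claims(OVERLOADED, SECRET, "openid profile email")))
    print(sorted(unauthorised_claims(MINIMAL, SECRET, "openid")))
```

Running it shows the overloaded token leaks `email`, `groups` and `name` to an RP that only asked for `openid`, still leaks `groups` when `openid profile email` is requested, and the minimal token leaks nothing. An RP can run the same check against its real `id_token` after swapping the test decoder for a proper RS256/JWKS verifier.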