"scope" 是标准声明吗?

Is "scope" a standard claim?

Is there any standard "scope" claim in OpenID Connect, JWT or OAuth?

In the IdentityServer 4 documentation there is a "scope" claim, which is a space-separated string:

{
  "client_id": "mobile_app",
  "sub": "123",
  "scope": "read write delete"
}

But from my own IdentityServer 4 instance I get a "scope" claim in the access token that is an array of strings:

{
  // ...
  "client_id": "mobile_app",
  "sub": "123",
  "scope": [ "openid", "profile", "email", "offline_access" ],
  "amr": [ "pwd" ]
}

In the OpenID Connect Core 1.0 specification I do not see "scope" listed as a claim. In the RFC 7519 JSON Web Token (JWT) specification I do not see "scope" listed as a claim either.

Most providers support the AT+JWT token type, and the specification for it states that the token should contain a scope claim.

It says:

If an authorization request includes a scope parameter, the corresponding issued JWT access token MUST include a scope claim as defined in section 4.2 of [TokenExchange].

All the individual scopes strings in the scope claim MUST have meaning for the resource indicated in the aud claim.

The scope claim is standardized by the Token Exchange RFC. According to that specification it should be a JSON string containing space-separated scope tokens:

The value of the "scope" claim is a JSON string containing a space-separated list of scopes associated with the token...
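The practical consequence for a resource server is that both shapes shown in the question occur in the wild: the standard space-separated string from the Token Exchange RFC and the array of strings that IdentityServer 4 emits. The following is an added example (not code from the question, the answer, or IdentityServer) that normalizes the "scope" claim into a set of scope tokens, accepts both encodings, rejects anything else as malformed, and checks the token against the scopes an endpoint requires. The sample claim sets are constructed from the question's two JSON snippets; the function names are my own.

```python
"""Normalize the JWT "scope" claim across the two shapes seen in the wild.

RFC 8693 section 4.2 defines "scope" as a single JSON string of
space-separated scope tokens.  Some issuers, IdentityServer 4 among them,
emit a JSON array of strings instead.  A resource server that enforces
scopes should accept both and reject anything else.
Added example; not code from the question, the answer, or IdentityServer.
"""
import json
from typing import Iterable


def normalize_scope(claims: dict) -> frozenset:
    """Return the set of scope tokens carried by the "scope" claim.

    Accepts the standard space-separated string and the array-of-strings
    variant.  Any other shape (number, object, array with non-string
    members, element containing whitespace) is treated as malformed and
    rejected, so scopes cannot arrive in an encoding the checks below do
    not understand.
    """
    raw = claims.get("scope")
    if raw is None:
        return frozenset()                # no scope claim: token grants no scopes
    if isinstance(raw, str):
        return frozenset(raw.split())     # split() tolerates repeated spaces
    if isinstance(raw, list) and all(isinstance(s, str) for s in raw):
        tokens = []
        for s in raw:
            # an empty element or one containing a space is ambiguous; reject it
            if not s or " " in s:
                raise ValueError(f"malformed scope element: {s!r}")
            tokens.append(s)
        return frozenset(tokens)
    raise ValueError(f"unsupported scope claim type: {type(raw).__name__}")


def has_required_scopes(claims: dict, required: Iterable[str]) -> bool:
    """True only if every scope in `required` is present on the token."""
    return set(required) <= normalize_scope(claims)


# Constructed sample payloads (decoded JWT claim sets).  The JWT signature is
# assumed to have been verified before these dicts are trusted at all.
SPACE_SEPARATED = json.loads(
    '{"client_id": "mobile_app", "sub": "123", "scope": "read write delete"}'
)
ARRAY_FORM = json.loads(
    '{"client_id": "mobile_app", "sub": "123",'
    ' "scope": ["openid", "profile", "email", "offline_access"], "amr": ["pwd"]}'
)

if __name__ == "__main__":
    print(sorted(normalize_scope(SPACE_SEPARATED)))              # ['delete', 'read', 'write']
    print(has_required_scopes(ARRAY_FORM, ["openid", "email"]))  # True
    print(has_required_scopes(ARRAY_FORM, ["write"]))            # False
```

Normalizing once at the edge and enforcing on a set keeps the scope check independent of which issuer produced the token; a required scope that is absent, or a claim in an unexpected shape, fails closed rather than being silently ignored.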