Scopes¶

Scopes are space-separated values in the scope parameter of /oidc/authorize. They control which claims appear in the id_token and userinfo response, and which permissions the access token grants.

Standard OIDC scopes¶

Scope	Grants
`openid`	Required for any OIDC flow. Returns `sub`, `iss`, `aud`, `exp`, `iat`, `auth_time`, `nonce`.
`profile`	`name`, `given_name`, `family_name`, `picture`, `locale`, `updated_at`.
`email`	`email`, `email_verified`.
`phone`	`phone_number`, `phone_number_verified`.
`address`	`address` object.
`offline_access`	Issues a `refresh_token` so you can renew without user interaction.

Little X Little custom scopes¶

Scope	Grants
`lxl.access`	The `lxl.access` claim — array of `"Section:Subsection"` permission strings for the current app.
`lxl.app`	The `lxl.app` claim — current NGO app code. Implied by `lxl.access`.
`lxl.master`	The `lxl.master` claim — `true` if the user is a master administrator on this app.
`lxl.role`	The `lxl.role` claim — branch + position string.
`lxl.links`	The `lxl.links` claim — array of linked external providers.

Best practices¶

Request the minimum. Only ask for email if you'll send mail; only ask for profile if you'll display a name.
Add offline_access only when needed. It makes long-lived tokens — protect them.
Combine openid with at least one of profile / email — openid alone gives you only an opaque sub.