Default Claims Supported
These are the default claims supported by Authway; custom support can be added for more or other claims in a customer instance. The scope that each claim belongs to is also the default and could differ for a specific customer.
Scope | Claim | Description |
---|---|---|
openid | sub | A unique value identifying the user. |
openid | tid | A unique value identifying the tenant the user belongs to. |
profile | family_name | The surname of the user. For example “Doe”. |
profile | given_name | The given name of the user. For example “Joe”. |
profile | name | The full name of the user (given_name + ’ ’ + family_name). For example “Joe Doe”. |
profile | preferred_username | The user name used during sign-in, most commonly the e-mail address. |
profile | picture | A URL to a picture of the user taken from Gravatar, or to the user's initials if the user has no Gravatar picture. |
email | email | The e-mail address of the user. Could exist twice if the user has another e-mail address registered on the person. |
email | email_verified | True if the e-mail address has been verified. It is always the e-mail address used as user name that is confirmed (or not). |
phone | phone_number | The phone number of the user. |
phone | phone_number_verified | True if the phone number has been verified; otherwise False. |
org | orgid | The unique identifier for the organisation the user belongs to. Will be the same as tid for users belonging to the parent organisation, but could be different for users belonging to a subsidiary. |
org | orgin | The organisation number identifying the organisation, if the value exists. |
org | company_name | The name of the organisation. |
roles | role | The name of a group the user belongs to. Zero, one or more claims of this type could exist, depending on the number of groups the user belongs to. |
perms | perm | The unique identifier of a permission that the user has. Zero, one or more claims of this type could exist, depending on the number of permissions the user has. |
Protocol claims
Claim | Description |
---|---|
amr | The authentication method used when the user signed in. The value is pwd for password or external for an external identity provider (idp). More than one amr claim can exist; for example, if multi-factor authentication is used there will also be an amr claim with the value mfa. |
idp | The identity provider used when amr is external, or local if the user signed in with a password. |
auth_time | The time the user authenticated. Can be used to evaluate whether a re-authentication is required. |
There are more protocol claims, but these are the ones most commonly used by developers.
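The following is an added example (not Authway's own code) of how a resource server would consume the default and protocol claims listed above once the token has been verified: it normalises multi-valued claims such as role, perm and amr (assumed to arrive as either a single string or a list, depending on how many instances were issued), evaluates auth_time against a maximum age to decide whether re-authentication is required, and checks for the mfa value in amr before allowing a sensitive permission. The sample payload is constructed for the example; the signature, issuer and audience checks are assumed to have happened already.

```python
"""Consuming Authway-style claims in a resource server.

Added example, not Authway's own code. It assumes the caller has already
verified the token signature, issuer and audience and passes the decoded
payload in as a plain dict. Multi-valued claims (role, perm, amr) are assumed
to arrive either as a single string or as a list of strings, depending on how
many instances were issued; both shapes are normalised below.
"""
import time

# Constructed sample payload using the claim names from the tables above;
# sub/tid reuse the example values on this page, the rest is made up.
SAMPLE_CLAIMS = {
    "sub": "295A0000-E969-E6E6-3826-08DB0DD1E036",
    "tid": "a27446b6-795e-4ccc-1da6-39fc52ae2b37",
    "preferred_username": "joe.doe@example.com",
    "email_verified": True,
    "amr": ["pwd", "mfa"],
    "idp": "local",
    "auth_time": 1700000000,
    "role": "admins",                          # one group -> a single string
    "perm": ["orders.read", "orders.write"],   # several permissions -> a list
}


def as_list(value):
    """Normalise a claim that may be absent, a single string, or a list."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    return [str(value)]


def needs_reauthentication(claims, max_age_seconds, now=None):
    """True if auth_time is missing, unparsable, or older than max_age_seconds.

    Fails closed: a token without a usable auth_time is treated as stale so a
    sensitive operation prompts for fresh authentication.
    """
    now = time.time() if now is None else now
    try:
        auth_time = int(claims["auth_time"])
    except (KeyError, TypeError, ValueError):
        return True
    return (now - auth_time) > max_age_seconds


def used_mfa(claims):
    """True if an amr claim with the value mfa was issued."""
    return "mfa" in as_list(claims.get("amr"))


def describe_sign_in(claims):
    """Summarise the sign-in method from the amr and idp claims."""
    amr = as_list(claims.get("amr"))
    if "external" in amr:
        return "external idp: " + str(claims.get("idp", "unknown"))
    if "pwd" in amr:
        return "password"
    return "unknown"


def authorize(claims, required_perm, require_mfa=False):
    """Allow the call only if the perm claims contain required_perm
    (and, when requested, the user signed in with MFA)."""
    if required_perm not in as_list(claims.get("perm")):
        return False
    if require_mfa and not used_mfa(claims):
        return False
    return True


if __name__ == "__main__":
    print("sign-in:", describe_sign_in(SAMPLE_CLAIMS))
    print("groups:", as_list(SAMPLE_CLAIMS.get("role")))
    print("needs re-auth (5 min):", needs_reauthentication(SAMPLE_CLAIMS, 300))
    print("may write orders with MFA:",
          authorize(SAMPLE_CLAIMS, "orders.write", require_mfa=True))
```

The `as_list` normalisation matters because a claim the table says can occur "zero, one or more" times is serialised as a single string when issued once and as an array when issued several times; code that only handles one shape silently grants or denies access depending on how many groups or permissions the user happens to have.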
Special claims
Impersonated users
If a user is impersonated there will be an act claim containing a serialized JSON structure with the standard claims of the original user performing the impersonation. For example:

```json
"act": {
  "oid": "d5542f98-8a6f-6d2a-cda0-39fc52ae2b58",
  "sub": "295A0000-E969-E6E6-3826-08DB0DD1E036",
  "tid": "a27446b6-795e-4ccc-1da6-39fc52ae2b37"
}
```
If impersonation is used there will also be a second amr claim with the value imp (for impersonate).
Linked accounts
If linked accounts are used, the sub claim will have the same value for all linked accounts (that is the definition of linked accounts), which means that it is no longer unique across all tenants. In that case an oid claim (object id) is also issued with a truly unique identifier across all tenants.
For linked accounts a may_login claim is also issued in the org scope, which contains a serialized JSON array with information about other organisations that the user could switch to. For example:

```json
"may_login": [
  {
    "oid": "d5542f98-8a6f-6d2a-cda0-39fc52ae2b58",
    "tid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
    "companyname": "Privatpersoner"
  }
]
```
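The following is an added example (not Authway's own code) covering both special-claim cases above: it treats the act claim together with the imp value in amr as the impersonation signal and attributes audit records to the acting user, and for linked accounts it keys per-user data on oid rather than sub and reads the may_login array to list the organisations the user could switch to. The payload is constructed for the example (the act and may_login values reuse the examples on this page); because the page describes act and may_login as serialized JSON, the code accepts each either as a JSON string or as an already-parsed object.

```python
"""Handling Authway's special claims: impersonation (act + amr imp) and
linked accounts (oid, may_login).

Added example, not Authway's own code. It assumes the token has already been
verified and its payload decoded into a dict. The act and may_login claims are
accepted either as a serialized JSON string or as an already-parsed object.
"""
import json

# Constructed sample payload. The act and may_login values reuse the examples
# on this page; the token's own sub/oid are made up for the example.
IMPERSONATED_CLAIMS = {
    "sub": "7f1c3a20-0000-4000-8000-000000000001",
    "oid": "0b9d6e2a-1111-4222-8333-444455556666",
    "tid": "a27446b6-795e-4ccc-1da6-39fc52ae2b37",
    "amr": ["pwd", "imp"],
    "act": json.dumps({
        "oid": "d5542f98-8a6f-6d2a-cda0-39fc52ae2b58",
        "sub": "295A0000-E969-E6E6-3826-08DB0DD1E036",
        "tid": "a27446b6-795e-4ccc-1da6-39fc52ae2b37",
    }),
    "may_login": json.dumps([{
        "oid": "d5542f98-8a6f-6d2a-cda0-39fc52ae2b58",
        "tid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
        "companyname": "Privatpersoner",
    }]),
}


def load_json_claim(value):
    """Return a serialized-JSON claim as a Python object (None if absent)."""
    if value is None:
        return None
    if isinstance(value, str):
        return json.loads(value)
    return value


def stable_user_id(claims):
    """Key for storing per-user data.

    Linked accounts share one sub across tenants, so sub alone is not a
    tenant-independent key; prefer oid whenever it is issued."""
    return claims.get("oid") or claims["sub"]


def impersonation_actor(claims):
    """Return the act claim (dict) when the request is impersonated, else None.

    The page states that act and an amr value of imp are issued together, so a
    token carrying only one of them is rejected instead of being half-trusted."""
    amr = claims.get("amr")
    amr = list(amr) if isinstance(amr, list) else ([] if amr is None else [amr])
    act = load_json_claim(claims.get("act"))
    if (act is None) != ("imp" not in amr):
        raise ValueError("inconsistent impersonation claims (act vs amr imp)")
    return act


def switchable_organisations(claims):
    """(tid, companyname) pairs from may_login, excluding the current tenant."""
    entries = load_json_claim(claims.get("may_login")) or []
    return [(e.get("tid"), e.get("companyname"))
            for e in entries if e.get("tid") != claims.get("tid")]


def audit_record(claims):
    """Audit fields for a request; when impersonation is in play the record
    also names the acting user so the action is attributable to a person."""
    actor = impersonation_actor(claims)
    record = {
        "user": stable_user_id(claims),
        "tenant": claims.get("tid"),
        "impersonated": actor is not None,
    }
    if actor is not None:
        record["actor_sub"] = actor.get("sub")
        record["actor_tid"] = actor.get("tid")
    return record


if __name__ == "__main__":
    print(audit_record(IMPERSONATED_CLAIMS))
    print("can switch to:", switchable_organisations(IMPERSONATED_CLAIMS))
```

Two design points worth noting: `stable_user_id` falls back to sub only when no oid is present, so data written for a linked account is never keyed on a value shared with another tenant's account; and `impersonation_actor` raises on a token that carries act without imp (or the reverse) rather than guessing, since an audit trail that silently drops the actor is worse than a rejected request.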