Authn.tech
Home
  • SAML 2.0
  • OAuth 2.0
  • OIDC
  • WebAuthn / Passkey
  • MFA / TOTP
  • LDAP
  • All Tools
  • JWT Decode
  • JWT Sign
  • JWK Gen
  • JWK → PEM
  • PEM → JWK
  • PKCE Gen
  • OIDC Discovery
  • TOTP
  • WebAuthn
  • SAML Codec
  • SAML Metadata
  • SAML Response
  • X.509 Cert
  • PEM Inspect
  • Base64URL
  • LDAP Filter
  • Overview & Roles
  • OIDC Mock
  • SAML Mock
  • Mail Server
  • LDAP Directory
  • OIDC Login Demo
  • SAML Login Demo
  • 简体中文
  • English
  • Deutsch
GitHub
Home
  • SAML 2.0
  • OAuth 2.0
  • OIDC
  • WebAuthn / Passkey
  • MFA / TOTP
  • LDAP
  • All Tools
  • JWT Decode
  • JWT Sign
  • JWK Gen
  • JWK → PEM
  • PEM → JWK
  • PKCE Gen
  • OIDC Discovery
  • TOTP
  • WebAuthn
  • SAML Codec
  • SAML Metadata
  • SAML Response
  • X.509 Cert
  • PEM Inspect
  • Base64URL
  • LDAP Filter
  • Overview & Roles
  • OIDC Mock
  • SAML Mock
  • Mail Server
  • LDAP Directory
  • OIDC Login Demo
  • SAML Login Demo
  • 简体中文
  • English
  • Deutsch
GitHub
  • OpenID Connect

    • OIDC Overview
    • Core Concepts
    • Typical Flows
    • Typical Parameters and Claims Reference

Typical Parameters and Claims Reference

This page is a quick reference; for flow context, see Typical Flows; for concept explanations, see Core Concepts.

Authentication Request Parameters

Parameters sent to the authorization endpoint (from OIDC perspective, including OAuth2 base parameters):

ParameterRequiredDescription
scopeRequiredSpace-separated; must include openid, otherwise it's a plain OAuth2 request and no ID Token is returned
response_typeRequiredDetermines flow: code (recommended) / id_token / code id_token, etc.
client_idRequiredClient identifier obtained when RP registered with OP
redirect_uriRequiredCallback address, must exactly match registered value (no wildcards allowed)
stateStrongly RecommendedOpaque random value, returned as-is in callback; RP validates to prevent CSRF and can carry return path and other state
nonceRecommended for code flow, required for implicit/hybridRandom value, OP writes it as-is into ID Token's nonce claim; RP validates to prevent replay
promptOptionalControls OP interaction behavior; see prompt values table below
max_ageOptionalMaximum authentication validity in seconds; if user's last authentication exceeds this, OP must re-authenticate and return auth_time in ID Token
login_hintOptionalLogin identifier hint (e.g., email); OP can pre-fill login field, commonly used in "we already know who the user is" scenarios
acr_valuesOptionalDesired authentication context level (space-separated, by priority), e.g., require MFA; result reflected in ID Token's acr
displayOptionalDesired display mode: page / popup / touch / wap
ui_localesOptionalDesired UI language, e.g., zh-CN zh en
code_challenge / code_challenge_methodRequired for public clientsPKCE parameters; use S256 for method

ID Token Claims

Required Claims

ClaimTypeDescription
issstring (URL)Issuer, must equal OP's issuer
substring (≤255 ASCII)User's unique identifier, stable and non-reused within the same OP; use iss + sub as local primary key
audstring or arrayAudience, must include RP's client_id
expnumberExpiration time (Unix seconds)
iatnumberIssue time (Unix seconds)

Conditional/Optional Claims

ClaimWhen AppearsDescription
nonceRequired if request included nonceOriginal nonce from request, RP must match
auth_timeRequired if request included max_age, otherwise optionalUser's actual authentication time
acrOptionalAchieved authentication context level
amrOptionalAuthentication methods array, e.g., ["pwd","otp"], ["mfa"]
azpRequired if aud is multi-valuedThe client_id actually authorized
at_hashRequired if implicit/hybrid returns access_tokenaccess token hash left half, prevents token substitution
c_hashRequired if hybrid returns codeAuthorization code hash left half
sidOptionalOP-side session ID, used by Back-Channel Logout to locate RP session

Standard Claims Overview (Grouped by Scope)

These claims appear in UserInfo response or ID Token:

scope=profile

ClaimTypeDescription
namestringFull name (for display)
given_namestringGiven name
family_namestringFamily name
middle_namestringMiddle name
nicknamestringNickname
preferred_usernamestringPreferred username; may change and may be non-unique, cannot be used as primary key
picturestring (URL)Avatar URL
profilestring (URL)Personal profile page
websitestring (URL)Personal website
genderstringGender
birthdatestringBirthdate, YYYY-MM-DD or YYYY (0000 means only month-day provided)
zoneinfostringTimezone, e.g., Asia/Shanghai
localestringLocale, e.g., zh-CN
updated_atnumberProfile last update time (Unix seconds)

scope=email

ClaimTypeDescription
emailstringEmail address
email_verifiedbooleanWhether email is verified by OP; must check it is true before doing business logic based on email matching

scope=phone

ClaimTypeDescription
phone_numberstringPhone number, recommended E.164 format, e.g., +8613800138000
phone_number_verifiedbooleanWhether verified

scope=address

ClaimTypeDescription
addressJSON objectContains subfields formatted, street_address, locality, region, postal_code, country

Discovery Document Key Fields

Key fields in /.well-known/openid-configuration most commonly used by RP:

FieldDescription
issuerOP identifier, must match the issuer used to request this document; also the expected value of ID Token's iss
authorization_endpointAuthentication/authorization endpoint
token_endpointToken endpoint
userinfo_endpointUser info endpoint
jwks_uriPublic key set (JWKS) address
end_session_endpointRP-Initiated Logout endpoint (defined by RP-Initiated Logout spec)
registration_endpointDynamic client registration endpoint (if supported)
scopes_supportedList of supported scopes
response_types_supportedSupported response_type values
subject_types_supportedpublic / pairwise
id_token_signing_alg_values_supportedID Token signing algorithms; RP sets whitelist based on this
token_endpoint_auth_methods_supportedToken endpoint client authentication methods, e.g., client_secret_basic, private_key_jwt
claims_supportedList of returnable claims (informational)
code_challenge_methods_supportedSupported PKCE methods; should include S256
frontchannel_logout_supported / backchannel_logout_supportedWhether Front-Channel/Back-Channel Logout is supported

prompt Values

ValueBehaviorTypical Use
noneOP must not display any interaction UI; returns error (e.g., login_required) if no active session or interaction neededSilent login state check / SSO probe / token refresh
loginForce re-authentication, even if a session existsStep-up verification before sensitive operations
consentForce re-display of authorization confirmation pageRequire user to re-grant permissions
select_accountDisplay account selection UIUser has multiple accounts, allow switching

prompt values can be combined (e.g., login consent), but none cannot be used with other values.

OIDC-Specific Error Codes

Beyond OAuth2 error codes (invalid_request, access_denied, invalid_grant, etc.; see OAuth2 documentation), OIDC adds these at the authorization endpoint:

Error CodeMeaningCommon Trigger
login_requiredUser login is required, but interaction is not allowedprompt=none and OP has no active session
consent_requiredUser authorization confirmation is required, but interaction is not allowedprompt=none and this client has not obtained consent
interaction_requiredSome user interaction is needed, but interaction is not allowedprompt=none fallback error
account_selection_requiredUser needs to select an account, but interaction is not allowedprompt=none and multiple account sessions exist
invalid_request_urirequest_uri cannot be fetched or content is invalidUsing PAR/request_uri scenarios
invalid_request_objectrequest object (JWT) is invalidUsing signed request object (JAR) scenarios
request_not_supported / request_uri_not_supportedOP does not support request(_uri) parameterCapability mismatch
registration_not_supportedOP does not support registration parameterCapability mismatch

Tips

login_required is a normal signal, not a failure: when silent refresh (prompt=none) receives it, fall back to one normal interactive login.

Troubleshooting Quick Reference

SymptomCommon Cause
Callback reports redirect_uri_mismatch / invalid_requestredirect_uri doesn't exactly match registered value (protocol, port, trailing slash, case)
Token response lacks id_tokenRequest scope is missing openid
ID Token validation fails: iss mismatchissuer config inconsistently has/lacks trailing slash; multi-tenant OP using wrong tenant URL
ID Token validation fails: signature invalid / cannot find kidJWKS cache expired (OP rotated keys), need to refresh JWKS; or environment misconfigured with wrong OP's JWKS
ID Token validation fails: aud mismatchUsed a different app's client_id; or validating token issued to another client
nonce validation failsSession lost (callback landed on different instance with unshared session), or Cookie's SameSite setting causes callback request to lose session Cookie
invalid_grant (token exchange fails)Authorization code already used/expired (code is single-use, watch for browser prefetch or duplicate callbacks); PKCE code_verifier doesn't match code_challenge; redirect_uri differs from authorization request
prompt=none always returns login_requiredOP has no session (browser blocking third-party cookies is a common root cause); or OP requires re-consent
Still logged in after logout, refresh shows login stateOnly cleared RP session without redirecting to end_session_endpoint, being silently re-logged by OP's SSO session
Logout doesn't redirect back to apppost_logout_redirect_uri not registered at OP side, or didn't carry id_token_hint so OP cannot associate client
Cannot get email/name and other claimsDidn't request corresponding scope; or OP returns these claims only via UserInfo, not in ID Token
Intermittent exp/iat validation failuresServer clock drift, configure NTP and allow ≤5 minute clock skew
Last updated: 7/6/26, 7:49 AM
Contributors: linux, Claude Opus 4.8
Prev
Typical Flows