What are scopes in openid

Question

What are scopes in openid

Shrikant Bhagwat 81

APP1

What are scopes in openid. Does it include email & profile scope ?

app_displayname": "Apache OAuth-OIDC App",

"appid": "fb74eebd-2ec6-47aa-8387-57c8c39254db",

"appidacr": "1",

"family_name": "Bhagwat1",

"given_name": "Shrikant1",

"idtyp": "user",

"ipaddr": "141.214.17.252",

"name": "Shrikant1 Bhagwat1",

"oid": "5ce5ffdc-bb17-4bd4-a0d6-b85991873fed",

"platf": "3",

"puid": "100320044D66E733",

"rh": "1.AVAAjI3VxHBXmU2gDbQLcyseQQMAAAAAAAAAwAAAAAAAAABQABRQAA.",

"scp": "openid profile email",

"sid": "00303fa9-0205-ff1e-ed9f-7878bfef1d32",

"sub": "S_2mAURgePvmoj-sdgvTb_MWUBbdwIxWuuR65Oclb2o",

"tenant_region_scope": "NA",

"tid": "c4d58d8c-5770-4d99-a00d-b40b732b1e41",

"unique_name": "******@bhagwatsaz.net",

"upn": "******@bhagwatsaz.net",

"uti": "JGRInwt7YUixXyNz1nlJAA",

"ver": "1.0",

"wids": [

"b79fbf4d-3ef9-4689-8143-76b194e85509"

],

"xms_ftd": "lkLWnevrYwGyLNQhiooNE4tUx6oxoaXCykt5SVGxQOA",

"xms_idrel": "30 1",

"xms_st": {

"sub": "IiBvpyvj0nI1_QLn3DGE8wT8Yv7f3ICN1zRqXaOv8WA"

},

"xms_tcdt": 1625580930

Shrikant Bhagwat 81 Reputation points

2025-03-16T22:48:33.1766667+00:00
In my Apache OAuth/OIDC scope (Application Side)

OIDCProviderMetadataURL https://login.microsoftonline.com/c4d58d8c-5770-4d99-a00d-b40b732b1e41/v2.0/.well-known/openid-configuration

OIDCClientID XXXX OIDCClientSecret XXXX OIDCRedirectURI https://p-iamoauthoidctest.med.umich.edu/protected/callback OIDCCookieDomain p-iamoauthoidctest.med.umich.edu OIDCScope "openid"

I don't know why scp is showing "openid,profile,email" in decoded Access token. Is it decided by Entra or something else ?
Marcin Policht 68,535 Reputation points MVP Volunteer Moderator

2025-03-16T23:14:05.2033333+00:00
Yes, the scopes included in the access token (scp claim) are determined by Microsoft Entra ID based on multiple factors, not just the application's requested scopes.

Why is "profile" and "email" included in your token when you only requested "openid"?

Default Behavior of Microsoft Entra ID

Even if your application only requests "openid", Microsoft Entra ID often includes "profile" and "email" by default because they are commonly used for identity-related operations. This means that unless explicitly restricted, Microsoft Entra ID may automatically grant additional scopes related to user authentication.

User and Admin Consent Policies

If an admin or user previously granted consent for broader scopes (e.g., "openid profile email") for your app, Entra ID remembers this and may include them even if they’re not explicitly requested. Check in Enterprise Applications > Your App > Permissions to see if broader scopes were granted.

Implicit Scope Inclusions in Entra ID

Microsoft documentation states that "profile" and "email" are often bundled with "openid" for user authentication scenarios. If your app uses OIDC standard endpoints, Entra ID assumes you might need basic user info (hence "profile") and email-related claims (hence "email").

How to Explicitly Control Scopes?

If you want to restrict scopes strictly to only "openid", you can:

Explicitly request only "openid" in the authorization request (though Microsoft might still include default claims).

Use the "consent=select_account" parameter to force the user to approve scopes again during sign-in.

Check API permissions in Microsoft Entra ID to ensure unnecessary permissions aren't granted.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Shrikant Bhagwat 81 Reputation points

2025-03-16T23:32:17.61+00:00

I See above is App Permission. It looks like even if app side scope is "openid" scp in access token contains openid,email, profile.

I accept I had 3 scope on Entra Side with admin consent. But I removed it for testing purpose to check the behavior. I was hoping scp will show only openid.

Shrikant
Marcin Policht 68,535 Reputation points MVP Volunteer Moderator

2025-03-16T23:35:44.3666667+00:00

Even after removing "profile" and "email" permissions from Entra ID, the access token may still include them due to Microsoft Entra ID’s caching and implicit scope behavior. Microsoft often pre-populates common identity-related scopes like "profile" and "email" when "openid" is requested, especially if they were previously granted consent. Additionally, permission changes may take time to reflect, as Entra ID can cache tokens and user consent settings. To force an update, try revoking user consent, clearing token caches, or requesting a new token using a fresh incognito session.

hth
Marcin
Shrikant Bhagwat 81 Reputation points

2025-03-17T00:12:47.5066667+00:00

I deleted the app & recreated app in Entra. Changed Client ID & Secret in Apache OAuth/OIDC side according to new app. Just added openid scope. Still I see scp as openid, email, profile in Access Token. So I think it may be MS Entra adding profile & email scope (besides openid)

How do i control attributes exposed in scopes ?

Rather that email, i will prefer UPN.

Thanks

Shrikant
Marcin Policht 68,535 Reputation points MVP Volunteer Moderator

2025-03-17T01:31:20.2433333+00:00

Yep - AFAIK, Microsoft Entra ID automatically includes "profile" and "email" scopes when "openid" is requested, as part of its standard OIDC behavior. To control which attributes are exposed, you can use Microsoft Entra ID Claims Mapping Policy to customize the claims in the token. If you prefer User Principal Name (UPN) instead of email, you can modify the ID token claims by configuring optional claims in the App Registration under Token configuration. Add upn under ID token while ensuring that email is removed from optional claims. Additionally, in Microsoft Graph API permissions, avoid assigning "email" scope explicitly.

hth

Marcin
Shrikant Bhagwat 81 Reputation points

2025-03-17T01:55:53.08+00:00

Answer accepted by question author

0 additional answers

Your answer

Shrikant Bhagwat 81 Reputation points

2025-03-16T22:48:33.1766667+00:00

In my Apache OAuth/OIDC scope (Application Side)

OIDCProviderMetadataURL https://login.microsoftonline.com/c4d58d8c-5770-4d99-a00d-b40b732b1e41/v2.0/.well-known/openid-configuration

OIDCClientID XXXX OIDCClientSecret XXXX OIDCRedirectURI https://p-iamoauthoidctest.med.umich.edu/protected/callback OIDCCookieDomain p-iamoauthoidctest.med.umich.edu OIDCScope "openid"

I don't know why scp is showing "openid,profile,email" in decoded Access token. Is it decided by Entra or something else ?
Marcin Policht 68,535 Reputation points MVP Volunteer Moderator

2025-03-16T23:14:05.2033333+00:00

Yes, the scopes included in the access token (scp claim) are determined by Microsoft Entra ID based on multiple factors, not just the application's requested scopes.

Why is "profile" and "email" included in your token when you only requested "openid"?

Default Behavior of Microsoft Entra ID

Even if your application only requests "openid", Microsoft Entra ID often includes "profile" and "email" by default because they are commonly used for identity-related operations. This means that unless explicitly restricted, Microsoft Entra ID may automatically grant additional scopes related to user authentication.

User and Admin Consent Policies

If an admin or user previously granted consent for broader scopes (e.g., "openid profile email") for your app, Entra ID remembers this and may include them even if they’re not explicitly requested. Check in Enterprise Applications > Your App > Permissions to see if broader scopes were granted.

Implicit Scope Inclusions in Entra ID

Microsoft documentation states that "profile" and "email" are often bundled with "openid" for user authentication scenarios. If your app uses OIDC standard endpoints, Entra ID assumes you might need basic user info (hence "profile") and email-related claims (hence "email").

How to Explicitly Control Scopes?

If you want to restrict scopes strictly to only "openid", you can:

Explicitly request only "openid" in the authorization request (though Microsoft might still include default claims).

Use the "consent=select_account" parameter to force the user to approve scopes again during sign-in.

Check API permissions in Microsoft Entra ID to ensure unnecessary permissions aren't granted.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Shrikant Bhagwat 81 Reputation points

2025-03-16T23:32:17.61+00:00

I See above is App Permission. It looks like even if app side scope is "openid" scp in access token contains openid,email, profile.

I accept I had 3 scope on Entra Side with admin consent. But I removed it for testing purpose to check the behavior. I was hoping scp will show only openid.

Shrikant
Marcin Policht 68,535 Reputation points MVP Volunteer Moderator

2025-03-16T23:35:44.3666667+00:00

Even after removing "profile" and "email" permissions from Entra ID, the access token may still include them due to Microsoft Entra ID’s caching and implicit scope behavior. Microsoft often pre-populates common identity-related scopes like "profile" and "email" when "openid" is requested, especially if they were previously granted consent. Additionally, permission changes may take time to reflect, as Entra ID can cache tokens and user consent settings. To force an update, try revoking user consent, clearing token caches, or requesting a new token using a fresh incognito session.

hth
Marcin
Shrikant Bhagwat 81 Reputation points

2025-03-17T00:12:47.5066667+00:00

I deleted the app & recreated app in Entra. Changed Client ID & Secret in Apache OAuth/OIDC side according to new app. Just added openid scope. Still I see scp as openid, email, profile in Access Token. So I think it may be MS Entra adding profile & email scope (besides openid)

How do i control attributes exposed in scopes ?

Rather that email, i will prefer UPN.

Thanks

Shrikant
Marcin Policht 68,535 Reputation points MVP Volunteer Moderator

2025-03-17T01:31:20.2433333+00:00

Yep - AFAIK, Microsoft Entra ID automatically includes "profile" and "email" scopes when "openid" is requested, as part of its standard OIDC behavior. To control which attributes are exposed, you can use Microsoft Entra ID Claims Mapping Policy to customize the claims in the token. If you prefer User Principal Name (UPN) instead of email, you can modify the ID token claims by configuring optional claims in the App Registration under Token configuration. Add upn under ID token while ensuring that email is removed from optional claims. Additionally, in Microsoft Graph API permissions, avoid assigning "email" scope explicitly.

hth

Marcin
Shrikant Bhagwat 81 Reputation points

2025-03-17T01:55:53.08+00:00

Answer 1

Scopes define what user information an application can request from an identity provider. The "openid" scope is mandatory in OIDC and allows authentication but does not include user profile details by itself.

From your provided data, the "scp" (scope) field includes "openid profile email", meaning that:

openid: Grants permission to authenticate the user and receive their sub (subject identifier).
profile: Allows access to basic user profile information such as name, family_name, given_name, and unique_name.
email: Grants access to the user’s email address, which typically includes the email and email_verified claims.

Since your scp field contains profile and email, your app can access both the user's profile details and email address along with authentication.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

What are scopes in openid

0 additional answers

Your answer