Hi @testuser7,
Thanks for reaching out.
I understand that you are trying to understand the unique behaviour of “openid” scope from other scope values.
OpenID Connect is the top layer of OAuth for authentication. So, when we are using OIDC (scope=openid in the authentication request), it will return an ID token which contains the user’s information.
The scope parameter must have "openid" as a mandatory scope, and it will return a sub claim which represents a unique identifier for the authenticated user.
Along with openid, profile and email are built-in scopes provided by OpenID Connect, so an application can request access to a large amount of information about the user that is required for authentication.
profile requests access to the user’s default claims (name, profile, picture) and can be used with the openid scope and any other scope.
email requests access to the email address only if an email address is associated with the user account.
There is no consent required either from the user or the admin for “openid”, as it is a mandatory scope to obtain the user’s information based on the user’s credentials passed.
As there are no permissions granted by the user or admin to the application for the “openid” scope, there are no permissions reflected for the service principal in Enterprise applications either.
On the other hand, when you provide other scope values (mail.read, user.write), which allow your application to get consent for multiple resources, user consent or admin consent is needed for authorization purposes, and the same will be reflected in the Service Principal’s permissions.
Reference Doc: openid-connect-scopes
Hope this helps to clarify your query.
Thanks,
Shweta
------------------------------------------------------
Please remember to "Accept Answer" if the answer helped you.
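As an added illustration of the scope behaviour described in the answer above (not code from the original post or from any identity provider's SDK), this Python snippet splits a requested scope string into the OIDC built-in scopes and the resource scopes that need consent, enforces the mandatory openid scope, and checks a decoded ID token for the claims those scopes imply. The sample token is constructed and unsigned; a real ID token must have its signature, issuer, audience and expiry validated before any claim is trusted.

```python
import base64
import json

# Claims the OIDC built-in scopes add to the ID token, per the answer above:
# "openid" is mandatory and yields "sub"; "profile" and "email" are optional
# built-ins; any other value (e.g. mail.read) is a resource permission that
# needs user or admin consent and is reflected on the service principal.
OIDC_BUILTIN_SCOPES = {
    "openid": {"sub"},
    "profile": {"name", "profile", "picture"},
    "email": {"email"},
}

def split_scopes(scope: str):
    """Split a space-separated scope string into (oidc_scopes, resource_scopes).
    Raises ValueError when the mandatory 'openid' scope is missing."""
    requested = scope.split()
    if "openid" not in requested:
        raise ValueError("scope must include 'openid' for an OIDC request")
    oidc = [s for s in requested if s in OIDC_BUILTIN_SCOPES]
    resource = [s for s in requested if s not in OIDC_BUILTIN_SCOPES]
    return oidc, resource

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, UNSIGNED sample token for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."

def decode_payload(jwt: str) -> dict:
    """Decode the JWT payload only; signature validation is out of scope here."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_id_token(payload: dict, scope: str, nonce: str) -> list:
    """Return the claims implied by the requested OIDC scopes that are absent.
    'sub' is always required; 'email' is not checked because the provider only
    returns it when an address is associated with the account."""
    oidc, _ = split_scopes(scope)
    if payload.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token was not issued for this request")
    expected = {"sub"}
    if "profile" in oidc:
        expected |= OIDC_BUILTIN_SCOPES["profile"]
    return sorted(expected - set(payload))
```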