Default Scopes

In OAuth there is a concept of a default scope, that the server can issue to the client when nothing else is requested.

This article describes how to use the default scope together with a set of default claims.

Default Scopes

In the Curity Identity Server the default scope is defined as the empty string "". This means that the default scope is always present. All clients always receive the default scope. Simply because any string always contains the empty string "".

From a claims perspective this means that it's possible to define a set of claims that always will be issued, and depending on the mapper will be present in tokens for each client.

Default Claims

If there exists a set of claims that should always be present for any client (if mapped) they could be considered default claims and mapped on the default scope.

The benefit of mapping claims to the default scope is that the client doesn't have to request any particular scope to receive these claims. They will never be forgotten.

Example

All APIs in the organization need the subscriber-id claim for any request being made on a user's behalf. Instead of adding subscriber-id to all scopes, the admin can add it to the default scope, and it will always be issued.