ZITADEL supports scopes as a way of requesting information from the IAM and of instructing ZITADEL to perform certain operations.
|Scope|Description|
|---|---|
|openid|When using OpenID Connect, this is a mandatory scope|
|profile|Optional scope to request the profile of the subject|
|email|Optional scope to request the email of the subject|
|address|Optional scope to request the address of the subject|
|offline_access|Optional scope to request a refresh_token (only possible when using code flow)|
This feature is not yet released
In addition to the standard-compliant scopes, we utilize the following scopes.
|By using this scope, a client can request the claim urn:zitadel:iam:roles to be asserted when possible. As an alternative approach, you can enable all roles to be asserted from the project a client belongs to.|
|When requesting this scope ZITADEL will enforce that the user is a member of the selected organization. If the organization does not exist a failure is displayed. It will assert the |
|When requesting this scope, ZITADEL will enforce that the user is a member of the selected organization and that the username is suffixed by the provided domain. If the organization does not exist, a failure is displayed.|
|By adding this scope, the requested projectid will be added to the audience of the access token|
|By adding this scope, the ZITADEL project ID will be added to the audience of the access token|
|By adding this scope, the metadata of the user will be included in the token. The values are base64 encoded.|
|By adding this scope, the resourceowner (id, name, primary_domain) of the user will be included in the token.|
|By adding this scope, the user will be redirected directly to the identity provider to authenticate. Make sure you also send the primary domain scope if a custom login policy is configured. Otherwise, the system will not be able to identify the identity provider.|
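The audience and metadata scopes above change what a resource server has to check in a token. The following is an added example, not ZITADEL's own code: it checks that the API's project ID is in the token audience and decodes the base64 metadata values. It assumes the claims were already signature-verified and parsed into a dict, and that the metadata claim is named `urn:zitadel:iam:user:metadata` (the page does not name it); all IDs and values are constructed.

```python
import base64

# Assumption: claim name carrying user metadata; the page does not name it.
METADATA_CLAIM = "urn:zitadel:iam:user:metadata"


def audiences(claims):
    """Return the token audiences as a set; RFC 7519 allows a string or a list."""
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def accept_token(claims, expected_project_id):
    """Accept only tokens whose audience includes this API's project ID.

    Exact set membership is used so that "project-1234" never satisfies
    a check for "project-123" (a substring test on a string `aud` would).
    """
    return expected_project_id in audiences(claims)


def decode_metadata(claims):
    """Decode the base64-encoded metadata values to bytes, keyed by metadata key."""
    decoded = {}
    for key, value in claims.get(METADATA_CLAIM, {}).items():
        padded = value + "=" * (-len(value) % 4)  # tolerate unpadded encodings
        # urlsafe_b64decode accepts both the standard and the URL-safe alphabet
        decoded[key] = base64.urlsafe_b64decode(padded)
    return decoded


# Constructed sample claims (not real ZITADEL output); IDs are placeholders.
SAMPLE_CLAIMS = {
    "sub": "user-1",
    "aud": ["client-abc", "project-123"],
    METADATA_CLAIM: {"department": "c2VjdXJpdHk", "tier": "Z29sZA=="},
}

if __name__ == "__main__":
    print(accept_token(SAMPLE_CLAIMS, "project-123"))
    print(accept_token(SAMPLE_CLAIMS, "project-999"))
    print(decode_metadata(SAMPLE_CLAIMS))
```

Decoded metadata values are raw bytes set on the user record; validate them like any other input before using them in authorization decisions.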