The UserInfo endpoint will present a set of claims based on the OAuth2 scopes presented in the authentication request.

OpenID Connect defines five scope values that map to a specific set of default claims. PingFederate allows you to extend the "profile" scope via the "OpenID Connect Policy Management" section of the administration console. Multiple policy sets can be created and associated on a per-client basis.

| Connect scope | Returned Claims |
|---|---|
| openid | None - Indicates this is an OpenID Connect request |
| profile | name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at, *custom attributes |
| address | address |
| email | email, email_verified |
| phone | phone_number, phone_number_verified |

  • If a scope is omitted (e.g. the "email" scope is not present), the claim "email" will not be present in the returned claims. For custom profile attributes, prefix the value to avoid clashing with the default claim names.
  • If an OpenID Connect id_token is requested without an OAuth2 access token (i.e. when using the implicit "response_type = id_token" request), the claims will be returned in the id_token rather than from the UserInfo endpoint.
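
The scope-to-claim rules above can be checked against a live response. The following is an added example, not PingFederate code: it flags UserInfo claims that the granted scopes do not cover and custom attribute names that clash with default claims. The function names, the `acme_` prefix and the sample data are hypothetical, and it assumes `sub` is always returned, as OpenID Connect Core requires.

```python
# Added example. Scope-to-claim mapping copied from the table on this page.
SCOPE_CLAIMS = {
    "openid": set(),
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "address": {"address"},
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
}
ALWAYS_RETURNED = {"sub"}  # OIDC Core: UserInfo always includes the subject
DEFAULT_NAMES = set().union(*SCOPE_CLAIMS.values()) | ALWAYS_RETURNED


def allowed_claims(scope, custom_profile_attrs=()):
    """Claims a UserInfo response may contain for a space-delimited scope string."""
    scopes = set(scope.split())
    if "openid" not in scopes:
        raise ValueError("not an OpenID Connect request: 'openid' scope missing")
    allowed = set(ALWAYS_RETURNED)
    for name in scopes:
        allowed |= SCOPE_CLAIMS.get(name, set())  # non-OIDC scopes add no claims
    if "profile" in scopes:
        allowed |= set(custom_profile_attrs)      # policy extends "profile" only
    return allowed


def audit_userinfo(scope, userinfo, custom_profile_attrs=()):
    """Return (claims not covered by the scopes, custom names that clash)."""
    unexpected = sorted(set(userinfo) - allowed_claims(scope, custom_profile_attrs))
    clashes = sorted(set(custom_profile_attrs) & DEFAULT_NAMES)
    return unexpected, clashes


def claims_source(response_type):
    """Where the claims arrive: id_token-only requests have no access token."""
    return "id_token" if response_type.split() == ["id_token"] else "userinfo"


if __name__ == "__main__":
    # Constructed sample response for a request with scope "openid email".
    sample = {"sub": "user-123", "email": "jdoe@example.com",
              "email_verified": True, "phone_number": "+1 555 0100"}
    print(audit_userinfo("openid email", sample))
    print(audit_userinfo("openid profile", {"sub": "user-123", "locale": "en"},
                         custom_profile_attrs=["acme_department", "locale"]))
    print(claims_source("id_token"), claims_source("code"))
```

A non-empty first list means the response carries claims the request's scopes do not account for; a non-empty second list means a custom attribute should be renamed with a prefix.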