 

Is "scope" a standard claim?

Is there any standard scope claim in OpenID Connect, JWT or OAuth?

In the IdentityServer 4 documentation, there is a "scope" which is a space-separated string.

{
  "client_id": "mobile_app",
  "sub": "123",
  "scope": "read write delete"
}

But from my IdentityServer 4 instance, I get a "scope" claim in the access token which is an array of strings.

{
  // ...
  "client_id": "mobile_app",
  "sub": "123",
  "scope": [ "openid", "profile", "email", "offline_access" ],
  "amr": [ "pwd" ]
}

In the OpenID Connect Core 1.0 specification, I do not see "scope" listed as a claim. In the RFC 7519 JSON Web Token (JWT) specification, I do not see "scope" listed as a claim.

Fred asked Dec 17 '25 13:12


2 Answers

The scope claim was standardized by the Token Exchange RFC. According to the spec it should be a JSON string with space-separated scope tokens.

The value of the "scope" claim is a JSON string containing a space-separated list of scopes associated with the token...

Michal Trojanowski answered Dec 19 '25 05:12


Most providers support the AT+JWT token type, and it specifies that a scope claim should be included:

  • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

It says:

If an authorization request includes a scope parameter, the corresponding issued JWT access token SHOULD include a "scope" claim as defined in Section 4.2 of RFC8693.

All the individual scope strings in the "scope" claim MUST have meaning for the resources indicated in the "aud" claim. See Section 5 for more considerations about the relationship between scope strings and resources indicated by the "aud" claim.

Tore Nestenius answered Dec 19 '25 07:12
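Both answers point at the same practical consequence for a resource server: RFC 8693 / RFC 9068 define "scope" as one space-separated string, but issuers such as IdentityServer 4 (as the question shows) emit a JSON array, so the claim has to be normalized before checking it, and RFC 9068 section 2.2.2 ties the scopes to the resource named in "aud". The following is an added example, not code from the question, the answers, or IdentityServer; it decodes constructed, unsigned sample tokens without verifying a signature (a real resource server must verify signature, issuer, audience and expiry with a JOSE library first), and the audience names "api1"/"api2" and the helper names are assumptions for illustration.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_sample_token(payload: dict) -> str:
    # Constructed sample for this example only: the header mirrors an AT+JWT
    # access token, but the signature segment is a placeholder, not a real JWS.
    header = {"typ": "at+jwt", "alg": "RS256"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


def decode_payload_unverified(token: str) -> dict:
    # Demonstration only: splits the compact serialization and decodes the
    # payload WITHOUT verifying the signature. Never trust claims obtained this
    # way in production; verify the token with a JOSE library first.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))


def normalize_scopes(scope_claim) -> set:
    """Return the token's scopes as a set of individual scope strings.

    RFC 8693 section 4.2 (referenced by RFC 9068) defines "scope" as a single
    JSON string of space-separated scope tokens. Some issuers, IdentityServer 4
    among them, emit a JSON array of strings instead. Both forms are accepted;
    any other type is rejected rather than guessed at.
    """
    if scope_claim is None:
        return set()
    if isinstance(scope_claim, str):
        return set(scope_claim.split())
    if isinstance(scope_claim, list) and all(isinstance(s, str) for s in scope_claim):
        # An array element could itself read "read write"; split it so that
        # each element of the result is exactly one scope token.
        return {tok for item in scope_claim for tok in item.split()}
    raise ValueError(f"unsupported scope claim type: {type(scope_claim).__name__}")


def has_required_scopes(claims: dict, required: set, audience: str) -> bool:
    # RFC 9068 section 2.2.2: scope strings must have meaning for the resources
    # in "aud", so refuse the token outright if this resource is not an intended
    # audience, regardless of what "scope" says.
    aud = claims.get("aud")
    audiences = {aud} if isinstance(aud, str) else set(aud or [])
    if audience not in audiences:
        return False
    return required.issubset(normalize_scopes(claims.get("scope")))


# Constructed claim sets modelled on the two shapes shown in the question
# ("aud" values are assumed names for this example).
STRING_FORM_CLAIMS = {
    "client_id": "mobile_app", "sub": "123", "aud": "api1",
    "scope": "read write delete",
}
ARRAY_FORM_CLAIMS = {
    "client_id": "mobile_app", "sub": "123", "aud": ["api1", "api2"],
    "scope": ["openid", "profile", "email", "offline_access"],
    "amr": ["pwd"],
}


if __name__ == "__main__":
    for claims in (STRING_FORM_CLAIMS, ARRAY_FORM_CLAIMS):
        token = make_sample_token(claims)
        payload = decode_payload_unverified(token)
        print(sorted(normalize_scopes(payload["scope"])),
              has_required_scopes(payload, {"openid"}, "api1"))
```

The normalization deliberately splits array elements on whitespace too, so a scope check compares single tokens whichever shape the issuer used; the audience check comes first because a scope that is valid for another resource should never unlock this one.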


