When decoding an ID token, some Claims might not show up because the Scope they are dependent upon was not requested.
- OpenID Connect
- ID Token
- Access Token
- Thin Token
The Scope that the Claims are tied to is not included in the scope parameter within the /authorize request.
When calling the /authorize endpoint, make sure that the application requests the appropriate scope(s) needed to receive the desired claim. See this Scopes documentation for a full list of the OpenID Connect Scopes and their associated Claims.
NOTE: If requesting both an Access Token and an ID Token in the same OIDC flow, the ID Token returned will be a 'thin' token. This means it will contain base claims but not profile attributes and groups. When this occurs, the client application will need to make a request to the /userinfo endpoint, using the access token it acquired, to receive the rest of the Claims. More information can be found in the Tokens and Scopes documentation and the Attribute/Claim Missing from ID Token article.
Below is an example of how an /authorize request would look when explicitly requesting the email scope:
The above would return an access token and ID token through a redirect to https://localhost:8080/login/callback. The access token can then be used at the /userinfo endpoint as shown below:
- The request to /userinfo with the access token:
- The response, which includes the email claim:
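The troubleshooting logic described in this article, as an added Python example (not part of the original article or any vendor SDK): it builds the /authorize query with the scopes the wanted claims depend on, then reports whether a missing claim is caused by an unrequested scope or by a thin ID token. The function names, the sample token and the `id_token token` response type used in the test are assumptions; the scope-to-claim mapping is the standard one from OpenID Connect Core 1.0, section 5.4.

```python
import base64
import json
from urllib.parse import urlencode

# Scope-to-claim mapping from OpenID Connect Core 1.0, section 5.4.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

def scope_of(claim):
    """Return the standard scope a claim depends on, or None."""
    return next((s for s, m in SCOPE_CLAIMS.items() if claim in m), None)

def authorize_query(client_id, redirect_uri, response_type, wanted, state, nonce):
    """Build the /authorize query string with every scope the wanted claims need."""
    scopes = ["openid"] + sorted({scope_of(c) for c in wanted} - {None})
    return urlencode({"client_id": client_id, "response_type": response_type,
                      "scope": " ".join(scopes), "redirect_uri": redirect_uri,
                      "state": state, "nonce": nonce})

def id_token_claims(id_token):
    """Decode the payload for troubleshooting only; the signature is NOT verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(id_token, requested_scope, wanted):
    """Report, for each wanted claim, why it is missing from the ID token."""
    present, granted, report = id_token_claims(id_token), set(requested_scope.split()), {}
    for claim in wanted:
        scope = scope_of(claim)
        if claim in present:
            report[claim] = "present"
        elif scope is None:
            report[claim] = "not a standard OIDC claim; see the provider's Scopes documentation"
        elif scope not in granted:
            report[claim] = f"scope '{scope}' missing from /authorize request"
        else:
            report[claim] = "scope requested; thin ID token, call /userinfo"
    return report

def make_sample_token(claims):
    """Constructed, unsigned sample token for the demo (not a real IdP token)."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "none"}), seg(claims), "sig"])
```

Use `id_token_claims` for diagnosis only; an application must validate the ID token signature and claims before trusting them.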
