ID Token Is Missing Profile Values despite Requesting Profile Scope
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

When using a grant type that returns both the Access Token and ID Token, the ID Token is returned in a state known as a "thin" token. The thin token contains only base user claims, a few scope-dependent claims, and any custom claims if using a custom authorization server. User profile attributes are not included in the thin ID Token, even if the profile scope has been requested.


This article explains why an ID Token will not contain a user's profile attributes despite the profile scope being requested in the OIDC authorization request and how to retrieve these values.

Applies To
  • Interaction Code flow
  • Authorization Code flow
  • Implicit flow
  • Resource Owner Password flow
Cause
  • This is expected behavior. As per the OIDC specifications:
    • The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.
  • The Interaction Code and Authorization Code flows will always return an Access Token and ID Token together.
  • The Implicit flow will return the Access Token and ID Token together if response_type=id_token+token.
  • The Resource Owner Password flow will return the Access Token and ID Token together if the openid scope is passed in the token request.
Solution

The Access Token returned alongside the thin ID Token can be sent as a Bearer token to the /userinfo endpoint, which returns all user claims for the granted scopes, including the profile attributes.

Alternatively, if using a custom authorization server, it is possible to create custom claims to return in the ID Token for the profile attributes that should be included without the need to make a /userinfo call.
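The following is an added example (it is not code from the Okta article or from an Okta SDK) showing the two options above from the relying party's side: inspecting a thin ID Token to see which profile-scope claims are absent, building the /userinfo call with the Access Token, and assembling a custom-claim definition for a custom authorization server. The sample ID Token is constructed inline with a dummy signature segment, so it is only parsed here, never verified; a real token must be signature-verified by the application's OIDC library before any claim is trusted. The issuer URL, the `authServerId` placeholder, and the claims API request body (`POST /api/v1/authorizationServers/{authServerId}/claims` with `claimType`, `valueType`, `value`, `conditions.scopes`) are assumptions about the Okta Authorization Servers API, not taken from the article.

```python
import base64
import json
import time
import urllib.request

# Claims that the OIDC "profile" scope maps to (OIDC Core section 5.4).
# These are the values a thin ID Token does not carry.
PROFILE_CLAIMS = (
    "name", "family_name", "given_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "gender",
    "birthdate", "zoneinfo", "locale", "updated_at",
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def id_token_claims(id_token: str) -> dict:
    """Parse the payload of a compact JWS. This does NOT verify the signature;
    it exists only to look at which claims are present."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_profile_claims(id_token: str) -> list:
    """Profile-scope claims the ID Token does not contain, in spec order."""
    claims = id_token_claims(id_token)
    return [c for c in PROFILE_CLAIMS if c not in claims]


def userinfo_request(issuer: str, access_token: str) -> urllib.request.Request:
    """Build the GET /v1/userinfo call; the Access Token goes in the
    Authorization header as a Bearer token, never in the query string."""
    return urllib.request.Request(
        issuer.rstrip("/") + "/v1/userinfo",
        headers={"Authorization": "Bearer " + access_token,
                 "Accept": "application/json"},
    )


def fetch_userinfo(issuer: str, access_token: str, timeout: float = 10) -> dict:
    """Perform the /userinfo call and return the full claim set (network call)."""
    with urllib.request.urlopen(userinfo_request(issuer, access_token),
                                timeout=timeout) as resp:
        return json.load(resp)


def custom_profile_claim(name: str, expression: str) -> dict:
    """Request body (assumed shape) for adding an ID Token claim on a custom
    authorization server so the attribute is present without a /userinfo call.
    Example: custom_profile_claim("given_name", "user.firstName")."""
    return {
        "name": name,
        "status": "ACTIVE",
        "claimType": "IDENTITY",      # IDENTITY = ID Token, RESOURCE = Access Token
        "valueType": "EXPRESSION",
        "value": expression,          # Okta expression language, e.g. user.firstName
        "conditions": {"scopes": ["profile"]},  # only emit when profile was granted
    }


def constructed_thin_id_token() -> str:
    """A constructed thin ID Token (base claims only) with a dummy signature.
    It would fail verification; it is sample input for the functions above."""
    header = {"alg": "RS256", "kid": "CONSTRUCTED-KID"}
    now = int(time.time())
    payload = {
        "sub": "00uCONSTRUCTEDUSERID",
        "iss": "https://example.okta.com/oauth2/default",   # placeholder issuer
        "aud": "0oaCONSTRUCTEDCLIENTID",
        "iat": now, "exp": now + 3600,
        "nonce": "constructed-nonce", "at_hash": "constructed-at-hash",
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


if __name__ == "__main__":
    tok = constructed_thin_id_token()
    print("profile claims absent from thin ID Token:", missing_profile_claims(tok))
    req = userinfo_request("https://example.okta.com/oauth2/default", "ACCESS_TOKEN_PLACEHOLDER")
    print("would call:", req.full_url)
    print(json.dumps(custom_profile_claim("given_name", "user.firstName"), indent=2))
```

Run stand-alone, the script shows every profile-scope claim reported missing from the constructed thin token; in an application you would call `fetch_userinfo` with the real issuer and the Access Token from the same token response, or, on a custom authorization server, create claims such as the `custom_profile_claim` body for each attribute you want in the ID Token itself.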


Related References
