OAuth2 scopes
Standard OIDC scopes and Olympus-specific conventions
OAuth2 scopes describe what a token can do. Standard OIDC scopes are universal; custom scopes are per-app.
Standard OIDC scopes
| Scope | Description |
|---|---|
| openid | Required to receive an ID token. Without it, the OAuth2 flow returns only an acc |
| profile | Profile-related claims: name, given_name, family_name, `preferred_username |
| email | email and email_verified claims. |
| offline_access | Request a refresh token. Required for long-lived sessions. |
| address | Postal address claims. Olympus doesn't ship this by default; available if you ad |
| phone | phone_number, phone_number_verified. Add to schema if you collect phone. |
Olympus conventions
| Scope | Description |
|---|---|
| groups | Custom claim with array of group memberships. Used by ArgoCD, Grafana, etc. for |
| role | Custom single-string role claim. admin, user, etc. |
| api:read | Example custom scope, read access to your API. |
| api:write | Example custom scope, write access. |
| admin | Example custom scope, admin operations. |
See Cookbook, Add OAuth2 scope to define your own.
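
An added example, not part of the Olympus documentation: one way a resource server could enforce the example scopes `api:read`, `api:write` and `admin` listed above. It assumes the access token has already been validated and that each scope is independent (`admin` does not imply `api:write`); the route table and function names are hypothetical.

```python
# Added example: scope enforcement on a resource server.
# Assumes the token's signature, issuer, audience and expiry were already
# verified and that `path` is normalized; `claims` is the decoded payload.

# (method, path prefix) -> required scope. Hypothetical routes; the scope
# names are the example custom scopes from the table above.
ROUTE_SCOPES = {
    ("GET", "/api/"): "api:read",
    ("POST", "/api/"): "api:write",
    ("DELETE", "/api/"): "api:write",
    ("GET", "/admin/"): "admin",
    ("POST", "/admin/"): "admin",
}


def parse_scope(claim):
    """Return the granted scopes as a set.

    RFC 6749 section 3.3 defines `scope` as space-delimited, case-sensitive
    strings. A JSON array is also accepted (assumption: some issuers emit one).
    """
    if isinstance(claim, str):
        return frozenset(claim.split())
    if isinstance(claim, (list, tuple)) and all(isinstance(s, str) for s in claim):
        return frozenset(claim)
    return frozenset()  # missing or malformed claim grants nothing


def required_scope(method, path):
    """Longest matching prefix wins; None means the route is not mapped."""
    matches = [(prefix, scope) for (m, prefix), scope in ROUTE_SCOPES.items()
               if m == method.upper() and path.startswith(prefix)]
    return max(matches, key=lambda x: len(x[0]))[1] if matches else None


def authorize(claims, method, path):
    """Deny by default; compare whole scope tokens, never substrings."""
    needed = required_scope(method, path)
    if needed is None:
        return False
    return needed in parse_scope(claims.get("scope"))
```

Comparing whole tokens is what keeps a grant such as `api:readonly` from satisfying a check for `api:read`.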