doorkeeper-gem/doorkeeper-openid_connect

Is it possible for a claim to have multiple scopes?

davidbasalla opened this issue · 1 comments

I would like to provide an all_data scope that acts as a summary of more focused scopes (e.g. profile and email), like so:

  claims do
    # Profile scope
    claim :given_name, scope: :profile do |user, scopes, access_token|
      user.first_name
    end

    # Email scope
    claim :email, scope: :email do |user, scopes, access_token|
      user.email
    end

    # All data scope
    claim :given_name, scope: :all_data do |user, scopes, access_token|
      user.first_name
    end
    claim :email, scope: :all_data do |user, scopes, access_token|
      user.email
    end
  end

From my testing, this currently breaks scope requests for just profile or email, because the claims OpenStruct (from ClaimsBuilder) uses the claim symbols as keys, thereby overwriting duplicate claim definitions and only storing the claims under the all_data scope.

I also can't find in the OIDC spec whether it should be possible to have claims assigned to multiple scopes - does anyone know?

@davidbasalla sorry for the late response!

I don't think this is currently possible, maybe one solution could be to let the scope: argument support arrays, so you'd have scope: [:profile, :all_data] etc.?

At

  if access_token.scopes.exists?(claim.scope) && claim.response.include?(response)

we could then check if any of the defined scopes are present in the access token.

PRs welcome, unfortunately I don't have time to look into this myself 🙂
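To make the overwrite described in the issue and the array-based `scope:` suggested in the reply concrete, here is an added, self-contained Ruby example. It is not code from doorkeeper-openid_connect: `NaiveClaims`, `MultiScopeClaims`, `resolve`, the `User` struct and the sample values are all constructed for this illustration, and only model the behaviour the thread describes (claims stored under their symbol as the key, and a claim being released when any of its scopes is present in the token).

```ruby
# Constructed stand-in for a user record; not the gem's model.
User = Struct.new(:first_name, :email)

# A claim definition: its name, the scopes that release it, and the block
# that produces the value. Hypothetical structure, not the gem's internals.
Claim = Struct.new(:name, :scopes, :generator)

# Hypothetical builder mirroring the problem the issue reports: claims live
# in a hash keyed by claim name, so a second definition with the same name
# silently replaces the first one and its scope.
class NaiveClaims
  attr_reader :claims

  def initialize
    @claims = {}
  end

  def claim(name, scope:, &block)
    @claims[name] = Claim.new(name, [scope], block)
  end
end

# Hypothetical builder implementing the reply's suggestion: `scope:` accepts a
# single symbol or an array of symbols, and every scope is kept.
class MultiScopeClaims
  attr_reader :claims

  def initialize
    @claims = {}
  end

  def claim(name, scope:, &block)
    @claims[name] = Claim.new(name, Array(scope).map(&:to_sym), block)
  end
end

# Release a claim only when at least one of its scopes was granted to the
# token. Over-releasing here would leak data outside the consented scope,
# so the intersection test is the security-relevant line.
def resolve(builder, user, token_scopes)
  granted = token_scopes.map(&:to_sym)
  builder.claims.each_with_object({}) do |(name, claim), out|
    next if (claim.scopes & granted).empty?
    out[name] = claim.generator.call(user, granted)
  end
end

# The configuration from the issue, expressed against the naive builder.
def build_naive_claims
  b = NaiveClaims.new
  b.claim(:given_name, scope: :profile) { |user, _scopes| user.first_name }
  b.claim(:email, scope: :email) { |user, _scopes| user.email }
  b.claim(:given_name, scope: :all_data) { |user, _scopes| user.first_name }
  b.claim(:email, scope: :all_data) { |user, _scopes| user.email }
  b
end

# The same intent with array scopes: one definition per claim, several scopes.
def build_multi_scope_claims
  b = MultiScopeClaims.new
  b.claim(:given_name, scope: [:profile, :all_data]) { |user, _scopes| user.first_name }
  b.claim(:email, scope: [:email, :all_data]) { |user, _scopes| user.email }
  b
end

if __FILE__ == $PROGRAM_NAME
  user = User.new("Ada", "ada@example.test") # constructed sample user
  puts "naive, profile scope:   #{resolve(build_naive_claims, user, [:profile])}"
  puts "naive, all_data scope:  #{resolve(build_naive_claims, user, [:all_data])}"
  puts "multi, profile scope:   #{resolve(build_multi_scope_claims, user, [:profile])}"
  puts "multi, all_data scope:  #{resolve(build_multi_scope_claims, user, [:all_data])}"
end
```

Running it shows the naive builder returning nothing for a token carrying only `profile` (the `all_data` definition overwrote the `profile` one), while the array-scope builder releases `given_name` for `profile`, `email` for `email`, and both for `all_data`, without any duplicated claim definitions.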