Claims are used in tokens to provide information to clients (ID token) and to resources (access token).
The configuration of claims is part of the configuration of the flow or grant that will issue the tokens that contain the claims. This allows for different claims in tokens issued by an authorization code flow or a client credentials grant.
Access tokens only carry claims if they are configured as JWTs rather than as opaque tokens.
It is useful to differentiate the following types of claims:
- ID tokens and, to an extent, access tokens may contain a set of claims with precisely defined semantics, which are specified here: OIDC ID token claims.
- Custom claims carry business semantics and may be freely added to access and ID tokens. The values of these claims are configurable. A typical set of claims is defined here: OIDC standard claims.
- Distributed claims are part of the OIDC specification and can be used to add claims where the content is in a remote location, not in the token itself.
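The three claim types above, and the JWT versus opaque distinction, shown as an added example that is not this product's own code. It assumes the `_claim_names` and `_claim_sources` members from OpenID Connect Core for distributed claims; the issuer, endpoint and claim values are constructed.

```python
import base64
import json

# Claims with protocol-defined semantics in an ID token (OIDC Core, section 2).
ID_TOKEN_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time",
                   "nonce", "acr", "amr", "azp"}
# Members that reference aggregated or distributed claims (OIDC Core, 5.6.2).
REFERENCE_MEMBERS = {"_claim_names", "_claim_sources"}

def decode_payload(token):
    """Return the claims of a JWT, or None for an opaque token.
    Inspection only: the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None

def classify(claims):
    """Split claims into ID token, custom and distributed claims."""
    sources = claims.get("_claim_sources", {})
    distributed = {}
    for name, ref in claims.get("_claim_names", {}).items():
        src = sources.get(ref, {})
        if "endpoint" in src:  # the value lives at a remote endpoint
            distributed[name] = src["endpoint"]
    rest = {k: v for k, v in claims.items() if k not in REFERENCE_MEMBERS}
    return {
        "id_token": {k: v for k, v in rest.items() if k in ID_TOKEN_CLAIMS},
        "custom": {k: v for k, v in rest.items() if k not in ID_TOKEN_CLAIMS},
        "distributed": distributed,
    }

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample values (not real tokens); the signature is a placeholder.
SAMPLE_OPAQUE = "2YotnFZFEjr1zCsicMWpAA"
SAMPLE_CLAIMS = {
    "iss": "https://idp.example", "sub": "u-123", "aud": "client-1",
    "exp": 1700003600, "iat": 1700000000, "department": "finance",
    "_claim_names": {"credit_score": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://claims.example/score"}},
}
SAMPLE_JWT = ".".join([_b64url(b'{"alg":"RS256"}'),
                       _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])
```

A resource server must validate the token's signature, issuer and audience before acting on any of these claims, and should treat a distributed claim's endpoint as a separate trust decision.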