User Information Scopes

The claims returned by the operation that obtains information about the authenticated user depend on the scopes associated with the OAuth access token used to invoke the service. The scopes that the service takes into account when deciding which claims to return are described below.

Predefined Scopes

The user information service accepts the following predefined scopes, which model different sets of claims that can be obtained:

profile

Scope standardized by OpenID Connect for obtaining the user's profile, excluding contact information (the email address and telephone number have their own scopes).

The associated identity attributes are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale and updated_at.

email

Scope standardized by OpenID Connect for obtaining the user's email.

The associated identity attributes are email and email_verified.

phone

Scope standardized by OpenID Connect for obtaining the user's telephone number.

The associated identity attributes are phone_number and phone_number_verified.

urn:safelayer:eidas:external_info

Obtains the identity attributes provided by the federated identity providers or other external identity sources that the user authenticated with during the session.

This scope allows obtaining the external_info claim.

urn:safelayer:eidas:authn_details

Obtains details about the context and the user's authentication process.

The information is returned in the authn_details claim. Which details are returned depends on the authentication flows that were applied to authenticate the user. For example, if the flow included a Context analysis step, then, depending on the factors covered by the context analysis policy that was applied, the response may include information about the device used, the IP address, the status of the typing rhythm training, and other data.

Note

Requesting this scope is unusual. If the application only needs to know the authentication level reached or the methods the user passed, it should read the acr and amr claims instead; these claims are always included in the response of the user information service, whatever the scopes.

urn:safelayer:eidas:sign:identity:profile

Obtains information about the user's electronic signing identities.

This scope allows obtaining the sign_identities claim.

urn:safelayer:eidas:full_identity

Obtains the complete set of identity attributes of the user. Which attributes are returned depends on the identity domain and may also depend on the steps of the authentication process the user went through.

Important

Use of this scope should be limited to preproduction environments and only for integration tests: it releases every attribute the identity domain holds for the user, which defeats the purpose of restricting each application to the claims it actually needs.

Customized Scopes

In addition, the TRIDENT administrator can define arbitrary scopes, which can optionally be associated with sets of identity attributes. See [RSE_AUTH_ADMIN] for more information. If the application requested one or more of these scopes when obtaining the access token, invoking the user information service returns the associated identity attributes. Registered scopes can be combined with the predefined scopes, including the OpenID Connect ones.

If an attribute covered by a requested scope cannot be obtained (because the IdP does not handle that attribute, or because there is no value for the authenticated user), it is left out of the response even though the scope was requested. Applications should therefore treat every claim as optional and check for its presence rather than assume it.
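The following is an added example, not code from the product or this documentation. It models the behaviour described on this page (predefined and administrator-defined scopes selecting claims, acr and amr always being returned, and attributes without a value being silently omitted) so that an integrator can see what to expect from the response and how to consume it defensively. The custom scope urn:example:hr, its attributes, the identity record and the acr value are all constructed for illustration.

```python
"""
Added example (not the product's own code): a model of how a user information
service chooses the claims to return from the scopes bound to an access token,
and how a client should consume the result. All sample data is constructed.
"""
from typing import Dict, Iterable, List, Optional, Set

# Predefined scopes and the claims each one releases, as listed on this page.
PREDEFINED_SCOPES: Dict[str, List[str]] = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "phone": ["phone_number", "phone_number_verified"],
    "urn:safelayer:eidas:external_info": ["external_info"],
    "urn:safelayer:eidas:authn_details": ["authn_details"],
    "urn:safelayer:eidas:sign:identity:profile": ["sign_identities"],
}
# Releases every attribute the identity domain holds; preproduction/test use only.
FULL_IDENTITY_SCOPE = "urn:safelayer:eidas:full_identity"
# Claims returned whatever the scopes: acr and amr per this page, sub because
# every OpenID Connect UserInfo response must carry it.
ALWAYS_RETURNED = ["sub", "acr", "amr"]

# Assumed administrator-defined scope (hypothetical name and attribute set).
CUSTOM_SCOPES: Dict[str, List[str]] = {"urn:example:hr": ["employee_id", "department"]}

# Constructed identity record for one authenticated user. A value of None
# stands for "no value for this user"; attributes the IdP never handles
# (e.g. "department") are simply absent from the record.
SAMPLE_USER: Dict[str, object] = {
    "sub": "248289761001",
    "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe",
    "preferred_username": "jdoe", "locale": "en-GB", "updated_at": 1700000000,
    "email": "jane.doe@example.com", "email_verified": True,
    "phone_number": None,
    "employee_id": "E-1042",
    "acr": "urn:example:loa:2",   # constructed value, not a real product identifier
    "amr": ["pwd", "otp"],        # RFC 8176 method names
}


def allowed_claims(token_scopes: Iterable[str],
                   custom_scopes: Optional[Dict[str, List[str]]] = None) -> Optional[Set[str]]:
    """Claim names the token's scopes entitle the caller to.

    Returns None when the full-identity scope is present (everything is allowed).
    Scopes the service does not know, and custom scopes registered without
    attributes, contribute nothing.
    """
    scopes = set(token_scopes)
    if FULL_IDENTITY_SCOPE in scopes:
        return None
    allowed: Set[str] = set(ALWAYS_RETURNED)
    for scope in scopes:
        allowed.update(PREDEFINED_SCOPES.get(scope, []))
        allowed.update((custom_scopes or {}).get(scope, []))
    return allowed


def build_userinfo_response(user: Dict[str, object], token_scopes: Iterable[str],
                            custom_scopes: Optional[Dict[str, List[str]]] = None) -> Dict[str, object]:
    """Filter the identity record down to the claims the token is entitled to.

    Attributes with no value for the user, or not held by the IdP at all, are
    left out silently even though their scope was requested.
    """
    allowed = allowed_claims(token_scopes, custom_scopes)
    return {name: value for name, value in user.items()
            if value is not None and (allowed is None or name in allowed)}


def omitted_claims(response: Dict[str, object], token_scopes: Iterable[str],
                   custom_scopes: Optional[Dict[str, List[str]]] = None) -> Set[str]:
    """Claims a scope entitled the caller to that did not come back (useful when debugging an integration)."""
    allowed = allowed_claims(token_scopes, custom_scopes) or set()
    return {name for name in allowed if name not in response}


def trusted_email(response: Dict[str, object]) -> Optional[str]:
    """Client side: every claim is optional, and an email address is only usable
    when the IdP asserts it is verified. A missing claim is not an error."""
    email = response.get("email")
    if isinstance(email, str) and response.get("email_verified") is True:
        return email
    return None


if __name__ == "__main__":
    scopes = ["email", "phone"]
    response = build_userinfo_response(SAMPLE_USER, scopes)
    print("response:", response)
    print("requested but omitted:", omitted_claims(response, scopes))
    print("usable email:", trusted_email(response))
```

Requesting the phone scope for this user returns neither phone_number (no value stored) nor phone_number_verified (not present at all), while sub, acr and amr come back even though no scope asked for them; the client-side helper only uses the address when email_verified is true rather than assuming the claim exists.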