Claims query parameter support

vvc · March 24, 2026, 9:17pm

Hey folks,

I’m playing around with the OIDC (see section 5.5: OIDC Core) in Keycloak and expected it to return only the claims I ask for.

I’m sending something like:

http://<keycloak-server>/realms/<realm-name>/protocol/openid-connect/auth?
client_id=<client-id>
&redirect_uri=<redirect-uri>
&response_type=code
&scope=openid profile
&claims={"userinfo":{"<claim-name>":{"essential":true}}}

But Keycloak just returns all the mapped claims anyway, not only the one I requested.

Is that just how Keycloak works?
Does it actually support filtering via the claims parameter, or is it ignored?

And if it is supported, is there any way to make it return only the requested claims?

robson90 · March 25, 2026, 11:38am

Hey, I think there is a misunderstanding here.

You are NOT asking for claims, you are asking for a Scope.

A Scope can contain 0…X Mappers → Claim.

Please check the ClientScope Tab on your configured Client. There is a list with Default Scopes(They are always evaluated) and Optional Scopes(Those are only on request).

Please be aware, that oidc is default.

In your receiving token, you can see what scopes are applied. Without any Scope param, you will get only the default ones.

vvc · March 26, 2026, 3:26pm

Thanks for the clarification! That makes sense.

But I have a follow-up question: what if I have a single scope that contains 2 mappers — for example, the profile scope which contains both given_name and family_name — could I use the claims parameter to request only given_name in the ID Token?

I tried something like:

scope=openid profile
&claims={"id_token":{"given_name":null}}

But Keycloak returned all claims from profile anyway, ignoring the filter.

According to the OIDC, the claims parameter should allow requesting individual claims regardless of scopes. Is this filtering behavior simply not supported in Keycloak? If not, is the only reliable approach to have one mapper per scope?

dasniko · March 26, 2026, 3:40pm

According to the spec, one can request individual claims in addition to the claims returned by the scopes. The claims parameter is for extending, not for filtering.

Topic		Replies	Views
Scope and Claims parameters are not forwarded to another OIDC provider Getting advice admin-console , oidc	2	565	January 20, 2021
Provide Additional claims when getting access token Getting advice authentication	19	16171	March 28, 2024
Is there a way to map roles with their corresponding scopes in a single claim in keycloak OAuth token Getting advice authentication , oidc	1	588	July 15, 2021
Google oAuth2 SSO / Role Mapper for Google GSuite Groups Getting advice	8	3023	October 8, 2022
How to configure claims request parameter to external OpenID Connect Identity Provider Configuring the server	8	10718	April 20, 2023

Claims query parameter support

Related topics