From what I understand about using OpenID Connect (over OAuth2), we end up with some JSON containing information about the user. That information is transported as a JSON Web Token.
➥ What are the pieces of information specifically?
- User’s email?
- User’s mobile phone number?
- User’s human name?
- User’s “username” on some system?
- Some kind of unique identifier?
Looking through the OpenID Connect site, such as this page, mysteriously I cannot find any explanation of the payload at the end of an OpenID Connect transaction.
If multiple pieces of private information are provided, is there a way to ask for authorization to provide only a subset, such as email address but not phone number, just like the granularities of scope in an OAuth2 request for delegated authorization?
Most of what little I know about OpenID Connect came from the video presentation, OAuth 2.0 and OpenID Connect (in plain English) by Nate Barbettini of Okta.com. He explains the mechanisms & protocols very well, but did not touch on the actual content/payload.
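The following is an added example and is not part of the original post or of any OpenID Connect library. It shows the two things the question asks about: what an ID token's payload looks like (the standard claims plus the mandatory `iss`, `aud`, `exp`, `iat` and `sub`), and how the standard scopes (`openid`, `profile`, `email`, `address`, `phone`) select which user claims are released, so a client can ask for the email address without the phone number. The user record, issuer URL, client id, nonce and HS256 key are constructed for the demo; HS256 with the standard library keeps it self-contained, whereas real providers normally sign ID tokens with RS256/ES256 and clients verify them against the provider's published JWKS.

```python
"""Added example (not from the original post): issue, verify and inspect an
OpenID Connect ID token, and show how scopes select which claims are released."""
import base64
import hashlib
import hmac
import json

# Standard scope -> claims mapping from OpenID Connect Core 1.0, section 5.4.
# The openid scope itself yields sub, the stable unique identifier every ID token carries.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed user record held by the identity provider (not real data).
USER_RECORD = {
    "sub": "248289761001",          # unique identifier, stable per issuer
    "name": "Jane Doe",             # human name
    "preferred_username": "jdoe",   # username on the provider's system
    "email": "jane@example.com",
    "email_verified": True,
    "phone_number": "+1 555 0100",
    "phone_number_verified": False,
}

ISSUER = "https://idp.example.com"                  # assumed issuer URL
CLIENT_ID = "s6BhdRkqt3"                            # assumed client_id, becomes the aud claim
DEMO_KEY = b"demo-client-secret-not-for-production"  # assumed HS256 key for the demo


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def claims_for_scopes(scopes: str) -> set:
    """Return the user claims the space-separated scope string entitles a client to."""
    allowed = set()
    for scope in scopes.split():
        allowed |= SCOPE_CLAIMS.get(scope, set())  # unknown scopes release nothing
    return allowed


def issue_id_token(user, scopes, iat, exp, nonce=None, key=DEMO_KEY) -> str:
    """Provider side: put only the claims covered by the granted scopes into the token."""
    if "openid" not in scopes.split():
        raise ValueError("an ID token is only issued when the openid scope is requested")
    claims = {k: v for k, v in user.items() if k in claims_for_scopes(scopes)}
    claims.update({"iss": ISSUER, "aud": CLIENT_ID, "iat": iat, "exp": exp})
    if nonce is not None:
        claims["nonce"] = nonce  # binds the token to the client's authentication request
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_id_token(token, now, expected_nonce=None, key=DEMO_KEY) -> dict:
    """Client side: check alg, signature, issuer, audience, expiry and nonce before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept alg=none or an algorithm you did not expect
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    # Request only openid and email: the payload carries sub and email, not the phone number.
    token = issue_id_token(USER_RECORD, "openid email", iat=1_700_000_000, exp=1_700_003_600)
    print(json.dumps(verify_id_token(token, now=1_700_000_060), indent=2))
```

Requesting `openid email` yields a payload with `sub`, `email` and `email_verified` alongside `iss`, `aud`, `iat` and `exp`; adding `profile` or `phone` to the scope string releases the corresponding claims. Providers may also apply their own consent rules on top of the scopes, so the client should treat any absent claim as simply not granted rather than assuming it does not exist.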