1. Yes, the attributes must be active. 2. Yes, the scope needs to be type openid. Also, you must explicitly release this scope to the client in question (or make it a default scope available to any dynamically registered client).

The attributes within the claim, attributes can be set as 'not defined' - is this okay, or if they are within a claim do they need to be set as 'OpenID' (asking if the attributes within a claim need to have 'openid' set or if they're okay not being defined)? Your answer wasn't particularly clear so apologies for asking again. Does the 'view type' of attributes within a claim need to be set? (e.g. do I need to state that the view type is User, in order for user info endpoint to return claim information)? I have attached the scope to a client that I have created in OpenID - Is this sufficient?

Hi, D S. > is this okay, or if they are within a claim do they need to be set as 'OpenID' (asking if the attributes within a claim need to have 'openid' set or if they're okay not being defined)? That's correct, all attributes you wish to release as OpenID claim must be set as "OpenID" using this web UI control. > Does the 'view type' of attributes within a claim need to be set? No, it controls visibility and write permissions for attributes displayed on user's profile page in web UI. It shouldn't affect OIDC flows. >I have attached the scope to a client that I have created in OpenID - Is this sufficient? You set attribute's Usage Type as "OpenID", give it some valid claim name in "oxAuth claim name", then add it to some scope, and permit this scope to be released in your client's registration. You also need to properly configure your client's registration properties to match OIDC flows you'll be using.

Thanks for confirming that all attributes within a claim need to be set to 'openID' and not left as 'not defined'. When creating a scope (which will be attached to a client), should the scopetype be set as OpenID also? As on the GLUU docs it's just left as default? When you say, 'permit this scope to be released in your clients registration', I have added the scope to the Client (created the client in GLUU OpenID Client section) - is this sufficient enough? You also need to properly configure your client's registration properties to match OIDC flows you'll be using. < How do we do this?

> When you say, 'permit this scope to be released in your clients registration', I have added the scope to the Client (created the client in GLUU OpenID Client section) - is this sufficient enough? Yes. > How do we do this? You will have to read all related specifications and other information on how different OIDC flows operate that is available over the Internet, as well as Gluu's [own documentation](https://www.gluu.org/docs/). If you'll have some specific questions those sources won't be able to answer, you can always ask it here. We also have a variety of support subscription plans you may be interested in if you would like a more involvement from our side. Here are some links which were provided here before: - [OpenID Connect Specs](http://openid.net/connect) - [Basic Client Implementers Guide](http://openid.net/specs/openid-connect-basic-1_0.html) - [Slides from Microsoft](http://wiki.openid.net/w/file/fetch/80030063/OpenID_Connect_Overview_May_5_2014.pdf) - [Great overview from Travis Spencer](http://gluu.co/connect-deep-dive) - [Short overview on OAuth2 v. OpenID Connect](http://gluu.co/oauth2-v-openid-connect) - [New Standards Emerging for HoK Tokens](http://gluu.co/hok-standards) - [Minimalist blog from Nat Sakimura](http://nat.sakimura.org/2012/03/31/openid-connect-stripped-down-to-just-authentication) - [OpenID Connect Audiences](http://www.gluu.co/know-your-audience)

>should the scopetype be set as OpenID also? As on the GLUU docs it's just left as default? "Default" or "OpenID" is ok

The client must always request openid scope. It's required by the spec. It's enabled as a default scope in the Gluu Server CE install.