Scopes & Protocol Mappers

Aegis

Key capabilities

Client Scopes

Named collections of claims assigned per client. Different apps get different token contents — no one-size-fits-all.

Protocol Mappers

Rules that extract data from the user and inject it as JWT claims. Map roles, attributes, or hardcoded values.

Standard OIDC

Ships with openid, profile, email, address, phone, offline_access, and introspect scopes pre-configured.

Default vs Optional

Default scopes are always included. Optional scopes are only included when the client explicitly requests them.

Custom Claims

Add business-specific claims — department, plan tier, feature flags — through custom protocol mapper rules.

Minimal Exposure

Public mobile apps get sub and email. Internal admin tools get realm_roles. Fine-grained data minimization.

How it works

1. Client requests scopes

During authentication, the client specifies which scopes it needs (e.g., openid email profile).

2. Scopes resolved

Aegis looks up the client's default scopes and merges in any requested optional scopes.

3. Mappers executed

Each protocol mapper in the resolved scopes runs — extracting data from the user object and producing claims.

4. Claims assembled

All claims are merged into the final JWT payload and signed. Only the requested data is included.
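The four steps above, together with the "Minimal Exposure" point (a public mobile client ends up with sub and email, an internal admin tool with realm_roles), are easiest to see in working code. The following is an added illustration written for this page, not Aegis's own code or API: the mapper helpers, the scope registry (including the "roles" and "plan" scopes), the client ids "mobile-app" and "admin-tool", the sample user and the HS256 demo key are all constructed. It uses only the Python standard library.

```python
"""Scope resolution, protocol mappers and JWT assembly, step by step.
Added example; names, scopes, clients and data are constructed, not Aegis's."""
import base64
import hashlib
import hmac
import json

# --- Protocol mappers: each takes the user object and returns claims ---
def user_attribute(attr, claim):
    """Copy one user attribute into the token under the given claim name, if present."""
    def run(user):
        value = user.get("attributes", {}).get(attr)
        return {} if value is None else {claim: value}
    return run

def realm_roles(claim="realm_roles"):
    """Emit the user's realm roles as a sorted list."""
    return lambda user: {claim: sorted(user.get("roles", []))}

def hardcoded(claim, value):
    """Emit a fixed value, e.g. a feature flag."""
    return lambda user: {claim: value}

# --- Client scope registry: scope name -> the mappers it carries (constructed) ---
SCOPES = {
    "openid":  [lambda user: {"sub": user["id"]}],
    "email":   [user_attribute("email", "email"),
                user_attribute("email_verified", "email_verified")],
    "profile": [user_attribute("given_name", "given_name"),
                user_attribute("family_name", "family_name")],
    "roles":   [realm_roles()],
    "plan":    [user_attribute("plan_tier", "plan_tier"),
                hardcoded("feature_beta", True)],
}

# --- Per-client assignment of default and optional scopes (constructed) ---
CLIENTS = {
    "mobile-app": {"default": ["openid", "email"], "optional": ["profile"]},
    "admin-tool": {"default": ["openid", "roles"], "optional": ["email", "plan"]},
}

def resolve_scopes(client_id, requested):
    """Step 2: defaults always apply, optional scopes only when requested.
    Scopes never assigned to the client are dropped, so a client cannot widen
    its own token by asking for more."""
    client = CLIENTS[client_id]
    resolved = list(client["default"])
    for scope in requested:
        if scope in client["optional"] and scope not in resolved:
            resolved.append(scope)
    return resolved

def build_claims(client_id, requested, user):
    """Step 3: run every mapper of every resolved scope and merge the results."""
    resolved = resolve_scopes(client_id, requested)
    claims = {}
    for scope in resolved:
        for mapper in SCOPES.get(scope, []):
            claims.update(mapper(user))
    claims["scope"] = " ".join(resolved)  # record what was actually granted
    return claims

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, key: bytes) -> str:
    """Step 4: compact HS256 JWS over the assembled claims (symmetric key, demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes):
    """Return the claims if the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))

USER = {  # constructed sample user
    "id": "user-42",
    "roles": ["realm-admin", "user"],
    "attributes": {"email": "ada@example.com", "email_verified": True,
                   "given_name": "Ada", "family_name": "Lovelace", "plan_tier": "pro"},
}
DEMO_KEY = b"demo-only-not-a-real-key"

if __name__ == "__main__":
    for client, requested in (("mobile-app", ["openid", "email", "profile", "roles"]),
                              ("admin-tool", ["openid"])):
        claims = build_claims(client, requested, USER)  # step 1: the request
        token = sign_jwt(claims, DEMO_KEY)
        print(client, "->", sorted(claims))
        assert verify_jwt(token, DEMO_KEY) == claims
```

Running it shows the minimization in practice: the mobile client asks for "roles" but never receives realm_roles because that scope is not assigned to it, while the admin tool receives realm_roles from its defaults without asking and gets no email unless it requests that optional scope. The "scope" claim is a convenience so a resource server can see what was granted rather than what was requested.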

Ready to use Aegis?

Full reference, configuration options, and examples in the documentation.
