Scopes provide a way to limit the amount of access that is granted to an access token.
They are used both in OAuth2 and OpenIDConnect. However, OpenIDConnect extends the usage of scopes.
OAuth2 vs OpenIDConnect
You can implement your APIs to require a specific scope, or a combination of scopes, per endpoint. So, when a client receives a token that carries only the "READ" scope and uses it to call an API endpoint that requires "WRITE" access, the call will fail.
OAuth scopes are defined as a list of names in the metadata.
OAuth scopes are applied on the API Service Providers in IDhub. There you define which scope(s) are allowed to access certain API locations and methods.
OpenIDConnect is an extension of OAuth2, so the principles covered by OAuth2 still apply. In addition, a Service Provider can request additional user information (claims) from the IDP; these are provided in an ID Token, alongside the Access Token.
Pre-defined sets of claims can be requested using specific scope values. Although not currently supported by IDhub, individual claims can also be requested using the claims request parameter.
A scope called 'openid' MUST be included in an Authorization request to make it an OpenIDConnect request. Otherwise, the request is treated as a plain OAuth2 request.
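The two checks described above, scope enforcement on an API endpoint and the 'openid' scope deciding whether an authorization request is OpenIDConnect or plain OAuth2, as an added example that is not IDhub's own code. The endpoint policy, the token claims and the authorization URLs are constructed sample data; the example assumes scopes arrive as a space-separated string in a 'scope' claim, as in RFC 9068.

```python
# Added example (not IDhub's own code): scope enforcement on a resource
# server and classification of an authorization request as OAuth2 vs OIDC.
from urllib.parse import parse_qs, urlparse

# Constructed sample policy: required scopes per (method, path), the kind of
# rule an API Service Provider would define for its API locations and methods.
POLICY = {
    ("GET", "/documents"): {"READ"},
    ("POST", "/documents"): {"WRITE"},
    ("DELETE", "/documents"): {"READ", "WRITE"},  # both scopes required
}


def token_scopes(token_claims):
    """Return the set of scopes granted to an access token.

    Assumption: scopes are carried as a space-separated string in the
    'scope' claim (RFC 9068 convention); a missing claim means no scopes.
    """
    return set(token_claims.get("scope", "").split())


def authorize(token_claims, method, path):
    """Allow the call only if the token holds every scope the endpoint requires."""
    required = POLICY.get((method, path))
    if required is None:
        return False  # unknown endpoint: fail closed rather than open
    return required <= token_scopes(token_claims)


def is_oidc_request(authorization_url):
    """True if the authorization request's scope parameter includes 'openid'."""
    params = parse_qs(urlparse(authorization_url).query)
    requested = set(" ".join(params.get("scope", [])).split())
    return "openid" in requested
```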