Querying the UserInfo Endpoint
The OpenID Connect UserInfo endpoint is used by an application to retrieve profile information about the identity that authenticated. Applications can use this endpoint to retrieve profile information, preferences, and other user-specific information.
The OpenID Connect profile consists of two components:

- Claims describing the user
- A UserInfo endpoint providing a mechanism to retrieve these claims

Note: User claims can also be presented inside the ID Token to eliminate a callback during authentication time.
User Profile Claims
The UserInfo endpoint provides a set of claims based on the OAuth2 scopes presented in the authentication request. OpenID Connect defines five scope values that map to a specific set of default claims:
| OpenID Connect Scope | Returned Claims |
|---|---|
| openid | None - Indicates this is an OpenID Connect request |
| profile | name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at |
| address | address |
| email | email, email_verified |
| phone | phone_number, phone_number_verified |
The client needs to present its credentials and an access token. The access token presented must contain the openid scope.

If a scope is omitted (for example, the email scope isn't requested), the corresponding claims (email and email_verified) won't be present in the returned claims.
Sample UserInfo Endpoint Request Example
After the client application has authenticated a user and holds the access token, the client can make a request to the UserInfo endpoint to retrieve the requested attributes about that user. The following example shows such a request (the bearer token is truncated):

```shell
curl -i \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Bearer eyJ4NXQjUzI1....rtApFw' \
  -H 'Accept: */*' \
  -H 'Content-Language: en-US' \
  --request GET https://tenant-base-url/oauth2/v1/userinfo
```
Response Example
A successful response returns an HTTP 200 OK status and the user's claims in JSON format:

```json
{
  "birthdate": "",
  "email": "user@example.com",
  "email_verified": false,
  "family_name": "user",
  "gender": "",
  "given_name": "user",
  "appRoles": [],
  "name": "alice alice",
  "preferred_username": "user@example.com",
  "sub": "user@example.com",
  "updated_at": 1495136783,
  "website": ""
}
```
Before the client application can trust the values returned from the UserInfo endpoint (for example, as a defense against a token substitution attack), the client must verify that the sub claim returned by the UserInfo endpoint matches the subject (sub) from the ID Token.
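The following is an added example (not code from the original page or the service it documents) of the client-side handling described above: it builds the UserInfo GET request, rejects the response unless its sub matches the already-validated ID Token, and keeps only the claims the requested scopes entitle the client to expect, so an omitted scope simply yields absent claims rather than an error. The sample ID Token and response are constructed; the base URL `https://tenant-base-url` follows the page, and ID Token signature validation is assumed to have happened earlier.

```python
"""UserInfo client checks: subject match against the ID Token and scope-based claim filtering."""
import base64
import json
import urllib.request

# Default claims per OpenID Connect scope, taken from the table on this page.
SCOPE_CLAIMS = {
    "openid": set(),
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "address": {"address"},
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
}


def build_userinfo_request(base_url: str, access_token: str) -> urllib.request.Request:
    """Build the GET request shown on the page; the access token travels as a Bearer header."""
    return urllib.request.Request(
        f"{base_url}/oauth2/v1/userinfo",
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
        method="GET",
    )


def id_token_subject(id_token: str) -> str:
    """Read 'sub' from an ID Token whose signature has ALREADY been verified.

    This only decodes the payload segment; it is not signature validation.
    """
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def check_userinfo(userinfo: dict, id_token: str, scopes: set) -> dict:
    """Reject a UserInfo response whose sub differs from the ID Token (token substitution check),
    then return only the claims the requested scopes entitle the client to; missing claims are
    not an error, since an omitted scope means the claim is simply absent."""
    expected_sub = id_token_subject(id_token)
    if userinfo.get("sub") != expected_sub:
        raise ValueError(f"sub mismatch: userinfo={userinfo.get('sub')!r} id_token={expected_sub!r}")
    allowed = {"sub"}.union(*(SCOPE_CLAIMS[s] for s in scopes if s in SCOPE_CLAIMS))
    return {k: v for k, v in userinfo.items() if k in allowed}


# Constructed sample: unsigned-format ID Token whose payload is {"sub":"user@example.com"}.
SAMPLE_ID_TOKEN = "hdr.eyJzdWIiOiJ1c2VyQGV4YW1wbGUuY29tIn0.sig"
SAMPLE_USERINFO = {"sub": "user@example.com", "email": "user@example.com",
                   "email_verified": False, "name": "alice alice", "appRoles": []}

if __name__ == "__main__":
    print(check_userinfo(SAMPLE_USERINFO, SAMPLE_ID_TOKEN, {"openid", "email"}))
```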