Querying the UserInfo Endpoint

The OpenID Connect UserInfo endpoint lets an application retrieve profile information about the identity that authenticated: user claims, preferences, and other user-specific attributes.

The OpenID Connect profile consists of two components:

  • Claims describing the user

  • UserInfo endpoint providing a mechanism to retrieve these claims

    Note:

    User claims can also be placed directly inside the ID Token, which removes the need for an additional call to the UserInfo endpoint during authentication.

User Profile Claims

The UserInfo endpoint provides a set of claims based on the OAuth2 scopes presented in the authentication request. OpenID Connect defines five scope values that map to a specific set of default claims:

OpenID Connect scope and the claims it returns:

  • openid: none; indicates that this is an OpenID Connect request

  • profile: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at

  • address: address

  • email: email, email_verified

  • phone: phone_number, phone_number_verified

The client needs to present its credentials and an access token. The access token presented must contain the openid scope.

If a scope is omitted from the request (for example, the email scope isn't requested), the claims it maps to (email and email_verified) are not present in the returned claims.

UserInfo Endpoint Request Example

After the client application has authenticated a user and holds the access token, the client can make a request to the UserInfo endpoint to retrieve the requested attributes about the user. The following is an example request:

curl -i \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Bearer eyJ4NXQjUzI1....rtApFw' \
  -H 'Accept: */*' \
  -H 'Content-Language: en-US' \
  --request GET https://tenant-base-url/oauth2/v1/userinfo

Response Example

A successful response returns an HTTP 200 OK response and the user's claims in JSON format:

{
  "birthdate": "",
  "email": "user@example.com",
  "email_verified": false,
  "family_name": "user",
  "gender": "",
  "given_name": "user",
  "appRoles": [],
  "name": "alice alice",
  "preferred_username": "user@example.com",
  "sub": "user@example.com",
  "updated_at": 1495136783,
  "website": ""
}

Before the client application trusts the values returned from the UserInfo endpoint, it must verify that the sub claim in the UserInfo response matches the subject (sub) of the ID Token. This check protects against a token substitution attack, where an access token issued for a different user is presented to the UserInfo endpoint.
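The following Python script is an added example, not code from the original page or from the identity service it documents. It builds the request headers used in the curl example, maps granted scopes to the default claims from the table above, parses the response, and applies the sub-claim check against the ID Token. The ID Token and the response body are constructed inline for the demo (the token's signature segment is a placeholder); the script assumes the ID Token was already validated (signature, issuer, audience, expiry) when it was received and only reads its sub claim here. The client id and issuer values are made-up placeholders.

```python
import base64
import json

# Endpoint from the page; "tenant-base-url" stands for the tenant's base URL.
USERINFO_URL = "https://tenant-base-url/oauth2/v1/userinfo"

# Default claims each OpenID Connect scope maps to, as listed in the table above.
SCOPE_CLAIMS = {
    "openid": set(),
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "address": {"address"},
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
}


def userinfo_request_headers(access_token):
    """Headers for the GET to the UserInfo endpoint (as in the curl example)."""
    return {
        "Authorization": f"Bearer {access_token}",
        "Accept": "*/*",
        "Content-Language": "en-US",
    }


def expected_claims(granted_scopes):
    """Claims the client may expect, given the scopes carried by the access token."""
    if "openid" not in granted_scopes:
        raise ValueError("access token must carry the openid scope")
    claims = set()
    for scope in granted_scopes:
        claims |= SCOPE_CLAIMS.get(scope, set())
    return claims


def _b64url(data):
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_subject(id_token):
    """Read 'sub' from the payload segment of an already validated ID Token."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def parse_userinfo_response(status, body):
    """Accept only an HTTP 200 OK whose body is a JSON object."""
    if status != 200:
        raise ValueError(f"UserInfo request failed with HTTP {status}")
    claims = json.loads(body)
    if not isinstance(claims, dict):
        raise ValueError("UserInfo body is not a JSON object")
    return claims


def subject_matches(claims, id_token):
    """True when the UserInfo 'sub' equals the ID Token 'sub'."""
    return claims.get("sub") == id_token_subject(id_token)


def verify_userinfo(claims, id_token):
    """The check from the page: refuse UserInfo claims whose sub differs from the ID Token's."""
    if not subject_matches(claims, id_token):
        raise ValueError(
            f"sub mismatch: UserInfo {claims.get('sub')!r} vs ID Token "
            f"{id_token_subject(id_token)!r}; possible token substitution")
    return claims


# Constructed ID Token (header.payload.signature); signature is a placeholder.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "user@example.com",
                        "iss": "https://tenant-base-url",
                        "aud": "example-client-id"}).encode()),
    "signature-placeholder",
])

# The response body shown on the page, serialised as the server would send it.
SAMPLE_RESPONSE_BODY = json.dumps({
    "birthdate": "", "email": "user@example.com", "email_verified": False,
    "family_name": "user", "gender": "", "given_name": "user", "appRoles": [],
    "name": "alice alice", "preferred_username": "user@example.com",
    "sub": "user@example.com", "updated_at": 1495136783, "website": "",
})

if __name__ == "__main__":
    claims = parse_userinfo_response(200, SAMPLE_RESPONSE_BODY)
    verify_userinfo(claims, SAMPLE_ID_TOKEN)
    print("usable claims for openid+profile:",
          sorted(expected_claims({"openid", "profile"})))
```

Running the script prints the profile claims the client may expect; note that expected_claims({"openid", "profile"}) does not include email, matching the behaviour described above when the email scope is omitted. Sending the real request is a single urllib or requests GET with userinfo_request_headers(); it is left out so the example runs offline.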