UserInfo endpoint
OAuth clients can present access tokens to the UserInfo endpoint to retrieve additional information about the resource owners.
You can customize the amount of information presented by the endpoint by using OpenID Connect policies. Information can include specification-defined attributes (standard attributes) and non-standard attributes. The scopes that the user authorized also determine which attributes are returned.
This endpoint accepts HTTP GET requests without parameters. Clients must present valid access tokens for authentication.
Example
Endpoint example: /idp/userinfo.openid
$ curl -s https://localhost:9031/idp/userinfo.openid -H 'Authorization: Bearer eyJ...9-g'|python -m json.tool
{
"email": "auser@example.com",
"phone_number": "(555) 555-5555",
"phone_number_verified": true,
"sub": "joe"
}
The self-contained access token in the
If the access token presented is not valid, PingFederate returns 401 Unauthorized.
Self-contained tokens
If clients using self-contained access tokens are expected to contact the UserInfo endpoint, consider the following implications.
- Client ID Claim Name
  This field's default value is client_id. When this field is configured with a value, PingFederate includes the client ID of the requesting client as a claim in the self-contained tokens. The claim name is the value of the Client ID Claim Name field. If the field value is empty, PingFederate does not include the client ID in the self-contained token. In this scenario, the access token manager (ATM) instance used by the default OpenID Connect policy must remain accessible to all clients, or clients using self-contained access tokens issued by this ATM instance will not be able to retrieve additional claims from the UserInfo endpoint. Instead, they receive an HTTP status code 401 Unauthorized from PingFederate. For more information, see Defining access control.
- Scope Claim Name
  This field's default value is scope. When this field is configured with a value, PingFederate includes the requested scopes as a claim in the self-contained tokens. The claim name is the value of the Scope Claim Name field. If the field value is empty, PingFederate will not include any scope information in the self-contained token, and clients using self-contained access tokens issued by this ATM instance will not be able to retrieve additional claims from the UserInfo endpoint. Instead, they receive an HTTP status code 403 Forbidden from PingFederate.