OAuth clients can optionally present access tokens to the UserInfo endpoint to retrieve additional information about their users, the resource owners. The amount of information returned is customizable through one or more OpenID Connect policies. It may include specification-defined attributes (standard attributes) and non-standard attributes. The scopes authorized by the user also determine which attributes are returned.

Note:

This endpoint is only active when the OAuth AS role and the OpenID Connect protocol are enabled on the System > Protocol Settings > Roles & Protocols screen.

Note:

This endpoint accepts HTTP GET requests without parameters. Clients must present a valid access token for authentication.

Endpoint: /idp/userinfo.openid

Example
$ curl -s https://localhost:9031/idp/userinfo.openid -H 'Authorization: Bearer eyJ...9-g'|python -m json.tool
{
    "email": "auser@example.com",
    "phone_number": "(555) 555-5555",
    "phone_number_verified": true,
    "sub": "joe"
}

Note that the self-contained access token in the Authorization HTTP header is truncated for readability.

If the access token presented is not valid, PingFederate returns to the client HTTP status code 401 Unauthorized.

Self-contained tokens

If clients using self-contained access tokens are expected to contact the UserInfo endpoint, care must be taken when configuring the Client ID Claim Name and Scope Claim Name settings in the Access Token Management (ATM) instance (or instances) that these clients use.

Client ID Claim Name
The default value of this field is client_id. When this field is configured with a value, PingFederate includes the client ID of the requesting client as a claim in the self-contained tokens. The claim name is the value of the Client ID Claim Name field.
If the field value is removed and left blank, PingFederate does not include the client ID of the requesting client in the self-contained tokens. Without that claim, PingFederate cannot identify the requesting client from the token alone, so the ATM instance used by the default OpenID Connect policy must remain accessible to all clients (see Defining access control); otherwise, clients using self-contained access tokens issued by this ATM instance (configured without a Client ID Claim Name field value) will not be able to retrieve additional claims from the UserInfo endpoint. Instead, they receive from PingFederate an HTTP status code 401 Unauthorized.
Scope Claim Name
The default value of this field is scope. When this field is configured with a value, PingFederate includes the requested scopes as a claim in the self-contained tokens. The claim name is the value of the Scope Claim Name field.
If the field value is removed and left blank, PingFederate does not include any scope information in the self-contained token. As a result, clients using self-contained access tokens issued by this ATM instance (configured without a Scope Claim Name field value) will not be able to retrieve additional claims from the UserInfo endpoint. Instead, they receive from PingFederate an HTTP status code 403 Forbidden.
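The following Python script is an added example, not part of the PingFederate documentation or product. It decodes the payload of a self-contained (JWT) access token without verifying its signature, checks whether the claims governed by the Client ID Claim Name and Scope Claim Name settings are present, and reports the UserInfo outcome the two sections above document (401 when the client ID claim is missing and the ATM is not accessible to all clients, 403 when the scope claim is missing). It also calls /idp/userinfo.openid with the Bearer header shown in the curl example. The claim names, the sample tokens and the `atm_accessible_to_all` flag are assumptions constructed for the example; the constructed tokens are unsigned and only serve local inspection, PingFederate would reject them.

```python
import base64
import json
import urllib.error
import urllib.request


def b64url_decode(segment):
    # base64url (RFC 7515) omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Return the payload claims of a JWS compact-serialized token.

    The signature is deliberately NOT verified: this inspects what the
    ATM placed in the token, it is not a trust decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS compact serialization")
    return json.loads(b64url_decode(parts[1]))


def make_unsigned_token(claims):
    """Constructed, unsigned sample token for local inspection only
    (assumption for this example; PingFederate would reject it)."""
    header = {"alg": "none", "typ": "JWT"}
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode())
            for x in (header, claims)]
    return ".".join(segs) + "."


def userinfo_problems(claims, client_id_claim="client_id",
                      scope_claim="scope", atm_accessible_to_all=False):
    """List (status, reason) pairs predicting why the UserInfo endpoint
    would refuse this token, per the ATM claim-name rules above.
    An empty list means both claims are present.
    client_id_claim / scope_claim mirror the ATM settings; 'client_id'
    and 'scope' are the documented defaults. atm_accessible_to_all is an
    assumed flag standing in for the ATM access-control configuration."""
    problems = []
    if not claims.get(client_id_claim) and not atm_accessible_to_all:
        problems.append((401, "no %r claim and ATM is not accessible "
                              "to all clients" % client_id_claim))
    if not claims.get(scope_claim):
        problems.append((403, "no %r claim in token" % scope_claim))
    return problems


def fetch_userinfo(token, base_url="https://localhost:9031", timeout=10):
    """GET /idp/userinfo.openid with the token as a Bearer credential.
    Returns (status, claims-or-None); 401/403 come back as the status."""
    req = urllib.request.Request(
        base_url + "/idp/userinfo.openid",
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, None


if __name__ == "__main__":
    # Constructed sample: both default claims present, so no problems expected.
    good = make_unsigned_token({"sub": "joe", "client_id": "ac_client",
                                "scope": "openid email phone"})
    print(userinfo_problems(decode_jwt_claims(good)))
    # Constructed sample: Scope Claim Name left blank in the ATM -> 403.
    no_scope = make_unsigned_token({"sub": "joe", "client_id": "ac_client"})
    print(userinfo_problems(decode_jwt_claims(no_scope)))
```

Run the checks before a real call: if `userinfo_problems` is non-empty, the fix is in the ATM instance (restore the claim name, or make the ATM accessible to all clients), not in the client. For a custom ATM that names the claims differently, pass the configured names, for example `userinfo_problems(claims, client_id_claim="azp", scope_claim="scp")`.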