We now have an authenticated user. The next step is to request the user's profile attributes so that we can personalize the app experience and render the appropriate content. This is done by requesting the contents of the UserInfo endpoint.

Accessing the UserInfo endpoint requires the access token that was issued in response to the authorization request. Because the implicit flow returns the access token through the user agent (in the URL fragment), a token obtained elsewhere can be substituted during the authorization process. Before using the access token, the client should validate the at_hash value in the id_token to ensure the received access token is the one that was issued alongside that id_token.

To validate the at_hash value, see section 4.5. Once the at_hash has been verified, the client can present the access token as a bearer token to request the user profile:


GET https://localhost:9031/idp/userinfo.openid HTTP/1.1
Authorization: Bearer b5bU8whkHeD6k9KQK7X6lMJrdVtV

The response from the UserInfo endpoint is a JSON object containing the requested OpenID Connect profile claims:


{
	"sub":"nfyfe",
	"family_name":"Fyfe",
	"given_name":"Nathan",
	"nickname":"Nat",
	...[additional claims]...
}

Before we can be confident that the UserInfo response describes the authenticated user, we must also check that the subject ("sub" claim) returned from the UserInfo endpoint matches the "sub" claim we received in the id_token. In this case the "sub" claim is "nfyfe" in both the UserInfo response and the id_token, so we can use the values in the UserInfo response for our application needs.
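The two client-side checks described above (the at_hash check before the access token is used, and the "sub" comparison after the UserInfo response comes back) can be combined into one gate. The following is an added example, not code from the original page or from the identity provider it describes. It assumes the id_token's signature, iss, aud, exp and nonce have already been verified, and that the caller passes in the id_token's JWS "alg" and its decoded claims. The access token and the UserInfo body are the values shown on this page; the id_token claims (including the "aud" value "sample-client") are constructed for the example and are not real tokens.

```python
import base64
import hashlib
import hmac
import json

# Digest implied by the id_token's JWS "alg". at_hash is the left-most half of
# hash(access_token) using that digest, base64url-encoded without padding
# (OpenID Connect Core 1.0, section 3.2.2.9).
AT_HASH_DIGESTS = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512,
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_at_hash(access_token: str, alg: str) -> str:
    """Return the at_hash an OP would embed for this access token and id_token alg."""
    digest = AT_HASH_DIGESTS[alg](access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def at_hash_matches(access_token: str, id_token_claims: dict, alg: str) -> bool:
    """True only if the id_token carries an at_hash that binds this access token."""
    expected = id_token_claims.get("at_hash")
    if alg not in AT_HASH_DIGESTS or not isinstance(expected, str) or not expected.isascii():
        return False
    # Constant-time comparison of the two base64url strings.
    return hmac.compare_digest(compute_at_hash(access_token, alg), expected)


def subject_matches(id_token_claims: dict, userinfo_claims: dict) -> bool:
    """UserInfo must describe the same subject the id_token authenticated."""
    sub = id_token_claims.get("sub")
    return isinstance(sub, str) and sub != "" and sub == userinfo_claims.get("sub")


def validate_userinfo(access_token: str, alg: str, id_token_claims: dict, userinfo_body: str):
    """Gate both checks. Returns (ok, reason, claims); claims is None on failure.
    Call only after the id_token itself has been verified (signature, iss, aud, exp, nonce)."""
    if not at_hash_matches(access_token, id_token_claims, alg):
        return False, "at_hash mismatch: access token was not issued with this id_token", None
    try:
        userinfo = json.loads(userinfo_body)
    except ValueError:
        return False, "UserInfo body is not valid JSON", None
    if not isinstance(userinfo, dict) or not subject_matches(id_token_claims, userinfo):
        return False, "sub mismatch: UserInfo does not describe the authenticated user", None
    return True, "ok", userinfo


# Sample input, constructed for this example. The access token and UserInfo
# body are the ones shown on this page; the id_token claims are made up.
ACCESS_TOKEN = "b5bU8whkHeD6k9KQK7X6lMJrdVtV"
ID_TOKEN_ALG = "RS256"
ID_TOKEN_CLAIMS = {
    "iss": "https://localhost:9031",
    "sub": "nfyfe",
    "aud": "sample-client",                       # hypothetical client id
    "at_hash": compute_at_hash(ACCESS_TOKEN, ID_TOKEN_ALG),
}
USERINFO_BODY = '{"sub":"nfyfe","family_name":"Fyfe","given_name":"Nathan","nickname":"Nat"}'

if __name__ == "__main__":
    ok, reason, claims = validate_userinfo(ACCESS_TOKEN, ID_TOKEN_ALG, ID_TOKEN_CLAIMS, USERINFO_BODY)
    print(ok, reason, claims)
    # A substituted access token fails the at_hash check before UserInfo is ever called.
    print(validate_userinfo("X" + ACCESS_TOKEN[1:], ID_TOKEN_ALG, ID_TOKEN_CLAIMS, USERINFO_BODY)[:2])
```

The at_hash is recomputed from the "alg" of the already-verified id_token rather than from anything the client chooses, so a token of the wrong digest length (for example an RS384-sized hash presented with an RS256 id_token) fails the comparison instead of being accepted. The "sub" comparison is deliberately strict: a missing or empty "sub" on either side is treated as a mismatch.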