Once the client application has authenticated a user and is in possession of an access token, it can make a request to the UserInfo endpoint to retrieve the requested attributes about that user. The request presents the access token using one of the methods described in RFC 6750 (normally the Authorization: Bearer header).

The UserInfo endpoint provided by PingFederate is located at: https://<pingfederate_base_url>/idp/userinfo.openid

Note: The UserInfo endpoint can also be determined by querying the OpenID Connect configuration information endpoint: https://<pingfederate_base_url>/.well-known/openid-configuration.

An example HTTP client request to the UserInfo endpoint:

GET https://pf.company.com:9031/idp/userinfo.openid HTTP/1.1
Authorization: Bearer 

A successful response returns an HTTP 200 OK status and the user's claims as a JSON object:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

  ...[additional claims]...

Before the client application trusts the values returned from the UserInfo endpoint, it must verify that the "sub" claim in the UserInfo response matches the "sub" claim of the id_token it received for this user. This check defends against token substitution, where an access token issued for a different user (or obtained elsewhere) is presented, and without it the client would attach another subject's attributes to the authenticated session.
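As an added example (not from the PingFederate documentation), a minimal Python client that builds the RFC 6750 bearer request to the UserInfo endpoint and rejects the response when its sub does not match the ID token's sub. The base URL, access token, claim values and the injectable `send` callable are assumptions, and the sample ID token is constructed for the demo (its signature is assumed to have been verified when the token was first accepted).

```python
import base64
import json
from typing import Callable, Dict
from urllib.request import Request

USERINFO_PATH = "/idp/userinfo.openid"  # PingFederate UserInfo endpoint path


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(payload: dict) -> str:
    """Constructed for the demo: JWT-shaped token with a dummy signature segment."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.dummysignature"


def jwt_payload(token: str) -> Dict:
    """Decode the payload of a compact JWS; signature checking happened earlier."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_userinfo_request(base_url: str, access_token: str) -> Request:
    """Bearer token in the Authorization header, per RFC 6750 section 2.1."""
    return Request(base_url.rstrip("/") + USERINFO_PATH, method="GET",
                   headers={"Authorization": f"Bearer {access_token}",
                            "Accept": "application/json"})


def fetch_userinfo(base_url: str, access_token: str, id_token: str,
                   send: Callable[[Request], bytes]) -> Dict:
    """Call UserInfo via `send` (assumed HTTP transport) and enforce the sub check."""
    claims = json.loads(send(build_userinfo_request(base_url, access_token)))
    expected_sub = jwt_payload(id_token)["sub"]
    if claims.get("sub") != expected_sub:
        # Mismatch means the access token does not belong to the authenticated user.
        raise ValueError(f"UserInfo sub {claims.get('sub')!r} != id_token sub {expected_sub!r}")
    return claims


if __name__ == "__main__":
    id_tok = make_sample_id_token({"sub": "user123", "aud": "client-app"})
    # Constructed stand-in for the server response; a real client would send the request.
    stub = lambda req: b'{"sub": "user123", "email": "user123@example.com"}'
    print(fetch_userinfo("https://pf.company.com:9031", "access-token-here", id_tok, stub))
```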