OAuth clients can present access tokens to the UserInfo endpoint to retrieve additional information about the resource owners.
You can customize the amount of information presented by the endpoint by using OpenID Connect policies. Information can include specification-defined attributes (standard attributes) and non-standard attributes. Scopes, authorized by the users, also determine the attributes to be returned.
This endpoint accepts HTTP GET requests without parameters. Clients must present a valid access token as a bearer token in the Authorization HTTP header; the endpoint authenticates the request with that token alone.
Endpoint example: /idp/userinfo.openid
$ curl -s https://localhost:9031/idp/userinfo.openid -H 'Authorization: Bearer eyJ...9-g' | python -m json.tool
{
"email": "auser@example.com",
"phone_number": "(555) 555-5555",
"phone_number_verified": true,
"sub": "joe"
}
The self-contained access token in the Authorization HTTP header is truncated for readability.
If the access token presented is not valid, PingFederate returns 401 Unauthorized.
Self-contained tokens

If clients using self-contained access tokens are expected to contact the UserInfo endpoint, consider the following implications. The endpoint selects attributes according to the requesting client's OpenID Connect policy and the scopes the user authorized, so a self-contained token must carry the client ID and the scopes as claims for the endpoint to apply them.
- Client ID Claim Name: This field's default value is client_id. When this field is configured with a value, PingFederate includes the client ID of the requesting client as a claim in the self-contained tokens. The claim name is the value of the Client ID Claim Name field.
- Scope Claim Name: This field's default value is scope. When this field is configured with a value, PingFederate includes the requested scopes as a claim in the self-contained tokens. The claim name is the value of the Scope Claim Name field.
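The following Python sketch is an added illustration of why those two claims matter; it is not PingFederate code and does not describe the product's internal logic. It mints a constructed HS256-signed self-contained token, then answers a UserInfo request the way the text describes: it rejects a malformed, tampered, or expired token with 401, reads the client ID and scope claims under their default names (client_id and scope), and releases only the attributes covered by the token's scopes. The signing key, the user store, the scope-to-attribute mapping, and the choice to answer 401 when the two claims are absent are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HMAC key for this example only. A real access token manager
# uses its own configured signing key, typically an asymmetric one.
SIGNING_KEY = b"example-userinfo-demo-key-not-for-production"

# Constructed user store keyed by subject identifier.
USERS = {
    "joe": {
        "email": "auser@example.com",
        "email_verified": True,
        "phone_number": "(555) 555-5555",
        "phone_number_verified": True,
        "name": "Joe User",
    },
}

# Constructed scope-to-attribute mapping; 'sub' is always returned.
SCOPE_ATTRIBUTES = {
    "email": ("email", "email_verified"),
    "phone": ("phone_number", "phone_number_verified"),
    "profile": ("name",),
}

# Claim names matching the defaults of the Client ID Claim Name and
# Scope Claim Name fields described above.
CLIENT_ID_CLAIM = "client_id"
SCOPE_CLAIM = "scope"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims):
    """Issue an HS256-signed self-contained token carrying the given claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token, now=None):
    """Return the claims of a well-formed, correctly signed, unexpired token, else None."""
    if now is None:
        now = time.time()
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject alg=none and algorithm swaps
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed structure, base64, or JSON counts as invalid
    return claims


def handle_userinfo(bearer, now=None):
    """Answer a UserInfo request as (HTTP status, JSON body)."""
    claims = validate_token(bearer, now)
    if claims is None:
        return 401, {"error": "invalid_token"}
    # Without the client ID and scope claims the endpoint cannot tell which
    # client policy and which authorized scopes apply; this example treats
    # such a token as unusable and answers 401 (an assumption, not product behaviour).
    if CLIENT_ID_CLAIM not in claims or SCOPE_CLAIM not in claims:
        return 401, {"error": "invalid_token"}
    user = USERS.get(claims.get("sub"))
    if user is None:
        return 401, {"error": "invalid_token"}
    scopes = claims[SCOPE_CLAIM]
    if isinstance(scopes, str):  # space-delimited string or a JSON list
        scopes = scopes.split()
    body = {"sub": claims["sub"]}
    for scope in scopes:
        for attr in SCOPE_ATTRIBUTES.get(scope, ()):
            body[attr] = user[attr]
    return 200, body


if __name__ == "__main__":
    exp = int(time.time()) + 300
    good = mint_token({"sub": "joe", CLIENT_ID_CLAIM: "ac_client",
                       SCOPE_CLAIM: "openid email phone", "exp": exp})
    print(handle_userinfo(good))
    # A token minted without the scope claim is rejected.
    print(handle_userinfo(mint_token({"sub": "joe", "exp": exp})))
```

Running the script prints a 200 response carrying sub, email, and phone attributes for the first token and a 401 for the second. Swapping the scope string to "openid" alone returns only sub, which is the behaviour the text describes when authorized scopes limit the attributes returned.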