OpenID Connect UserInfo Endpoint

1. Retrieving Details About Logged-In User

The UserInfo endpoint is an OAuth 2.0 protected resource of the cidaas server from which client applications retrieve the consented claims (assertions) about the logged-in end-user. The claims are packaged in a JSON object whose sub member is the subject (end-user) identifier. Clients may alternatively be registered to receive the claims as a JWT. A sample JSON response follows; the standard claims are documented under Representations below, while members such as _id, className, raw_json, identities and customFields are cidaas-specific rather than OpenID Connect standard claims:

{
    "_id": "92b5d56e-2ad1-425d-89ec-8d4b562dfd77",
    "updatedTime": "2018-05-04T12:17:34.115Z",
    "createdTime": "2018-05-04T12:17:09.532Z",
    "className": "de.cidaas.core.db.EnternalSocialIdentity",
    "raw_json": "{\"sub\":\"111637156632177999180\",\"name\":\"George orwell\",\"given_name\":\"George\",\"family_name\":\"orwell\",\"picture\":\"https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg\",\"email\":\"georgeorwells17@gmail.com\",\"email_verified\":true,\"locale\":\"en\"}",
    "providerUserId": "111637156632177999180",
    "zoneinfo": "",
    "website": "",
    "profile": "",
    "picture": "https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg",
    "phone_number_verified": false,
    "phone_number": "",
    "mobile_number_verified": false,
    "mobile_number_obj": {
        "updatedTime": "2018-05-04T12:17:34.114Z",
        "createdTime": "2018-05-04T12:17:09.532Z",
        "className": "de.cidaas.core.db.MobileEntity",
        "_id": "7da7855a-406d-4762-8156-150d50a6ba67",
        "carrier_name": "Bharti Airtel Ltd",
        "carrier_type": "mobile",
        "country": "IN",
        "dail_code": "91",
        "E164_format": "+919655163637",
        "given_phone": "+919655163637",
        "international_format": "+91 96551 63637",
        "national_format": "096551 63637",
        "phone": "9655163637"
    },
    "mobile_number": "+919655163637",
    "nickname": "George",
    "middle_name": "",
    "locale": "en",
    "given_name": "George",
    "gender": "",
    "family_name": "orwell",
    "email_verified": true,
    "email": "georgeorwells17@gmail.com",
    "birthdate": "1991-03-20",
    "provider": "google",
    "sub": "b2c9704a-c2f8-47ac-ad65-6ee3f4b0e683",
    "__v": 0,
    "roles": [
        "USER"
    ],
    "name": "George orwell",
    "preferred_username": "georgeorwells17@gmail.com",
    "updated_at": 1525436254,
    "identities": [
        {
            "provider": "google",
            "identityId": "92b5d56e-2ad1-425d-89ec-8d4b562dfd77",
            "providerUserId": "111637156632177999180",
            "email": "georgeorwells17@gmail.com",
            "phone_number": "",
            "mobile_number": "+919655163637",
            "rawJson": "{\"sub\":\"111637156632177999180\",\"name\":\"George orwell\",\"given_name\":\"George\",\"family_name\":\"orwell\",\"picture\":\"https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg\",\"email\":\"georgeorwells17@gmail.com\",\"email_verified\":true,\"locale\":\"en\"}"
        }
    ],
    "customFields": {
        "gender": "Male"
    }
}

The UserInfo URL is published as userinfo_endpoint in the server's discovery document and looks like this:

UserInfo URL: https://[your_cidaas_domain_url]/users-srv/userinfo

Clients must present a valid bearer access token to retrieve the UserInfo claims. Only the claims covered by the scopes granted to that token are returned.

The UserInfo endpoint is specified in OpenID Connect Core 1.0, section 5.3; the checks a client must apply to the response, in particular that the returned sub matches the sub of the ID token, are in section 5.3.2.
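As an added, runnable illustration of the flow described above (not code from cidaas or from this page), the following Python resolves the endpoint from a discovery document, presents the bearer token, and applies the check OpenID Connect Core 1.0 section 5.3.2 requires before the claims are used: the returned sub must equal the sub of the ID token the client already validated. The discovery document, the stand-in server and the abbreviated claims body are constructed from this page's examples; the tenant host and the ID-token sub are assumptions.

```python
"""Resolve the UserInfo endpoint, call it with a bearer token, validate the JSON answer.

Added example, not cidaas code. The transport is injectable so the block runs
offline against the constructed stand-in server below; DISCOVERY, ID_TOKEN_SUB and
the abbreviated USERINFO_BODY are built from values on this page and are assumptions.
"""
import json
import urllib.error
import urllib.request


class UserInfoError(Exception):
    """Non-200 answer from the endpoint; keeps the status and the decoded body."""
    def __init__(self, status, body):
        super().__init__(f"userinfo returned {status}: {body!r}")
        self.status, self.body = status, body


def http_get(url, headers):
    """Real transport: returns (status, headers, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def fetch_userinfo(discovery, access_token, expected_sub, transport=http_get):
    """Return the claims, or raise if the server or the sub check says no."""
    url = discovery["userinfo_endpoint"]              # published by the discovery endpoint
    if not url.startswith("https://"):                # a bearer token is a credential: TLS only
        raise ValueError("refusing to send a bearer token over a non-TLS URL")
    status, headers, body = transport(
        url, {"Authorization": f"Bearer {access_token}", "Accept": "application/json"})
    if status != 200:
        try:
            detail = json.loads(body)                 # cidaas returns {"error": ..., "refnumber": ...}
        except ValueError:
            detail = body.decode(errors="replace")
        raise UserInfoError(status, detail)
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":                   # a JWT body needs signature checks first
        raise ValueError(f"unexpected Content-Type {ctype!r}")
    claims = json.loads(body)
    # OpenID Connect Core 1.0, section 5.3.2: the sub returned here must equal the sub of
    # the ID token the client already validated; otherwise the claims must not be used.
    if claims.get("sub") != expected_sub:
        raise ValueError("UserInfo sub does not match the ID token sub")
    return claims


# ---- constructed stand-in for the cidaas server (offline demo) ----
DISCOVERY = {"issuer": "https://sampleeshop.cidaas.de",
             "userinfo_endpoint": "https://sampleeshop.cidaas.de/users-srv/userinfo"}
VALID_TOKEN = "Gp7b5hiURKpWzEXgMJP38EnYimgxlBC1PpS2zGXUqe"    # token from the request example
ID_TOKEN_SUB = "b2c9704a-c2f8-47ac-ad65-6ee3f4b0e683"         # sub from the sample response
USERINFO_BODY = {"sub": ID_TOKEN_SUB, "email": "georgeorwells17@gmail.com", "email_verified": True,
                 "name": "George orwell", "roles": ["USER"], "updated_at": 1525436254}


def fake_transport(url, headers):
    """Answers like the page's examples: 200 with claims, or 401 with the error body."""
    if headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
        body = {"error": "Access denied for this resource", "refnumber": 1525438652048}
        return 401, {"WWW-Authenticate": "Bearer"}, json.dumps(body).encode()
    return 200, {"Content-Type": "application/json"}, json.dumps(USERINFO_BODY).encode()


if __name__ == "__main__":
    print(fetch_userinfo(DISCOVERY, VALID_TOKEN, ID_TOKEN_SUB, fake_transport)["email"])
```

Swap fake_transport for the default http_get to run it against a real tenant; the sub check stays mandatory either way, because a UserInfo body that names a different subject than the ID token must be discarded, not merged into the session.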

2. Web API Overview

Resources
  • /users-srv/userinfo [GET]
  • /users-srv/userinfo [POST]

Representations
  • Claims

Errors
  • 401 Unauthorized
  • 500 Internal Server Error

3. Resources

3.1 /users-srv/userinfo

3.1.1 GET

Retrieves the consented UserInfo and other claims about the logged-in subject (end-user).

Header Parameters:

  • Authorization The Bearer access token, scoped to retrieve the consented claims for the subject (end-user).

Success:

  • Code: 200
  • Content-Type: application/json or application/x-www-form-urlencoded
  • Body: {object|jwt} The consented claims, packaged in a JSON object or a JSON Web Token (JWT), depending on the registered client setting. A JWT response must have its signature verified and its iss and aud claims checked before any claim in it is used.

Errors:

  • 401 Unauthorized
  • 500 Internal Server Error

Example: request to get the claims for a logged-in user:

GET /users-srv/userinfo HTTP/1.1
Host: sampleeshop.cidaas.de
Authorization: Bearer Gp7b5hiURKpWzEXgMJP38EnYimgxlBC1PpS2zGXUqe

Example: response returning the consented claims as a JSON object:

HTTP/1.1 200 OK
Content-Type: application/json

{
    "_id": "92b5d56e-2ad1-425d-89ec-8d4b562dfd77",
    "updatedTime": "2018-05-04T12:17:34.115Z",
    "createdTime": "2018-05-04T12:17:09.532Z",
    "className": "de.cidaas.core.db.EnternalSocialIdentity",
    "raw_json": "{\"sub\":\"111637156632177999180\",\"name\":\"George orwell\",\"given_name\":\"George\",\"family_name\":\"orwell\",\"picture\":\"https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg\",\"email\":\"georgeorwells17@gmail.com\",\"email_verified\":true,\"locale\":\"en\"}",
    "providerUserId": "111637156632177999180",
    "zoneinfo": "",
    "website": "",
    "profile": "",
    "picture": "https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg",
    "phone_number_verified": false,
    "phone_number": "",
    "mobile_number_verified": false,
    "mobile_number_obj": {
        "updatedTime": "2018-05-04T12:17:34.114Z",
        "createdTime": "2018-05-04T12:17:09.532Z",
        "className": "de.cidaas.core.db.MobileEntity",
        "_id": "7da7855a-406d-4762-8156-150d50a6ba67",
        "carrier_name": "Bharti Airtel Ltd",
        "carrier_type": "mobile",
        "country": "IN",
        "dail_code": "91",
        "E164_format": "+919655163637",
        "given_phone": "+919655163637",
        "international_format": "+91 96551 63637",
        "national_format": "096551 63637",
        "phone": "9655163637"
    },
    "mobile_number": "+919655163637",
    "nickname": "George",
    "middle_name": "",
    "locale": "en",
    "given_name": "George",
    "gender": "",
    "family_name": "orwell",
    "email_verified": true,
    "email": "georgeorwells17@gmail.com",
    "birthdate": "1991-03-20",
    "provider": "google",
    "sub": "b2c9704a-c2f8-47ac-ad65-6ee3f4b0e683",
    "__v": 0,
    "roles": [
        "USER"
    ],
    "name": "George orwell",
    "preferred_username": "georgeorwells17@gmail.com",
    "updated_at": 1525436254,
    "identities": [
        {
            "provider": "google",
            "identityId": "92b5d56e-2ad1-425d-89ec-8d4b562dfd77",
            "providerUserId": "111637156632177999180",
            "email": "georgeorwells17@gmail.com",
            "phone_number": "",
            "mobile_number": "+919655163637",
            "rawJson": "{\"sub\":\"111637156632177999180\",\"name\":\"George orwell\",\"given_name\":\"George\",\"family_name\":\"orwell\",\"picture\":\"https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg\",\"email\":\"georgeorwells17@gmail.com\",\"email_verified\":true,\"locale\":\"en\"}"
        }
    ],
    "customFields": {
        "gender": "Male"
    }
}

Example response returning the consented claims as a signed JWT. Verify the signature with the server's public RSA key, selected by the kid in the JWT header from the key set the discovery document publishes at jwks_uri, then check iss, aud and sub before using the payload. The header of this sample token is {"alg":"RS256","kid":"1"}; its iss (http://localhost:8080/c2id) and aud (000123) are placeholder values, and a real response carries your tenant's issuer and your client id:

HTTP/1.1 200 OK
Content-Type: application/json

eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzdWIiOiJhbGljZSIsImVtYWlsIjoiYWxpY2VAd29uZGVybGFuZC5uZXQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6IkFsaWNlIEFkYW1zIiwiYXVkIjoiMDAwMTIzIiwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL2MyaWQiLCJmYW1pbHlfbmFtZSI6IkFkYW1zIiwiaWF0IjoxNDEzOTg1NDAyLCJncm91cHMiOlsiYWRtaW4iLCJhdWRpdCJdfQ.FJv9UnxvQxYvlc2F_v657SIyZkjQ382Bc108O-UFh3cvkjxiO5P2sJyvcqfuGrlzgvU7gCKzTIqqrV74EcHwGb_xyBUPOKuIJGaDKirBdnPbIXMDGpSqmBQes4tc6L8pkhZfRENIlmkP-KphI3wPd4jtko2HXAdDFVjzK-FPic
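The verification steps just described, as an added Python example that is not cidaas code and not taken from this page: decode the compact JWS, refuse any algorithm other than the one the client expects, pick the RSA key by kid from a JWKS, check the RS256 signature, then check iss, aud and sub. No public key is published for the sample token above, so the block only decodes it; signature checking is demonstrated with a key pair, JWKS, issuer and client id constructed inside the block. The RSASSA-PKCS1-v1_5 arithmetic is written out on the RSA integers so the example runs with the standard library alone; production code should use a maintained JOSE library.

```python
"""Verify a UserInfo response delivered as a signed JWT (RS256).

Added example, not cidaas code. RSASSA-PKCS1-v1_5/SHA-256 is implemented on the raw
RSA integers so the block runs on the standard library alone; use a maintained JOSE
library in production. The key pair, JWKS, ISSUER and CLIENT_ID are constructed here.
SAMPLE_TOKEN is the token shown above; without its key it can only be decoded.
"""
import base64, hashlib, json, secrets

SAMPLE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzdWIiOiJhbGljZSIsImVtYWlsIjoiYWxpY2VAd29uZGVybGFuZC5uZXQiLCJlbWFpbF92ZXJp"
    "ZmllZCI6dHJ1ZSwibmFtZSI6IkFsaWNlIEFkYW1zIiwiYXVkIjoiMDAwMTIzIiwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL2MyaWQi"
    "LCJmYW1pbHlfbmFtZSI6IkFkYW1zIiwiaWF0IjoxNDEzOTg1NDAyLCJncm91cHMiOlsiYWRtaW4iLCJhdWRpdCJdfQ.FJv9UnxvQxYvlc2F_v657S"
    "IyZkjQ382Bc108O-UFh3cvkjxiO5P2sJyvcqfuGrlzgvU7gCKzTIqqrV74EcHwGb_xyBUPOKuIJGaDKirBdnPbIXMDGpSqmBQes4tc6L8pkhZfR"
    "ENIlmkP-KphI3wPd4jtko2HXAdDFVjzK-FPic")
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 section 9.2


def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64int(s): return int.from_bytes(b64url_decode(s), "big")


def split_jwt(token):
    """Decode header and payload without trusting them; the signature stays encoded."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), f"{h}.{p}".encode(), s


def _emsa_pkcs1_v15_sha256(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus, as an int."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_verify(jwk, signing_input, sig_b64):
    n, e = _b64int(jwk["n"]), _b64int(jwk["e"])
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(sig_b64)
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15_sha256(signing_input, k)


def verify_userinfo_jwt(token, jwks, issuer, client_id, expected_sub):
    """Return the claims only if alg, signature, iss, aud and sub all check out."""
    header, claims, signing_input, sig_b64 = split_jwt(token)
    if header.get("alg") != "RS256":            # the client fixes the algorithm, never the token
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    keys = [k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if len(keys) != 1 or not rs256_verify(keys[0], signing_input, sig_b64):
        raise ValueError("signature verification failed")
    if claims.get("iss") != issuer:             # OIDC Core 5.3.2: a signed response carries iss and aud
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("sub") != expected_sub:       # must equal the sub of the validated ID token
        raise ValueError("sub does not match the ID token")
    return claims


# ---- constructed signer standing in for the cidaas server (demo only) ----
def _is_probable_prime(n, rounds=40):           # Miller-Rabin; n is odd and > 3 here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if c % 65537 != 1 and _is_probable_prime(c):   # keeps e = 65537 invertible mod (p-1)(q-1)
            return c


def make_demo_key(kid="demo-1", bits=1024):
    """Return (public JWK, private exponent d) for a fresh RSA key."""
    p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
    n = p * q
    jwk = {"kty": "RSA", "kid": kid, "e": b64url_encode(b"\x01\x00\x01"),
           "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))}
    return jwk, pow(65537, -1, (p - 1) * (q - 1))


def rs256_sign(jwk, d, claims):
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': 'RS256', 'kid': jwk['kid']})}.{enc(claims)}"
    n = _b64int(jwk["n"])
    k = (n.bit_length() + 7) // 8
    s = pow(_emsa_pkcs1_v15_sha256(signing_input.encode(), k), d, n)
    return f"{signing_input}.{b64url_encode(s.to_bytes(k, 'big'))}"


ISSUER, CLIENT_ID = "https://sampleeshop.cidaas.de", "eshop-client"   # assumed values
JWK, PRIVATE_D = make_demo_key()
JWKS = {"keys": [JWK]}                                                 # what jwks_uri would serve
CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "b2c9704a-c2f8-47ac-ad65-6ee3f4b0e683",
          "email": "georgeorwells17@gmail.com", "email_verified": True, "roles": ["USER"]}
TOKEN = rs256_sign(JWK, PRIVATE_D, CLAIMS)
```

The order matters: the algorithm is pinned before any key is looked up, so a token whose header says alg none or HS256 is rejected without ever touching key material, and the signature is checked before iss, aud or sub are read, so those claims are only compared once they are known to come from the server.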

3.1.2 POST

Retrieves the consented UserInfo and other claims about the logged-in subject (end-user).

Header Parameters:

  • Authorization The Bearer access token, scoped to retrieve the consented claims for the subject (end-user).

Success:

  • Code: 200
  • Content-Type: application/json or application/x-www-form-urlencoded
  • Body: {object|jwt} The consented claims, packaged in a JSON object or a JSON Web Token (JWT), depending on the registered client setting. A JWT response must have its signature verified and its iss and aud claims checked before any claim in it is used.

Errors:

  • 401 Unauthorized
  • 500 Internal Server Error

4. Representations

4.1 Claims

OpenID Connect specifies a set of standard claims about the end-user, which encompass typical information such as name, contact details, date of birth and locale.

The cidaas server can be set up to provide additional custom claims, such as roles and permissions.

The claims are packed as members in a JSON object, and may be nested.

Standard OpenID Connect claims (plus the cidaas-specific mobile_number):

  • sub {string} The subject (end-user) identifier. This member is always present in a claims set.
  • [ name ] {string} The full name of the end-user, with optional language tag.
  • [ given_name ] {string} The given or first name of the end-user, with optional language tag.
  • [ family_name ] {string} The surname(s) or last name(s) of the end-user, with optional language tag.
  • [ middle_name ] {string} The middle name of the end-user, with optional language tag.
  • [ nickname ] {string} The casual name of the end-user, with optional language tag.
  • [ preferred_username ] {string} The username by which the end-user wants to be referred to at the client application.
  • [ profile ] {string} The URL of the profile page for the end-user, with optional language tag.
  • [ picture ] {string} The URL of the profile picture for the end-user.
  • [ website ] {string} The URL of the end-user's web page or blog.
  • [ email ] {string} The end-user's preferred email address.
  • [ email_verified ] {boolean} true only if the server has verified that the end-user controls the email address; an email without email_verified true should not be used to link accounts.
  • [ gender ] {"male"|"female"|other} The end-user's gender; values other than male and female may be used when neither applies.
  • [ birthdate ] {string} The end-user's birthday, represented in ISO 8601:2004 YYYY-MM-DD format. The year may be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed.
  • [ zoneinfo ] {string} The end-user's time zone, e.g. Europe/Paris or America/Los_Angeles.
  • [ locale ] {string} The end-user's locale, represented as a BCP 47 language tag. This is typically an ISO 639-1 Alpha-2 language code in lowercase and an ISO 3166-1 Alpha-2 country code in uppercase, separated by a dash. For example, en-US or fr-CA.
  • [ phone_number ] {string} The end-user's preferred telephone number, in E.164 format.
  • [ phone_number_verified ] {boolean} true only if the server has verified that the end-user controls the phone number.
  • [ mobile_number ] {string} cidaas-specific (not an OpenID Connect standard claim): the end-user's preferred mobile number in E.164 format, which has no spaces, for example +919543435147.
  • [ updated_at ] {number} Time the end-user's information was last updated, as the number of seconds since the Unix epoch (1970-01-01T00:00:00Z) in UTC.
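An added example, not cidaas code: a checker that enforces the formats the list above describes before claims reach application logic. It parses birthdate in all three permitted shapes (YYYY-MM-DD, a 0000 year meaning omitted, and a bare YYYY), requires E.164 for mobile_number, a BCP 47 shape for locale, integer seconds for updated_at, and flags an email that is not accompanied by email_verified true. SAMPLE_CLAIMS is constructed from the sample response on this page.

```python
"""Sanity-check standard claims against the formats the claims list describes.

Added example, not cidaas code. SAMPLE_CLAIMS is constructed from this page's
sample response; the regular expressions encode the formats named in the list.
"""
import re
from datetime import date

_BIRTHDATE = re.compile(r"^(?P<y>\d{4})(?:-(?P<m>\d{2})-(?P<d>\d{2}))?$")
_E164 = re.compile(r"^\+[1-9]\d{1,14}$")                   # "+" and up to 15 digits, no spaces
_BCP47 = re.compile(r"^[A-Za-z]{2,3}(?:-(?:[A-Za-z]{2}|\d{3}))?$")  # language[-REGION], e.g. en, en-US


def parse_birthdate(value):
    """Return (year, month, day); year is None for 0000, month/day are None for bare YYYY."""
    m = _BIRTHDATE.match(value or "")
    if not m:
        raise ValueError(f"bad birthdate {value!r}")
    year = int(m["y"]) or None
    if m["m"] is None:
        return year, None, None
    month, day = int(m["m"]), int(m["d"])
    date(2000 if year is None else year, month, day)       # 2000 is a leap year, so 0000-02-29 is accepted
    return year, month, day


def check_claims(claims):
    """Return a list of problems; an empty list means the checked claims are well-formed."""
    problems = []
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        problems.append("sub missing")
    if claims.get("birthdate"):
        try:
            parse_birthdate(claims["birthdate"])
        except ValueError as err:
            problems.append(str(err))
    if claims.get("mobile_number") and not _E164.match(claims["mobile_number"]):
        problems.append("mobile_number is not E.164")
    if claims.get("locale") and not _BCP47.match(claims["locale"]):
        problems.append("locale is not a BCP 47 tag")
    ts = claims.get("updated_at")
    if ts is not None and (isinstance(ts, bool) or not isinstance(ts, int)):
        problems.append("updated_at must be integer seconds since the epoch")
    if claims.get("email") and claims.get("email_verified") is not True:
        problems.append("email present but email_verified is not true")
    return problems


SAMPLE_CLAIMS = {"sub": "b2c9704a-c2f8-47ac-ad65-6ee3f4b0e683", "birthdate": "1991-03-20",
                 "mobile_number": "+919655163637", "locale": "en", "updated_at": 1525436254,
                 "email": "georgeorwells17@gmail.com", "email_verified": True}

if __name__ == "__main__":
    print(check_claims(SAMPLE_CLAIMS))
```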

5. Errors

401 Unauthorized

The request was denied because the Bearer access token is missing or invalid (for example expired or revoked). Also returned when the client the token was issued to does not exist on the server.

Example:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer

{
    "error": "Access denied for this resource",
    "refnumber": 1525438652048
}

500 Internal Server Error

An internal server error has occurred. Check the cidaas server logs for details.

Example:

HTTP/1.1 500 Internal Server Error


