Issue UserInfo Response - Authlete Documentation

Full description

This API is supposed to be called from within the implementation of the userinfo endpoint of the authorization server in order to generate an ID token. Before calling this API, a valid response from /auth/userinfo API must be obtained. Then, call this API with the access token contained in the response and the claims values of the user (subject) associated with the access token. See OK written in the description of /auth/userinfo API for details. The response from /auth/userinfo/issue API has various parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete. In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of “500 Internal Server Error”. The parameter responseContent returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of responseContent as the value ofWWW-Authenticate header. The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

HTTP/1.1 500 Internal Server Error
WWW-Authenticate: &#123;responseContent&#125;
Cache-Control: no-store
Pragma: no-cache

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the request from the client application does not contain an access token (= the request from the authorization server implementation to Authlete does not contain token parameter). The parameter responseContent returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of responseContent as the value ofWWW-Authenticate header. The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

HTTP/1.1 400 Bad Request
WWW-Authenticate: &#123;responseContent&#125;
Cache-Control: no-store
Pragma: no-cache

UNAUTHORIZED

When the value of action is UNAUTHORIZED, it means that the access token does not exist, has expired, or is not associated with any subject (= any user account). The parameter responseContent returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of responseContent as the value ofWWW-Authenticate header. The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

HTTP/1.1 401 Unauthorized
WWW-Authenticate: &#123;responseContent&#125;
Cache-Control: no-store
Pragma: no-cache

FORBIDDEN

When the value of action is FORBIDDEN, it means that the access token does not include the openid scope. The parameter responseContent returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of responseContent as the value ofWWW-Authenticate header. The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

HTTP/1.1 403 Forbidden
WWW-Authenticate: &#123;responseContent&#125;
Cache-Control: no-store
Pragma: no-cache

JSON

When the value of action is JSON, it means that the access token which the client application presented is valid and an ID token was successfully generated in the format of JSON. The userinfo endpoint implementation is expected to generate a response to the client application. The content type of the response must be application/json and the response body must be an ID token in JSON format. The value of responseContent is the ID token in JSON format when action is JSON, so a response to the client can be built like below.

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
&#123;responseContent&#125;

JWT

When the value of action is JWT, it means that the access token which the client application presented is valid and an ID token was successfully generated in the format of JWT (JSON Web Token) (RFC 7519). The userinfo endpoint implementation is expected to generate a response to the client application. The content type of the response must be application/jwt and the response body must be an ID token in JWT format. The value of responseContent is the ID token in JSON format when action is JWT, so a response to the client can be built like below.

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/jwt
&#123;responseContent&#125;

Authorizations

Authorization

string

header

required

Authenticate every request with a Service Access Token or Organization Token. Set the token value in the Authorization: Bearer <token> header.

Service Access Token: Scoped to a single service. Use when automating service-level configuration or runtime flows.

Organization Token: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.

Both token types are issued by the Authlete console or provisioning APIs.

Path Parameters

serviceId

string

required

A service ID.

Body

token

string

required

The access token that has been passed to the userinfo endpoint by the client application. In other words, the access token which was contained in the userinfo request.

claims

string

Claims in JSON format. As for the format, see OpenID Connect Core 1.0, 5.1. Standard Claims.

sub

string

The value of the sub claim. If the value of this request parameter is not empty, it is used as the value of the sub claim. Otherwise, the value of the subject associated with the access token is used.

claimsForTx

string

Claim key-value pairs that are used to compute transformed claims.

requestSignature

string

The Signature header value from the request.

headers

object[]

HTTP headers to be included in processing the signature. If this is a signed request, this must include the Signature and Signature-Input headers, as well as any additional headers covered by the signature.

Show child attributes

verifiedClaimsForTx

string[]

Values of verified claims requested indirectly by "transformed claims".

Response

User info issued successfully

resultCode

string

The code which represents the result of the API call.

resultMessage

string

A short message which explains the result of the API call.

action

enum<string>

The next action that the authorization server implementation should take.

Available options:

INTERNAL_SERVER_ERROR,

BAD_REQUEST,

UNAUTHORIZED,

FORBIDDEN,

JSON,

JWT

responseContent

string

The content that the authorization server implementation can use as the value of WWW-Authenticate header on errors.

signature

string

The signature header of the response message.

signatureInput

string

The signature-input header of the response message

contentDigest

string

The content-digest header of the response message

Authlete

​INTERNAL_SERVER_ERROR

​BAD_REQUEST

​UNAUTHORIZED

​FORBIDDEN

​JSON

​JWT

Authorizations

Path Parameters

Body

Response

INTERNAL_SERVER_ERROR

BAD_REQUEST

UNAUTHORIZED

FORBIDDEN

JSON

JWT