Process UserInfo Request
This API gathers information about a user.
Description
This API is supposed to be called from within the implementation of the userinfo endpoint
of the authorization server in order to get information about the user that is associated with
an access token.
The response from /auth/userinfo API has various parameters. Among them, it is action parameter
that the authorization server implementation should check first because it denotes the next action
that the authorization server implementation should take. According to the value of action, the
service implementation must take the steps described below.
INTERNAL_SERVER_ERROR
When the value of action is INTERNAL\_SERVER\_ERROR, it means that the request from the authorization
server implementation was wrong or that an error occurred in Authlete. In either case, from the
viewpoint of the client application, it is an error on the server side. Therefore, the service
implementation should generate a response to the client application with HTTP status of “500 Internal
Server Error”.
The value of responseContent is a string which describes the error in the format of RFC 6750
(OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of responseContent
as the value ofWWW-Authenticate header.
The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo
Response for details.
HTTP/1.1 500 Internal Server Error
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache
BAD_REQUEST
When the value of action is BAD\_REQUEST, it means that the request from the client application
does not contain an access token (= the request from the authorization server implementation to
Authlete does not contain token parameter).
The value of responseContent is a string which describes the error in the format
of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the
userinfo endpoint implementation can use the value of responseContent as the value ofWWW-Authenticate
header.
The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo
Response for details.
HTTP/1.1 400 Bad Request
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache
UNAUTHORIZED
When the value of action is UNAUTHORIZED, it means that the access token does not exist, has
expired, or is not associated with any subject (= any user account).
The value of responseContent is a string which describes the error in the format of RFC
6750 (OAuth 2.0 Bearer Token Usage) so the userinfo
endpoint implementation can use the value of responseContent as the value ofWWW-Authenticate
header.
The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo
Response for details.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache
FORBIDDEN
When the value of action is FORBIDDEN, it means that the access token does not include the
openid scope.
The value of responseContent is a string which describes the error in the format of RFC 6750
(OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of responseContent
as the value ofWWW-Authenticate header.
The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo
Response for details.
HTTP/1.1 403 Forbidden
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache
OK
When the value of action is OK, it means that the access token which the client application
presented is valid. To be concrete, it means that the access token exists, has not expired, includes
the openid scope, and is associated with a subject (= a user account).
What the userinfo endpoint implementation should do next is to collect information about the subject
(user) from your database. The value of the subject is contained in the subject parameter in the
response from this API and the names of data, i.e., the claims names are contained in the claims
parameter in the response. For example, if the subject parameter is joe123 and the claims
parameter is [ "given\_name", "email" ], you need to extract information about joe123’s given name
and email from your database.
Then, call Authlete’s /auth/userinfo/issue API with the collected information and the access token
in order to make Authlete generate an ID token.
If an error occurred during the above steps, generate an error response to the client. The response
should comply with RFC 6750. For example, if the
subject associated with the access token does not exist in your database any longer, you may feel
like generating a response like below.
HTTP/1.1 400 Bad Request
WWW-Authenticate: Bearer error="invalid\_token",
error\_description="The subject associated with the access token does not exist."
Cache-Control: no-store
Pragma: no-cache
Also, an error might occur on database access. If you treat the error as an internal server error, then the response would be like the following.
HTTP/1.1 500 Internal Server Error
WWW-Authenticate: Bearer error="server\_error",
error\_description="Failed to extract information about the subject from the database."
Cache-Control: no-store
Pragma: no-cache
Authorizations
Click the Get Token button below to log in with your Authlete account and retrieve an access token for API access.
Path Parameters
A service ID.
Body
An access token.
Client certificate used in the TLS connection established between the client application and the userinfo endpoint.
The value of this request parameter is referred to when the access token given to the userinfo endpoint was bound to a client certificate when it was issued. See [OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens] (https://datatracker.ietf.org/doc/rfc8705/) for details about the specification of certificate-bound access tokens.
DPoP header presented by the client during the request to the user info endpoint.
The header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT. See OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) for details.
HTTP method of the user info request. This field is used to validate the DPoP header.
In normal cases, the value is either GET or POST.
URL of the user info endpoint. This field is used to validate the DPoP header.
If this parameter is omitted, the userInfoEndpoint property of the service is used as the default value.
See OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)
for details.
The full URL of the userinfo endpoint.
The HTTP message body of the request, if present.
HTTP headers to be included in processing the signature. If this is a signed request, this must include the Signature and Signature-Input headers, as well as any additional headers covered by the signature.
The target URI of the userinfo request, including the query part, if any.
This parameter is used as the value of the @target-uri derived component for HTTP message signatures
(RFC 9421 HTTP Message Signatures, Section 2.2.2. Target URI).
Additionally, other derived components such as @authority, @scheme, @path, @query and
@query-param are computed from this parameter.
When this parameter is omitted, the value of the htu parameter is used. The htu parameter
represents the URL of the userinfo endpoint, which usually serves as the target URI of the userinfo request.
The only exception is when the access token is specified as a query parameter, as defined in
RFC 6750 Section 2.3. However, RFC 6750
states that this method "SHOULD NOT be used" unless other methods are not viable.
If neither this targetUri parameter nor the htu parameter is specified, the userInfoEndpoint
property of the service is used as a fallback.
The flag indicating whether to check if the DPoP proof JWT includes the expected nonce value.
If this request parameter is set to true or if the service's dpopNonceRequired property is
set to true, the /auth/userinfo API checks if the DPoP proof JWT includes the expected nonce
value. In this case, the response from the /auth/userinfo API will include the dpopNonce response
parameter, which should be used as the value of the DPoP-Nonce HTTP header.
The flag indicating whether the userinfo request contains a request body.
When the userinfo request must comply with the HTTP message signing requirements defined in the
FAPI 2.0 Message Signing specification, the "content-digest" component identifier must be included
in the signature base of the HTTP message signature (see RFC 9421 HTTP Message Signatures)
if the userinfo request contains a request body.
When this requestBodyContained parameter is set to true, Authlete checks whether "content-digest"
is included in the signature base, if the FAPI profile applies to the userinfo request.
NOTE: The FAPI 2.0 Message Signing specification is not applied to the userinfo endpoint until its necessity is agreed upon by the industry (cf. FAPI Issue 723).
Response
The code which represents the result of the API call.
A short message which explains the result of the API call.
The next action that the authorization server implementation should take.
INTERNAL_SERVER_ERROR, INVALID_CLIENT, BAD_REQUEST, PASSWORD, OK, TOKEN_EXCHANGE, JWT_BEARER The content that the authorization server implementation is to return to the client application.
Its format varies depending on the value of action parameter.
The value of username request parameter in the token request.
The client application must specify username when it uses Resource Owner Password Grant.
In other words, when the value of grant_type request parameter is password, username request parameter must come along.
This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.
The value of password request parameter in the token request.
The client application must specify password when it uses Resource Owner Password Grant.
In other words, when the value of grant_type request parameter is password, password request parameter must come along.
This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.
The ticket which is necessary to call Authlete's /auth/token/fail API or /auth/token/issue API.
This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.
The newly issued access token.
The datetime at which the newly issued access token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).
The duration of the newly issued access token in seconds.
The newly issued refresh token.
The datetime at which the newly issued refresh token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).
The duration of the newly issued refresh token in seconds.
The newly issued ID token. Note that an ID token is issued from a token endpoint only when the response_type request parameter
of the authorization request to an authorization endpoint has contained code and the scope request parameter has contained openid.
The grant type of the token request.
The client ID.
The client ID alias when the token request was made. If the client did not have an alias, this parameter is null.
Also, if the token request was invalid and it failed to identify a client, this parameter is null.
The flag which indicates whether the client ID alias was used when the token request was made.
true if the client ID alias was used when the token request was made.
The subject (= resource owner's ID) of the access token.
Even if an access token has been issued by the call of /api/auth/token API, this parameter is null if the flow of the token request was
Client Credentials Flow (grant_type=client_credentials) because it means the access token
is not associated with any specific end-user.
The scopes covered by the access token.
The extra properties associated with the access token.
This parameter is null when no extra property is associated with the issued access token.
The newly issued access token in JWT format. If the authorization server is configured
to issue JWT-based access tokens (= if the service's accessTokenSignAlg value is a
non-null value), a JWT-based access token is issued along with the original random-string
one.
The resources specified by the resource request parameters in the token request.
See "Resource Indicators for OAuth 2.0" for details.
The target resources of the access token being issued. See "Resource Indicators for OAuth 2.0" for details.
The authorization details. This represents the value of the authorization_details
request parameter in the preceding device authorization request which is defined in
"OAuth 2.0 Rich Authorization Requests".
The attributes of this service that the client application belongs to.
The attributes of the client.
The client authentication method that was performed at the token endpoint.
the value of the grant_id request parameter of the device authorization request.
The grant_id request parameter is defined in
Grant Management for OAuth 2.0
, which is supported by Authlete 2.3 and newer versions.
The audiences on the token exchange request
The grant type of the access token when the access token was created.
urn:ietf:params:oauth:token-type:jwt, urn:ietf:params:oauth:token-type:access_token, urn:ietf:params:oauth:token-type:refresh_token, urn:ietf:params:oauth:token-type:id_token, urn:ietf:params:oauth:token-type:saml1, urn:ietf:params:oauth:token-type:saml2, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER The grant type of the access token when the access token was created.
urn:ietf:params:oauth:token-type:jwt, urn:ietf:params:oauth:token-type:access_token, urn:ietf:params:oauth:token-type:refresh_token, urn:ietf:params:oauth:token-type:id_token, urn:ietf:params:oauth:token-type:saml1, urn:ietf:params:oauth:token-type:saml2, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER The grant type of the access token when the access token was created.
urn:ietf:params:oauth:token-type:jwt, urn:ietf:params:oauth:token-type:access_token, urn:ietf:params:oauth:token-type:refresh_token, urn:ietf:params:oauth:token-type:id_token, urn:ietf:params:oauth:token-type:saml1, urn:ietf:params:oauth:token-type:saml2, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER For RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
Indicate whether the previous refresh token that had been kept in the database for a short time was used
The entity ID of the client.
Flag which indicates whether the entity ID of the client was used when the request for the access token was made.
Duration of the c_nonce in seconds.
Get the expected nonce value for DPoP proof JWT, which should be used
as the value of the DPoP-Nonce HTTP header.
Get the c_nonce.
Get the time at which the c_nonce expires in milliseconds since
the Unix epoch (1970-01-01).
Get the names of the claims that the authorization request (which resulted in generation of the access token) requested to be embedded in ID tokens.
Scopes associated with the refresh token.
The session ID, which is the ID of the user's authentication session, associated with a newly created access token.
If the response from the /auth/token API contains the deviceSecret parameter, its value should
be used as the value of this deviceSecret request parameter to the /nativesso API. The authorization
server may choose to issue a new device secret; in that case, it is free to generate a new device
secret and specify the new value.
If the response from the /auth/token API does not contain the deviceSecret parameter, or
if its value is invalid, the authorization server must generate a new device secret and specify
it in the deviceSecret parameter to the /nativesso API.
The specified value is used as the value of the device_secret property in the token response.
The authorization server should compute the hash value of the device secret based on its own logic
and specify the computed hash as the value of this deviceSecretHash request parameter to the
/nativesso API.
When the deviceSecretHash parameter is omitted, the implementation of the /nativesso API
generates the device secret hash by computing the SHA-256 hash of the device secret and encoding
it with base64url. Note that this hash computation logic is not a rule defined in the Native SSO
specification; rather, it is Authlete-specific fallback logic used when the deviceSecretHash
parameter is omitted.