Skip to main content
POST
/
api
/
{serviceId}
/
auth
/
userinfo
Typescript (SDK)
import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.userinfo.process({
    serviceId: "<id>",
    userinfoRequest: {
      token: "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI",
    },
  });

  console.log(result);
}

run();
{
  "resultCode": "A091001",
  "resultMessage": "[A091001] The access token presented at the userinfo endpoint is valid.",
  "action": "OK",
  "clientId": "15518267821",
  "clientIdAliasUsed": false,
  "scopes": [
    "openid"
  ],
  "subject": "john",
  "token": "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI"
}
This API is supposed to be called from within the implementation of the userinfo endpoint of the authorization server in order to get information about the user that is associated with an access token. The response from /auth/userinfo API has various parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete. In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of “500 Internal Server Error”. The value of responseContent is a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of responseContent as the value ofWWW-Authenticate header. The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.
HTTP/1.1 500 Internal Server Error
WWW-Authenticate: &#123;responseContent&#125;
Cache-Control: no-store
Pragma: no-cache

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the request from the client application does not contain an access token (= the request from the authorization server implementation to Authlete does not contain token parameter). The value of responseContent is a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of responseContent as the value ofWWW-Authenticate header. The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.
HTTP/1.1 400 Bad Request
WWW-Authenticate: &#123;responseContent&#125;
Cache-Control: no-store
Pragma: no-cache

UNAUTHORIZED

When the value of action is UNAUTHORIZED, it means that the access token does not exist, has expired, or is not associated with any subject (= any user account). The value of responseContent is a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of responseContent as the value ofWWW-Authenticate header. The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: &#123;responseContent&#125;
Cache-Control: no-store
Pragma: no-cache

FORBIDDEN

When the value of action is FORBIDDEN, it means that the access token does not include the openid scope. The value of responseContent is a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of responseContent as the value ofWWW-Authenticate header. The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.
HTTP/1.1 403 Forbidden
WWW-Authenticate: &#123;responseContent&#125;
Cache-Control: no-store
Pragma: no-cache

OK

When the value of action is OK, it means that the access token which the client application presented is valid. To be concrete, it means that the access token exists, has not expired, includes the openid scope, and is associated with a subject (= a user account). What the userinfo endpoint implementation should do next is to collect information about the subject (user) from your database. The value of the subject is contained in the subject parameter in the response from this API and the names of data, i.e., the claims names are contained in the claims parameter in the response. For example, if the subject parameter is joe123 and the claims parameter is [ "given_name", "email" ], you need to extract information about joe123’s given name and email from your database. Then, call Authlete’s /auth/userinfo/issue API with the collected information and the access token in order to make Authlete generate an ID token. If an error occurred during the above steps, generate an error response to the client. The response should comply with RFC 6750. For example, if the subject associated with the access token does not exist in your database any longer, you may feel like generating a response like below.
HTTP/1.1 400 Bad Request
WWW-Authenticate: Bearer error="invalid_token",
error_description="The subject associated with the access token does not exist."
Cache-Control: no-store
Pragma: no-cache
Also, an error might occur on database access. If you treat the error as an internal server error, then the response would be like the following.
HTTP/1.1 500 Internal Server Error
WWW-Authenticate: Bearer error="server_error",
error_description="Failed to extract information about the subject from the database."
Cache-Control: no-store
Pragma: no-cache

Authorizations

Authorization
string
header
required

Authenticate every request with a Service Access Token or Organization Token. Set the token value in the Authorization: Bearer <token> header.

Service Access Token: Scoped to a single service. Use when automating service-level configuration or runtime flows.

Organization Token: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.

Both token types are issued by the Authlete console or provisioning APIs.

Path Parameters

serviceId
string
required

A service ID.

Body

token
string
required

An access token.

clientCertificate
string

Client certificate used in the TLS connection established between the client application and the userinfo endpoint.

The value of this request parameter is referred to when the access token given to the userinfo endpoint was bound to a client certificate when it was issued. See [OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens] (https://datatracker.ietf.org/doc/rfc8705/) for details about the specification of certificate-bound access tokens.

dpop
string

DPoP header presented by the client during the request to the user info endpoint.

The header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT. See OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) for details.

htm
string

HTTP method of the user info request. This field is used to validate the DPoP header. In normal cases, the value is either GET or POST.

htu
string

URL of the user info endpoint. This field is used to validate the DPoP header.

If this parameter is omitted, the userInfoEndpoint property of the service is used as the default value. See OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) for details.

uri
string

The full URL of the userinfo endpoint.

message
string

The HTTP message body of the request, if present.

headers
object[]

HTTP headers to be included in processing the signature. If this is a signed request, this must include the Signature and Signature-Input headers, as well as any additional headers covered by the signature.

targetUri
string

The target URI of the userinfo request, including the query part, if any.

dpopNonceRequired
boolean

The flag indicating whether to check if the DPoP proof JWT includes the expected nonce value.

If this request parameter is set to true or if the service's dpopNonceRequired property is set to true, the /auth/userinfo API checks if the DPoP proof JWT includes the expected nonce value. In this case, the response from the /auth/userinfo API will include the dpopNonce response parameter, which should be used as the value of the DPoP-Nonce HTTP header.

requestBodyContained
boolean

The flag indicating whether the userinfo request contains a request body.

Response

User info retrieved successfully

resultCode
string

The code which represents the result of the API call.

resultMessage
string

A short message which explains the result of the API call.

action
enum<string>

The next action that the authorization server implementation should take.

Available options:
INTERNAL_SERVER_ERROR,
BAD_REQUEST,
UNAUTHORIZED,
FORBIDDEN,
OK
claims
string[]

The list of claims that the client application requests to be embedded in the ID token.

clientId
integer<int64>

The ID of the client application which is associated with the access token.

clientIdAlias
string

The client ID alias when the authorization request for the access token was made.

clientIdAliasUsed
boolean

The flag which indicates whether the client ID alias was used when the authorization request for the access token was made.

responseContent
string

The content that the authorization server implementation can use as the value of WWW-Authenticate header on errors.

scopes
string[]

The scopes covered by the access token.

subject
string

The subject (= resource owner's ID).

token
string

The access token that came along with the userinfo request.

properties
object[]

The extra properties associated with the access token.

userInfoClaims
string

The value of the userinfo property in the claims request parameter or in the claims property in an authorization request object.

serviceAttributes
object[]

The attributes of this service that the client application belongs to.

clientAttributes
object[]

The attributes of the client.

consentedClaims
string[]

the claims that the user has consented for the client application to know.

requestedClaimsForTx
string[]

Get names of claims that are requested indirectly by "transformed claims". A client application can request "transformed claims" by adding names of transformed claims in the claims request parameter. The following is an example of the claims request parameter that requests a predefined transformed claim named 18_or_over and a transformed claim named nationality_usa to be embedded in the response from the userinfo endpoint.

&#123;
"transformed_claims": &#123;
"nationality_usa": &#123;
"claim": "nationalities",
"fn": [
[ "eq", "USA" ],
"any"
]
&#125;
&#125;,
"userinfo": &#123;
"::18_or_over": null,
":nationality_usa": null
&#125;
&#125;

The example above assumes that a transformed claim named 18_or_over is predefined by the authorization server like below.

&#123;
"18_or_over": &#123;
"claim": "birthdate",
"fn": [
"years_ago",
[ "gte", 18 ]
]
&#125;
&#125;

In the example, the nationalities claim is requested indirectly by the nationality_usa transformed claim. Likewise, the birthdate claim is requested indirectly by the 18_or_over transformed claim. When the claims request parameter of an authorization request is like the example above, this requestedClaimsForTx property will hold the following value.

[ "birthdate", "nationalities" ]

It is expected that the authorization server implementation prepares values of the listed claims and passes them as the value of the claimsForTx request parameter when it calls the /api/auth/userinfo/issue API. The following is an example of the value of the claimsForTx request parameter.

&#123;
"birthdate": "1970-01-23",
"nationalities": [ "DEU", "USA" ]
&#125;
requestedVerifiedClaimsForTx
string[][]

Names of verified claims that will be referenced when transformed claims are computed.

transformedClaims
string

the value of the transformed_claims property in the claims request parameter of an authorization request or in the claims property in a request object.

clientEntityId
string

The entity ID of the client.

clientEntityIdUsed
boolean

Flag which indicates whether the entity ID of the client was used when the request for the access token was made.

dpopNonce
string

The expected nonce value for DPoP proof JWT, which should be used as the value of the DPoP-Nonce HTTP header.

metadataDocumentLocation
string<uri>

The location of the client's metadata document that was used to resolve client metadata.

This property is set when client metadata was retrieved via the OAuth Client ID Metadata Document (CIMD) mechanism.

metadataDocumentUsed
boolean

Flag indicating whether a metadata document was used to resolve client metadata for this request.

When true, the client metadata was retrieved via the CIMD mechanism rather than from the Authlete database.