Identity Server exposes an endpoint that clients and resource servers can query for the user claims associated with an access token. This service is the UserInfo endpoint.
Clients or resource servers send the request to the UserInfo endpoint with the access token in the Authorization header, as follows:

    Authorization: Bearer access_token

The UserInfo endpoint returns the claims associated with the access token in a JSON object, as described in the following response values.

Parameter | Description |
---|---|
sub | Unique ID identifying the subject. This is the GUID of the user. |

The other claims are included as values in the JSON object if the access token contains the necessary scope and the user has authorized the client to access the claim.
For example, if the client has requested the email scope, the UserInfo endpoint returns a value "email" : "alice@c.com" along with the "sub" field.
Sample Request and Response
Request

    GET /nidp/oauth/nam/userinfo HTTP/1.1
    User-Agent: curl/7.41.0
    Host: www.idp.com:8443
    Accept: */*
    Authorization: Bearer /wEBAA.............DSDG

Response:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: application/json
    Content-Length: 73
    Date: Thu, 19 Mar 2015 16:14:52 GMT

    { "sub": "6adb7ca411d5a14c94946adb7ca411d5", "email": "alice@a.com" }
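
The following client-side sketch is an added example, not code from the product or its documentation. It builds the UserInfo request shown above and validates the response before trusting any claim. The function names, the `SCOPE_CLAIMS` subset (taken from OpenID Connect Core), and the 401 sample with a `WWW-Authenticate` header (RFC 6750 behaviour) are assumptions.

```python
import json

# Subset of the scope-to-claim mapping in OpenID Connect Core section 5.4.
# Assumption: the server follows this standard mapping.
SCOPE_CLAIMS = {
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed sample responses (the 200 mirrors the sample on this page).
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
    "Date: Thu, 19 Mar 2015 16:14:52 GMT\r\n\r\n"
    '{ "sub": "6adb7ca411d5a14c94946adb7ca411d5", "email": "alice@a.com" }'
)
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Bearer error="invalid_token"\r\n\r\n'
)

def build_userinfo_request(host, access_token, path="/nidp/oauth/nam/userinfo"):
    """Return the raw GET request carrying the token as a Bearer credential."""
    # Reject whitespace/CRLF so a malformed token cannot inject extra headers.
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token is empty or contains whitespace")
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Accept: application/json\r\n"
            f"Authorization: Bearer {access_token}\r\n\r\n")

def parse_userinfo_response(raw, granted_scopes):
    """Validate a raw UserInfo response; return only claims the scopes cover."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)[1]
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:])}
    if status != "200":
        raise PermissionError(f"UserInfo returned {status}: "
                              f"{headers.get('www-authenticate', '')}")
    if not headers.get("content-type", "").startswith("application/json"):
        raise ValueError("unexpected content type")
    claims = json.loads(body)
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        raise ValueError("response has no usable 'sub' claim")
    allowed = {"sub"}.union(*(SCOPE_CLAIMS.get(s, set()) for s in granted_scopes))
    return {k: v for k, v in claims.items() if k in allowed}
```

Passing the scopes the client was actually granted means a claim outside those scopes is dropped rather than trusted, and a missing `sub` is treated as a hard failure.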