/oauth2/userinfo
Endpoint that returns claims about the authenticated end user, as defined in OpenID Connect Core 1.0 incorporating errata set 1.
When requesting claims, send an access token granted in an OpenID Connect flow as a bearer token in the Authorization header. The endpoint returns the claims associated with the scopes that were granted when the access token was requested.
You must compose the path to the user information endpoint so that it addresses the specific realm in which AM logged in the user. For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/userinfo.
The following example shows AM returning claims about a user:
$ curl \
--request GET \
--header "Authorization: Bearer U-Wjlv-w1jtpuBVWUGFV6PwI_nE" \
"https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/userinfo"

{
  "given_name": "Demo First Name",
  "family_name": "Demo Last Name",
  "name": "demo",
  "sub": "(usr!demo)",
  "subname": "id=demo,ou=user,o=root,ou=services,dc=openam,dc=forgerock,dc=org"
}
If the access token validates successfully, the endpoint returns the claims as JSON.
The subject claim is in the format (type!subject), where:

subject
    is the identifier of the user/identity, or the name of the OAuth 2.0/OpenID Connect client that is the subject of the token.

type
    can be one of the following:

    age. Specifies that the subject is an OAuth 2.0/OpenID Connect-related user-agent or client. For example, an OAuth 2.0 client, a Remote Consent Service agent, and a Web and Java Agent internal client.

    usr. Specifies that the subject is a user/identity.

For example, (usr!demo), or (age!myOAuth2Client).
The value of the subname claim matches the value of the subject portion of the sub claim.
The user information endpoint can return claims as JSON (the default) or as a signed, encrypted, or signed and encrypted JWT. To configure the response type, perform the following steps:

1. In the AM console, go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client Name > Signing and Encryption.

2. In the User info response format drop-down menu, select the type of response required by the client.

3. Configure the signing and/or encryption algorithms AM should use when returning claims to this particular client in the following properties:

    User info signed response algorithm
    User info encrypted response algorithm
    User info encrypted response encryption algorithm
For more information about these properties, see Signing and Encryption Properties.
Note that you can configure the algorithms the OAuth 2.0/OpenID Connect provider service supports by navigating to Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect.
For more information about the secret IDs mapped to the OAuth 2.0/OpenID Connect provider signing and encrypting algorithms, see "Secret ID Default Mappings".
Signed, and signed and encrypted, JWT responses also include the iss and aud claims.
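The following client-side check, added here as an example and not part of AM or its documentation, handles both response formats described above: it parses the (type!subject) form of the sub claim and, for a signed JWT response (served as application/jwt per OpenID Connect Core), verifies the signature and then checks iss and aud against the expected issuer and client ID. It assumes an HS256 signature over a constructed shared secret and a constructed issuer value so that it runs offline with the standard library; an RS256 or ES256 response would need a JWKS-based verifier instead.

```python
import base64, hashlib, hmac, json, re

# AM subject claim shape "(type!subject)": usr = user/identity, age = agent or OAuth 2.0 client.
SUB_RE = re.compile(r"^\((usr|age)!(.+)\)$")

def parse_sub(sub):
    """Split an AM sub claim into (type, subject); reject any other shape."""
    match = SUB_RE.match(sub)
    if not match:
        raise ValueError(f"unexpected sub format: {sub!r}")
    return match.group(1), match.group(2)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hs256(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_hs256_jwt(claims, secret):
    """Constructed stand-in for AM's signer, used only to build offline sample input."""
    head = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64url(_hs256(f"{head}.{body}", secret))

def verify_hs256_jwt(token, secret):
    """Return the claims of an HS256 JWT only if the pinned alg and the signature check out."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":  # never let the token pick the alg
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_hs256(f"{head}.{body}", secret), _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))

def userinfo_claims(content_type, body, issuer, client_id, secret=None):
    """Validate a userinfo response (JSON or signed JWT) and return its claims plus the parsed sub."""
    if content_type.startswith("application/jwt"):
        claims = verify_hs256_jwt(body, secret)
        aud = claims.get("aud")
        aud = [aud] if isinstance(aud, str) else (aud or [])
        if claims.get("iss") != issuer or client_id not in aud:  # the JWT form carries iss and aud
            raise ValueError("iss/aud do not match this client")
    elif content_type.startswith("application/json"):
        claims = json.loads(body)
    else:
        raise ValueError(f"unexpected content type {content_type!r}")
    sub_type, subject = parse_sub(claims["sub"])
    return {**claims, "sub_type": sub_type, "subject": subject}
```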