AM 7.5.0


The /oauth2/userinfo endpoint is the OpenID Connect (OIDC) UserInfo endpoint.

Use this endpoint to request claims about the authenticated end user.

Specify the realm in the request URL; for example:

To access the endpoint, use an access token from an OIDC grant flow as the bearer token. The endpoint returns claims based on the scopes granted for the access token as in the following example:

$ curl \
--request GET \
--header "Authorization: Bearer <access-token>" \
  "name": "Babs Jensen",
  "family_name": "Jensen",
  "given_name": "Babs",
  "sub": "a0325ea4-9d9b-4056-931b-ab64704cc3da",
  "subname": "a0325ea4-9d9b-4056-931b-ab64704cc3da"

Subject claims

The subject claim is in the format (type!subject), where:

  • subject is the identifier of the user/identity, or the name of the OAuth 2.0/OpenID Connect client that is the subject of the token.

  • type can be one of the following:

    • age. Specifies that the subject is an OAuth 2.0/OpenID Connect-related user-agent or client. For example, an OAuth 2.0 client, a Remote Consent Service agent, and a Web and Java Agent internal client.

    • usr. Specifies that the subject is a user/identity.

For example, (usr!demo), or (age!myOAuth2Client).

The value of the subname claim matches the value of the subject portion of the sub claim.

Response signing and encryption

The default response is a plain JSON object.

AM also supports responding with a signed JSON Web Token (JWT) or signed and encrypted JWT. JWT responses include the aud and iss claims.

To enable signing and encryption, follow these steps:

  1. In the AM admin UI, go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID > Signing and Encryption and select the response type in the User info response format drop-down list.

  2. If necessary, configure the signing and encryption properties:

    User info signed response algorithm
    User info encrypted response algorithm
    User info encrypted response encryption algorithm

  3. Save your work.

  4. To restrict the possible settings for the clients in the realm, edit the settings under Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect.

  5. Save your work.

For details, refer to the OAuth 2.0 provider reference documentation for advanced OIDC settings and to Secret label default mappings.

Copyright © 2010-2024 ForgeRock, all rights reserved.