/oauth2/userinfo

Endpoint that returns claims about the authenticated end user, as defined in OpenID Connect Core 1.0 incorporating errata set 1.

When requesting claims, provide an access token granted in an OpenID Connect flow as a bearer token in the Authorization header. The endpoint returns the claims associated with the scopes that were granted when the access token was requested.

You must compose the path to the user information endpoint addressing the specific realm where AM logged in the user. For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/subrealm1/userinfo.

The following example shows AM returning claims about a user:

$ curl \
--request GET \
--header "Authorization: Bearer U-Wjlv-w1jtpuBVWUGFV6PwI_nE" \
"https://openam.example.com:8443/openam/oauth2/realms/root/userinfo"
{
    "given_name":"Demo First Name",
    "family_name":"Demo Last Name",
    "name":"demo",
    "sub":"demo"
}

If the access token validates successfully, the endpoint returns the claims as JSON.

The user information endpoint can return claims as JSON (the default) or as a signed, encrypted, or signed and encrypted JWT. To configure the response type, perform the following steps:

  1. Go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client Name > Signing and Encryption.

  2. In the User info response format drop-down menu, select the type of response required by the client.

  3. Configure the signing and/or encryption algorithms AM should use when returning claims to this particular client in the following properties:

    • User info signed response algorithm

    • User info encrypted response algorithm

    • User info encrypted response encryption algorithm

    For more information about these properties, see Signing and Encryption Properties.

    Note that you can configure the algorithms the OAuth 2.0/OpenID Connect provider service supports by navigating to Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect.

    For more information about the secret IDs mapped to the OAuth 2.0/OpenID Connect provider signing and encrypting algorithms, see "Secret ID Default Mappings".
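The following client-side example, added here and not part of the AM documentation or product code, shows how a relying party should consume the two response formats described above: plain JSON (the default) and a signed JWT returned when User info response format is set to a signed type with an HS256 signing algorithm. The endpoint URL, client ID, client secret and all claim values are constructed sample data; the HS256 key is assumed to be the client secret, as a client would use for an HMAC-signed user info response. For the signed case the code pins the expected algorithm (rejecting alg "none" and any header-selected algorithm), checks the signature in constant time, and validates iss and aud; for both cases it checks that sub matches the sub from the ID token, as OpenID Connect Core requires. Encrypted (JWE) responses are not handled here.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not taken from AM).
EXPECTED_ISS = "https://openam.example.com:8443/openam/oauth2/realms/root"
CLIENT_ID = "demoClient"
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"  # HS256 key


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS; used only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jws(token: str, key: bytes) -> dict:
    """Verify a compact JWS and return its claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: never accept "none" or let the token pick the alg.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(parts[1]))


def parse_userinfo(content_type: str, body: str, id_token_sub: str,
                   key: bytes = CLIENT_SECRET) -> dict:
    """Turn a user info response into trusted claims, or raise ValueError."""
    media = content_type.split(";")[0].strip().lower()
    if media == "application/json":
        claims = json.loads(body)
    elif media == "application/jwt":
        claims = verify_hs256_jws(body, key)
        # A signed user info response carries iss and aud; check both.
        if claims.get("iss") != EXPECTED_ISS:
            raise ValueError("issuer mismatch")
        aud = claims.get("aud")
        if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
            raise ValueError("audience mismatch")
    else:
        raise ValueError(f"unexpected content type {content_type!r}")
    # The sub must match the one in the ID token from the same flow.
    if claims.get("sub") != id_token_sub:
        raise ValueError("sub does not match the ID token")
    return claims


def rejects(content_type: str, body: str, id_token_sub: str) -> bool:
    """True if parse_userinfo refuses the response (used for checks below)."""
    try:
        parse_userinfo(content_type, body, id_token_sub)
        return False
    except ValueError:
        return True


# Constructed sample responses, mirroring the claims shown in the curl example.
SAMPLE_CLAIMS = {"given_name": "Demo First Name", "family_name": "Demo Last Name",
                 "name": "demo", "sub": "demo"}
SAMPLE_JSON_BODY = json.dumps(SAMPLE_CLAIMS)
SAMPLE_JWT_BODY = sign_hs256({**SAMPLE_CLAIMS, "iss": EXPECTED_ISS, "aud": CLIENT_ID},
                             CLIENT_SECRET)
# A forged token claiming alg "none" with no signature.
FORGED_NONE_BODY = (_b64url_encode(json.dumps({"alg": "none"}).encode()) + "."
                    + _b64url_encode(json.dumps({**SAMPLE_CLAIMS, "iss": EXPECTED_ISS,
                                                 "aud": CLIENT_ID}).encode()) + ".")

if __name__ == "__main__":
    print(parse_userinfo("application/json", SAMPLE_JSON_BODY, "demo"))
    print(parse_userinfo("application/jwt", SAMPLE_JWT_BODY, "demo"))
    print("forged alg=none rejected:", rejects("application/jwt", FORGED_NONE_BODY, "demo"))
```

In a real client, content_type and body come from the HTTP response to the curl request shown earlier, and id_token_sub from the ID token that was validated in the same authorization flow; a response whose sub differs, or whose JWT fails any of the checks, must be discarded rather than partially trusted.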
