/oauth2/userinfo

Endpoint that returns claims about the authenticated end user, as defined in OpenID Connect Core 1.0 incorporating errata set 1.

When requesting claims, send an access token obtained in an OpenID Connect flow (that is, one issued for a request that included the openid scope) in the Authorization header as a bearer token. The endpoint returns the claims associated with the scopes that were granted when the access token was issued.

You must compose the path to the user information endpoint addressing the specific realm where AM logged in the user. For example, https://tenant-name.forgeblocks.com/am/oauth2/realms/root/realms/alpha/userinfo.

The following example shows AM returning claims about a user:

$ curl \
--request GET \
--header "Authorization: Bearer U-Wjlv-w1jtpuBVWUGFV6PwI_nE" \
"https://tenant-name.forgeblocks.com/am/oauth2/realms/root/realms/alpha/userinfo"
{
    "given_name":"Demo First Name",
    "family_name":"Demo Last Name",
    "name":"demo",
    "sub":"(usr!demo)",
    "subname":"id=demo,ou=user,o=root,ou=services,dc=openam,dc=forgerock,dc=org"
}

If the access token validates successfully, the endpoint returns the claims as JSON. If the token is missing, expired, revoked, or otherwise invalid, the endpoint returns an error and no claims.

About the Subject and the Subname Claims

The subject claim is in the format (type!subject), where:

  • subject is the identifier of the user/identity, or the name of the OAuth 2.0/OpenID Connect client that is the subject of the token.

  • type can be one of the following:

    • age. Specifies that the subject is an OAuth 2.0/OpenID Connect-related user-agent or client, for example an OAuth 2.0 client, a Remote Consent Service agent, or the internal client of a Web or Java Agent.

    • usr. Specifies that the subject is a user/identity.

For example, (usr!demo), or (age!myOAuth2Client).

The value of the subname claim matches the value of the subject portion of the sub claim.
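The following is an added example, not code from the AM documentation or the product. It parses the (type!subject) form of the sub claim described above and applies the relying-party check from OpenID Connect Core 1.0 section 5.3.2: the sub in the UserInfo response must equal the sub in the ID token, otherwise the returned claims must not be used. The sample UserInfo response is constructed from the JSON shown earlier on this page, and the ID token sub value "(usr!demo)" is an assumption for the demonstration.

```python
import json
import re

# Shape of the AM sub claim as documented on this page: "(type!subject)",
# where type is one of the two values the page lists, "usr" or "age".
SUB_RE = re.compile(r"^\((usr|age)!(.+)\)$")

# Constructed sample: the UserInfo response shown on this page.
USERINFO_RESPONSE = json.dumps({
    "given_name": "Demo First Name",
    "family_name": "Demo Last Name",
    "name": "demo",
    "sub": "(usr!demo)",
    "subname": "id=demo,ou=user,o=root,ou=services,dc=openam,dc=forgerock,dc=org",
})

# Assumed for the demonstration: the sub carried by the ID token of the same session.
ID_TOKEN_SUB = "(usr!demo)"


def parse_sub(sub):
    """Split an AM sub claim such as "(usr!demo)" into (type, subject).

    Raises ValueError for any value that does not have the documented shape,
    so callers never silently treat a malformed sub as a user identifier.
    """
    match = SUB_RE.match(sub)
    if not match:
        raise ValueError(f"sub claim is not in (type!subject) form: {sub!r}")
    return match.group(1), match.group(2)


def is_end_user(sub):
    """True when the token subject is a user/identity ("usr"), False for
    agents and clients ("age"). Use this before granting user-only access."""
    return parse_sub(sub)[0] == "usr"


def check_userinfo(userinfo_json, id_token_sub):
    """Validate a UserInfo response before using its claims.

    Enforces the rule from OpenID Connect Core 1.0 section 5.3.2: the sub claim
    must be present and must match the sub from the ID token. Returns the
    parsed claims, together with the decoded sub type and subject.
    """
    claims = json.loads(userinfo_json)
    if "sub" not in claims:
        raise ValueError("UserInfo response is missing the required sub claim")
    if claims["sub"] != id_token_sub:
        raise ValueError(
            f"UserInfo sub {claims['sub']!r} does not match ID token sub {id_token_sub!r}"
        )
    sub_type, subject = parse_sub(claims["sub"])
    return {"claims": claims, "sub_type": sub_type, "subject": subject}


if __name__ == "__main__":
    result = check_userinfo(USERINFO_RESPONSE, ID_TOKEN_SUB)
    print(result["sub_type"], result["subject"], result["claims"]["name"])
```

The regex is anchored at both ends and requires the closing parenthesis, so a value such as "demo" or "(usr!demo" is rejected rather than partially matched; the subject part is left unconstrained because AM user and client names are not limited to a fixed character set.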

The user information endpoint can return claims as JSON (the default) or as a signed, encrypted, or signed and encrypted JWT. To configure the response type, perform the following steps:

  1. In the AM Admin UI, go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client Name > Signing and Encryption.

  2. In the User info response format drop-down menu, select the type of response required by the client.

  3. Configure the signing and/or encryption algorithms AM should use when returning claims to this particular client in the following properties:

    • User info signed response algorithm

    • User info encrypted response algorithm

    • User info encrypted response encryption algorithm

    For more information about these properties, see Signing and Encryption Properties.

    Note that you can configure the algorithms the OAuth 2.0/OpenID Connect provider service supports by navigating to Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect. An algorithm selected for a client must be one the provider service supports.

    For more information about the secret IDs mapped to the OAuth 2.0/OpenID Connect provider signing and encrypting algorithms, see Secret ID Default Mappings.

Signed JWT responses, and signed and encrypted JWT responses, include the iss and aud claims. A client receiving a JWT response should verify the signature with the algorithm it expects, check that iss identifies the AM realm that issued the token, and check that aud contains its own client ID, before using any of the claims.
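The following is an added example, not AM code or code from the ForgeRock documentation. It shows what a client should do with a signed JWT UserInfo response: verify the signature under a pinned algorithm, then check iss, aud and sub before trusting the claims. To stay self-contained and run offline it uses HS256 with a shared client secret, implemented with the Python standard library, and includes a small function that produces such a JWT in place of the AM server; the issuer URL, client ID and secret are assumed values for the demonstration. Encrypted (JWE) response formats are out of scope here.

```python
import base64
import hashlib
import hmac
import json

# Assumed values for the demonstration; none of these come from a real AM tenant.
ISSUER = "https://tenant-name.forgeblocks.com/am/oauth2/realms/root/realms/alpha"
CLIENT_ID = "myOAuth2Client"
CLIENT_SECRET = b"constructed-demo-secret-not-a-real-one"
EXPECTED_ALG = "HS256"


def b64url_encode(data):
    """Base64url without padding, as used in JWS (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url_encode; restores the padding that JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_signed_userinfo(claims, secret=CLIENT_SECRET):
    """Stand-in for the AM server: build an HS256 JWS carrying the UserInfo claims."""
    header = {"typ": "JWT", "alg": EXPECTED_ALG}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_signed_userinfo(token, expected_iss, expected_aud, id_token_sub, secret=CLIENT_SECRET):
    """Client-side validation of a signed UserInfo JWT. Returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm the client was configured for. Taking "alg" from the
    # token would let an attacker pick "none" or swap algorithms.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    expected_sig = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    # Only after the signature holds are the claims worth reading.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"token not intended for this client: aud={aud!r}")
    # OpenID Connect Core 1.0 section 5.3.2: sub must match the ID token's sub.
    if claims.get("sub") != id_token_sub:
        raise ValueError("UserInfo sub does not match ID token sub")
    return claims


# Constructed sample claims, shaped like the JSON response shown on this page
# plus the iss and aud claims that the JWT response formats carry.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "sub": "(usr!demo)",
    "name": "demo",
    "given_name": "Demo First Name",
}

if __name__ == "__main__":
    token = make_signed_userinfo(SAMPLE_CLAIMS)
    print(verify_signed_userinfo(token, ISSUER, CLIENT_ID, "(usr!demo)")["name"])
```

The signature check runs before any claim is parsed, the comparison uses hmac.compare_digest to avoid timing leaks, and the algorithm is taken from client configuration rather than from the token header; those three points carry over unchanged when the client is configured for an asymmetric algorithm and verifies with the provider's public key instead of a shared secret.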