The UserInfo Claims MUST be returned as the members of a JSON Object. The response body SHOULD be encoded using UTF-8. The OpenID Connect Standard Claims can be returned, as can additional Claims not specified.
UserInfo Response Validation

Due to the possibility of token substitution attacks, the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.
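The check described above, as an added example that is not part of the original page or of any OpenID Connect implementation: the client decodes the UserInfo Response body as UTF-8 JSON, requires a JSON object, and then refuses to use the Claims unless the response's sub is a string that exactly equals the sub from the already-validated ID Token. The ID Token payload and the two UserInfo bodies (one genuine, one substituted for another End-User) are constructed sample data, and the unsigned application/json response form is assumed; a signed or encrypted JWT response would need JWS/JWE processing before this step.

```python
import json

# Constructed sample data (not from the page): a validated ID Token payload and
# two UserInfo Response bodies, one genuine and one that belongs to another user.
ID_TOKEN_CLAIMS = {
    "iss": "https://issuer.example",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "exp": 1311281970,
    "iat": 1311280970,
}

USERINFO_OK = b'{"sub": "248289761001", "name": "Jane Doe", "email": "jane@example.org"}'

# Same shape, but the sub identifies a different End-User (token substitution).
USERINFO_SUBSTITUTED = b'{"sub": "999999999999", "name": "Someone Else"}'


class UserInfoValidationError(ValueError):
    """Raised when a UserInfo Response MUST NOT be used."""


def parse_userinfo_body(body: bytes) -> dict:
    """Decode a UserInfo Response body as UTF-8 JSON and require a JSON object.

    Assumes the plain application/json response form; a JWT-wrapped response
    would have to be verified and decrypted first (not shown here).
    """
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError as e:
        raise UserInfoValidationError(f"UserInfo body is not valid UTF-8: {e}") from e
    try:
        claims = json.loads(text)
    except json.JSONDecodeError as e:
        raise UserInfoValidationError(f"UserInfo body is not valid JSON: {e}") from e
    if not isinstance(claims, dict):
        raise UserInfoValidationError("UserInfo Claims must be a JSON object")
    return claims


def validate_userinfo(id_token_claims: dict, userinfo_claims: dict) -> dict:
    """Return the UserInfo Claims only if their sub exactly matches the ID Token sub.

    Exact, case-sensitive string comparison; a missing or non-string sub on
    either side counts as a mismatch, so a substituted response is rejected.
    """
    id_sub = id_token_claims.get("sub")
    ui_sub = userinfo_claims.get("sub")
    if not isinstance(id_sub, str) or not id_sub:
        raise UserInfoValidationError("ID Token has no usable sub Claim")
    if not isinstance(ui_sub, str) or ui_sub != id_sub:
        raise UserInfoValidationError(
            f"UserInfo sub {ui_sub!r} does not match ID Token sub {id_sub!r}"
        )
    return userinfo_claims


def userinfo_for(id_token_claims: dict, body: bytes) -> dict:
    """Parse and validate a UserInfo Response body in one step."""
    return validate_userinfo(id_token_claims, parse_userinfo_body(body))


def is_usable(id_token_claims: dict, body: bytes) -> bool:
    """True only when the response may be used for this End-User."""
    try:
        userinfo_for(id_token_claims, body)
    except UserInfoValidationError:
        return False
    return True


if __name__ == "__main__":
    print("genuine:", userinfo_for(ID_TOKEN_CLAIMS, USERINFO_OK))
    try:
        userinfo_for(ID_TOKEN_CLAIMS, USERINFO_SUBSTITUTED)
    except UserInfoValidationError as e:
        print("rejected:", e)
```

Keep the comparison an exact string equality: no trimming, case folding, or Unicode normalization, since the sub is an opaque identifier chosen by the Issuer and any normalization could make two distinct subjects compare equal.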
More Information

There might be more information for this subject on one of the following:
- Authorization Code Flow
- Default Profile Claims
- OAuth Scope Validation
- OpenID Connect Standard Claims
- [#1] - OpenID Connect Basic Client Implementer's Guide 1.0 - based on data observed: 2016-05-18