UserInfo Response

Overview [1]

The UserInfo Response is returned from the Userinfo_endpoint to the OpenID Connect Relying Party (OAuth Client) as the response to the UserInfo Request. It is normally a JSON object (content type application/json) containing the Claims about the End-User that the Access Token presented in the request authorizes; if the Relying Party registered a signing or encryption algorithm for UserInfo responses, it is returned as a JWT (content type application/jwt) instead and must be decrypted and/or signature-verified before its Claims are read.

UserInfo Response Validation

Due to the possibility of token substitution attacks, the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the Id_token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the Id_token; if they do not match, the UserInfo Response values MUST NOT be used.

The OpenID Connect Relying Party MUST verify that the OpenID Connect Provider that responded was the intended OpenID Connect Provider through a TLS server certificate check, per RFC 6125.

The Relying Party MUST also perform OAuth Scope Validation: it must ensure that the Claims it consumes correspond to the scopes that were actually granted for the UserInfo Request, and it must not assume a Claim is present merely because its scope was requested, since the OpenID Connect Provider or the End-User may withhold it.
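The three checks above, as an added example that is not part of the original page or of any OpenID Connect library: a Relying Party-side validator that compares the sub Claims exactly, consumes only the Claims that a granted scope authorizes, and builds the TLS context with hostname matching so the response provably comes from the intended OpenID Connect Provider. The ID Token is assumed to have been validated (signature, iss, aud, exp) before this step, the scope-to-Claims table is the one from OpenID Connect Core section 5.4, and the ID Token, granted scopes and both UserInfo bodies are constructed sample data.

```python
import json
import ssl

# Claims that each standard scope authorizes (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


class UserInfoValidationError(Exception):
    """Raised when the UserInfo Response MUST NOT be used."""


def build_tls_context() -> ssl.SSLContext:
    """TLS settings for the UserInfo Request: verify the certificate chain and
    match the server name (RFC 6125), so the responder is the intended OP."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # reject a valid cert for the wrong host
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject unverifiable chains
    return ctx


def validate_userinfo_response(id_token_claims, userinfo_body, granted_scopes):
    """Return the Claims the RP may use from a UserInfo Response, or raise.

    id_token_claims: payload of an ID Token whose signature, iss, aud and exp
        were already validated (assumed to have happened before this call).
    userinfo_body:   raw application/json body of the UserInfo Response.
    granted_scopes:  scopes the OP granted (the token response's "scope"
        parameter, or the requested scopes if the OP omitted it).
    """
    try:
        userinfo = json.loads(userinfo_body)
    except json.JSONDecodeError as exc:
        raise UserInfoValidationError(f"response is not valid JSON: {exc}") from exc
    if not isinstance(userinfo, dict):
        raise UserInfoValidationError("response is not a JSON object")

    # Token substitution defence: compare the sub values exactly, as strings,
    # with no case folding or Unicode normalisation. On mismatch use nothing.
    id_sub, ui_sub = id_token_claims.get("sub"), userinfo.get("sub")
    if not (isinstance(id_sub, str) and isinstance(ui_sub, str) and id_sub == ui_sub):
        raise UserInfoValidationError("sub mismatch: UserInfo Response MUST NOT be used")

    # Scope check: consume only Claims that a granted scope authorizes. "sub"
    # is always allowed; the "openid" scope adds no further UserInfo Claims.
    allowed = {"sub"}
    for scope in granted_scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return {name: value for name, value in userinfo.items() if name in allowed}


def scopes_without_claims(usable_claims, granted_scopes):
    """Granted scopes for which the OP returned no Claim at all (the End-User
    or the OP may have withheld them); the RP must not assume those values."""
    return {
        scope for scope in granted_scopes
        if scope in SCOPE_CLAIMS and not (SCOPE_CLAIMS[scope] & set(usable_claims))
    }


# Constructed sample data, modelled on the examples in OpenID Connect Core.
ID_TOKEN_CLAIMS = {"iss": "https://server.example.com", "sub": "248289761001",
                   "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970}
GRANTED_SCOPES = {"openid", "profile", "email", "address"}

GOOD_RESPONSE = json.dumps({
    "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane",
    "email": "janedoe@example.com", "email_verified": True,
    "phone_number": "+1 555 0100",   # phone scope was not granted: dropped
})
# Response obtained with a substituted Access Token: another End-User's sub.
SUBSTITUTED_RESPONSE = json.dumps({"sub": "24400320", "name": "Mallory",
                                   "email": "mallory@example.com"})

if __name__ == "__main__":
    claims = validate_userinfo_response(ID_TOKEN_CLAIMS, GOOD_RESPONSE, GRANTED_SCOPES)
    print("usable claims:", claims)
    print("granted scopes with no claims:", scopes_without_claims(claims, GRANTED_SCOPES))
    try:
        validate_userinfo_response(ID_TOKEN_CLAIMS, SUBSTITUTED_RESPONSE, GRANTED_SCOPES)
    except UserInfoValidationError as err:
        print("rejected:", err)
```

The sub comparison deliberately treats a non-string or missing sub on either side as a mismatch rather than coercing it, and the scope filter drops Claims the OP was not asked for instead of failing, since an over-sharing OP is not a substitution attack; the address scope in the sample is reported as granted-but-empty so the RP can avoid dereferencing a Claim that never arrived.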
