UserInfo Response

Overview [1]

The UserInfo Response is returned from the Userinfo_endpoint to the OpenID Connect Relying Party (OAuth Client).

The UserInfo Claims MUST be returned as the members of a JSON Object. The response body SHOULD be encoded using UTF-8. The OpenID Connect Standard Claims can be returned, as can additional Claims not specified.

If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON Object representing the Claims; a Claim value SHOULD NOT be present with a null or empty string value.

The sub (subject) Claim MUST always be returned in the UserInfo Response.

UserInfo Response Validation

Due to the possibility of token substitution attacks, the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the Id_token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the Id_token; if they do not match, the UserInfo Response values MUST NOT be used.

The OpenID Connect Relying Party MUST verify that the OpenID Connect Provider that responded was the intended OpenID Connect Provider through a TLS server certificate check, per RFC 6125.

The Relying Party MUST perform OAuth Scope Validation to ensure that the Claims for the scopes in the UserInfo Request were provided.
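The validation steps above, written out as an added example (not code from the OpenID Connect specification or from any library): it decodes a constructed UserInfo Response body as UTF-8 JSON, requires a JSON object with a non-empty sub, compares that sub with the one taken from the ID Token, drops null and empty-string Claim values, and reports which requested scopes came back with none of their Standard Claims. The function name validate_userinfo, the scope-to-Claim table, and the sample values are assumptions made for this example.

```python
import json

# Standard Claims requested by each OpenID Connect scope value (assumed table,
# built from the Standard Claims; "openid" itself requests no UserInfo Claims).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def validate_userinfo(body: bytes, id_token_sub: str, requested_scopes: set):
    """Return (claims, unsatisfied_scopes); raise ValueError when the response
    MUST NOT be used (bad encoding, not an object, missing or mismatched sub)."""
    try:
        claims = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"UserInfo body is not UTF-8 JSON: {exc}")
    if not isinstance(claims, dict):
        raise ValueError("UserInfo Claims MUST be the members of a JSON object")
    # sub MUST always be present ...
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("sub Claim missing or empty")
    # ... and MUST exactly match the ID Token's sub (token substitution check)
    if sub != id_token_sub:
        raise ValueError("sub mismatch with ID Token: response MUST NOT be used")
    # null / "" values SHOULD NOT be sent; never treat them as real Claim values
    claims = {k: v for k, v in claims.items() if v is not None and v != ""}
    # Scope validation: a requested scope whose Claims are all absent is reported
    # to the caller, which decides whether that is acceptable for its use case.
    unsatisfied = {s for s in requested_scopes
                   if s in SCOPE_CLAIMS and not (SCOPE_CLAIMS[s] & claims.keys())}
    return claims, unsatisfied


if __name__ == "__main__":
    # Constructed sample response; sub value is made up for this example.
    sample = (b'{"sub":"248289761001","name":"Jane Doe","email":"janedoe@example.com",'
              b'"email_verified":true,"nickname":null}')
    print(validate_userinfo(sample, "248289761001", {"openid", "profile", "email", "phone"}))
```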
