The UserInfo Response is returned from the Userinfo_endpoint to the OpenID Connect Relying Party as the response to the UserInfo Request.

Due to the possibility of token substitution attacks, the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the Id_token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the Id_token; if they do not match, the UserInfo Response values MUST NOT
The OpenID Connect Relying Party MUST verify that the OpenID Connect Provider that responded was the intended OpenID Connect Provider through a TLS server certificate check, per RFC 6125.
The OpenID Connect Relying Party MUST perform OAuth Scope Validation to ensure the scopes in the UserInfo Request were provided.
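The sub-matching check described above, written out as an added Relying-Party-side example (not code from the page or from any OpenID Connect library). It assumes the RP has already validated the Id_token and parsed both it and an unsigned JSON UserInfo Response into dicts; the constructed claim values and the `scope` string are illustrative.

```python
"""Relying-Party checks on a UserInfo Response (added example, constructed data)."""


class UserInfoMismatch(Exception):
    """Raised when the UserInfo Response cannot be tied to the End-User in the ID Token."""


def validate_userinfo(id_token_claims: dict, userinfo: dict) -> dict:
    """Return the UserInfo claims only if their `sub` exactly matches the ID Token's `sub`.

    Exact, case-sensitive string comparison with no trimming or normalisation:
    `sub` is an opaque identifier, and a substituted access token will yield a
    UserInfo Response about a different subject.
    """
    id_sub = id_token_claims.get("sub")
    ui_sub = userinfo.get("sub")
    if not isinstance(id_sub, str) or not id_sub:
        raise UserInfoMismatch("ID Token has no usable sub claim")
    if not isinstance(ui_sub, str) or ui_sub != id_sub:
        # Mismatch: the UserInfo values MUST NOT be used; discard the response.
        raise UserInfoMismatch(
            f"UserInfo sub {ui_sub!r} does not match ID Token sub {id_sub!r}")
    return dict(userinfo)


def userinfo_is_for_end_user(id_token_claims: dict, userinfo: dict) -> bool:
    """Boolean form of validate_userinfo for callers that just need accept/reject."""
    try:
        validate_userinfo(id_token_claims, userinfo)
        return True
    except UserInfoMismatch:
        return False


def missing_scopes(requested: set, granted_scope_param: str) -> set:
    """OAuth scope validation: requested scopes absent from the space-delimited
    `scope` value the OP returned with the token (hypothetical helper)."""
    return set(requested) - set(granted_scope_param.split())


# Constructed sample data: the RP's validated ID Token, the genuine UserInfo
# Response, and a response obtained with a substituted (attacker's) access token.
ID_TOKEN_CLAIMS = {"iss": "https://op.example", "sub": "alice-7f3a", "aud": "rp-client"}
GENUINE_USERINFO = {"sub": "alice-7f3a", "email": "alice@example.com"}
SUBSTITUTED_USERINFO = {"sub": "mallory-1b2c", "email": "mallory@example.com"}

if __name__ == "__main__":
    print(validate_userinfo(ID_TOKEN_CLAIMS, GENUINE_USERINFO))
    print(userinfo_is_for_end_user(ID_TOKEN_CLAIMS, SUBSTITUTED_USERINFO))
    print(missing_scopes({"openid", "email", "profile"}, "openid email"))
```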