Overview #
The UserInfo Response is returned from the Userinfo_endpoint to the OpenID Connect Relying Party (OAuth Client) as the response to the UserInfo Request. The UserInfo Claims MUST be returned as the members of a JSON Object.
Due to the possibility of token substitution attacks, the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the Id_token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the Id_token; if they do not match, the UserInfo Response values MUST NOT be used.
The OpenID Connect Relying Party MUST verify that the OpenID Connect Provider that responded was the intended OpenID Connect Provider through a TLS server certificate check, per RFC 6125.
The Relying Party MUST perform OAuth Scope Validation to ensure that the scopes in the UserInfo Request were provided.
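The two checks above (sub match and scope validation) as a Relying Party would apply them, written as an added example that is not part of this page or of any OpenID Connect library. It assumes the ID Token's signature has already been verified by the caller's JWT library and that the TLS server certificate check was done by the HTTPS client that fetched the response; which claims each scope must yield is this example's own policy, and the token and responses are constructed samples.

```python
import base64
import json
from typing import Iterable

# Claims a standard scope is expected to release (OpenID Connect Core 5.4).
# Requiring them to be present is this example's policy, not the spec's.
SCOPE_CLAIMS = {
    "email": {"email"},
    "profile": {"name"},
    "phone": {"phone_number"},
    "address": {"address"},
}


def decode_jwt_payload(id_token: str) -> dict:
    """Return the payload of a compact JWS (assumes the signature was already verified)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def validate_userinfo(id_token: str, userinfo: dict, scopes: Iterable[str]) -> list:
    """Return a list of problems; an empty list means the UserInfo Response may be used."""
    problems = []
    id_sub = decode_jwt_payload(id_token).get("sub")
    ui_sub = userinfo.get("sub")
    # Token substitution defence: sub in UserInfo MUST exactly equal sub in the ID Token.
    if not isinstance(ui_sub, str) or ui_sub != id_sub:
        problems.append(f"sub mismatch: id_token sub={id_sub!r}, userinfo sub={ui_sub!r}")
    # Scope validation: every requested scope must have yielded its claims.
    for scope in scopes:
        missing = SCOPE_CLAIMS.get(scope, set()) - userinfo.keys()
        if missing:
            problems.append(f"scope {scope!r}: missing claims {sorted(missing)}")
    return problems


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample ID Token (header.payload.placeholder-signature) and responses.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256"}),
    _b64url({"iss": "https://op.example", "sub": "248289761001", "aud": "client-abc"}),
    "sig-placeholder",
])
GOOD_USERINFO = {"sub": "248289761001", "name": "Jane Doe", "email": "jane@example.com"}
SUBSTITUTED_USERINFO = {"sub": "999", "name": "Someone Else", "email": "x@example.com"}
```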