Userinfo
POST {{authPath}}/{{envID}}/as/userinfo
The UserInfo Endpoint is an OAuth 2.0 protected resource that returns claims about the authenticated end user. Note that the /{{envID}}/as/userinfo request takes an access token in the Authorization header to get the claims about the user.
You can use the POST /{{envID}}/as/userinfo operation to obtain a userinfo authorization grant.
Userinfo authorization requests
A userinfo authorization request is used with applications associated with the openid resource. The value for the Authorization header is the Bearer token returned by the following authorization request:
https://auth.pingone.com/{{envID}}/as/authorize?client_id={{appID}}&redirect_uri={{redirect_uri}}&response_type=token&scope=openid profile email address
In the authorization request, the scope attribute must specify the openid value, which includes the sub claim (the user ID) in the response data. Additional OpenID Connect scopes such as profile, address, phone and email can also be included to add more user claims to the response.
Grants and scopes with userinfo
The token used with the /{{envID}}/as/userinfo endpoint must be generated by an implicit or authorization_code grant type. PingOne user scopes such as p1:reset:userPassword are not applicable to userinfo authorization requests and applications associated with the openid resource.
Note: Access tokens generated from a client_credentials grant type return an ACCESS_FAILED message when used with the /{{envID}}/as/userinfo endpoint. Tokens from a client_credentials grant use administrator permissions granted through role assignments.
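The two requests described above, as an added Python example (not PingOne's own code): it builds the authorization URL with the space-delimited scope list percent-encoded, and prepares, without sending, the userinfo POST with the token in the Authorization header. The function names, the ENV_ID and APP_ID placeholders, the redirect URI and the token string are constructed for illustration, and {{authPath}} is assumed to be the https://auth.pingone.com host shown in the authorization request.

```python
import urllib.request
from urllib.parse import quote, urlencode

# Assumption: {{authPath}} is the host used in the page's authorization request.
AUTH_PATH = "https://auth.pingone.com"


def build_authorize_url(env_id, app_id, redirect_uri, scopes):
    """Build the authorization request whose token is later sent to userinfo."""
    scopes = list(scopes)
    if "openid" not in scopes:
        raise ValueError("scope must include 'openid' so the response has the sub claim")
    platform = [s for s in scopes if s.startswith("p1:")]
    if platform:
        # PingOne user scopes (e.g. p1:reset:userPassword) do not apply here.
        raise ValueError(f"not applicable to userinfo requests: {platform}")
    query = urlencode(
        {
            "client_id": app_id,
            "redirect_uri": redirect_uri,
            "response_type": "token",
            "scope": " ".join(scopes),
        },
        safe="",
        quote_via=quote,  # spaces become %20 instead of being left raw
    )
    return f"{AUTH_PATH}/{env_id}/as/authorize?{query}"


def build_userinfo_request(env_id, access_token):
    """Prepare (not send) POST /{envID}/as/userinfo with a Bearer token header."""
    # Reject empty tokens and embedded whitespace (including CR/LF) so the
    # value cannot break out of the Authorization header.
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token is empty or contains whitespace")
    return urllib.request.Request(
        f"{AUTH_PATH}/{env_id}/as/userinfo",
        method="POST",
        headers={"Authorization": f"Bearer {access_token}"},
    )


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers or tokens.
    print(build_authorize_url("ENV_ID", "APP_ID", "https://app.example/cb",
                              ["openid", "profile", "email", "address"]))
    req = build_userinfo_request("ENV_ID", "constructed.access.token")
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
```

The token stays in the Authorization header and never appears in the request URL, so it is not written to URL-based logs.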
Prerequisites
- See OpenID Connect/OAuth 2 and Token for important overview information.