UserInfo Endpoint

The ActivID Appliance server exposes a userInfo endpoint, conforming to the OpenID Connect Core specification – section 5.3, that allows clients to obtain information about the authenticated end user, packaged in a JSON object containing a set of key-value pairs. For example:

{
    "sub": "spl-api",
    "groupids": ["USG_SYS"],
    "roles": ["RL_SYSTEM"],
    "preferred_username": "spl-api"
}

Typically, this object is packaged in a JWT signed with the RS256 algorithm by the Identity Provider’s signature key (the key advertised at the JWKS endpoint).

It can also be delivered as an unsigned JWT. For further information, see Configuring Support for OpenID Connect Request Objects.

The endpoint is exposed at the following URL (and can be obtained from the server discovery endpoint):

https://[base-server-url]/{tenant}/authn/userinfo [POST]/[GET]

UserInfo Request

As required by the OpenID Connect Core specification, clients must present a valid access token (of type bearer) to retrieve the UserInfo claims.

Note: The claims presented to the client will depend on the scope associated with the access token (see Configuring Custom Scopes for a Client).

Example of a request to get the claims for an authenticated user:

GET https://[base-server-url]/{tenant}/authn/userinfo HTTP/1.1
Authorization: Bearer pxMC9gAAAW3Ka6Wtg4hKCU+KWil414l7vKQjtXDd

UserInfo Response

Example of a response returning the requested claims in a signed JWT, which the client can verify with the server’s public RSA signature key. Depending on the configuration, the JWT can also be signed and then encrypted (see Configuring Support for OpenID Connect Request Objects); in that case it can only be decrypted with the client’s encryption key:

HTTP/1.1 200 OK
Content-Type: application/jwt; charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
 
eyJraWQiOiIxNTI5MDcwMDQ5ODI0IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzcGwtYXBpIiwiZ3JvdXBpZHMiOlsiVVNHX1NZUyJdLCJyb2xlcyI6WyJSTF9TWVNURU0iXSwicHJlZmVycmVkX3VzZXJuYW1lIjoic3BsLWFwaSJ9.iGkJ2ziR8KiBu9Lwmo2GDJs7a9-4GWVdCt0KBBaXeCU70fHv5sr9UgoBkzaeWqjiHHC0o02_bhZV62561Kfz47PTYbsq9UvOiHoBeyLke1pNCzx92vH1c7vOjlDeVcY_lHQ22cCC1eN946SngYiejSIYFGfmgxZFvI4A2SamIj1k6ZAXBaw2B5qiq1oxQTRSvrrfXT3kkqOB_sIwCI-SuSJR5BzpaB4EIwIO33erptVZWQG3VbJ8go6qxe8linUljYrVqWWQvp8nh1eliSdcHY55rO3zV_dlzyKPaYlm0tnOTHSrtGNCmsu7e85KMEmgP9A1wxvxIehjkuMH0n5hwA
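The following is an added example, not code from the ActivID Appliance documentation or product, showing what a client should do with the application/jwt body above before trusting any claim in it: decode the compact JWS, pin the algorithm to RS256, select the RSA key from the JWKS document by kid, verify the RSASSA-PKCS1-v1_5/SHA-256 signature, and check that sub matches the ID Token's sub as OpenID Connect Core section 5.3.2 requires. To run offline it generates its own demo RSA key pair and a matching JWKS in-process (the key, the kid "demo-kid", the seed and the hand-written RSA code are all constructed for the demo; a production client would use a vetted JOSE library and fetch the JWKS from the server's discovery endpoint), signs the same claims the page shows, and then verifies them as the client would.

```python
import base64, hashlib, hmac, json, random

# base64url without padding, as used for JWS segments
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- demo-only RSA key pair, generated in-process (NOT the appliance's real signature key) ---
_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]
def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:  # Miller-Rabin
    if any(n % p == 0 for p in _SMALL_PRIMES):
        return False
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand, rng):
            return cand

def make_demo_rsa_key(bits: int = 1024, seed: int = 7) -> dict:
    rng = random.Random(seed)  # fixed seed: reproducible demo key, never do this for a real key
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is exactly gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

# --- RS256 = RSASSA-PKCS1-v1_5 with SHA-256 (RFC 7518 section 3.3) ---
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix from RFC 8017
def _emsa_pkcs1_v1_5(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key: dict, signing_input: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v1_5(signing_input, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n: int, e: int, signing_input: bytes, signature: bytes) -> bool:
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v1_5(signing_input, k))  # constant-time compare

# --- the JWKS document as the JWKS endpoint named on this page would publish it ---
def _int_to_b64url(x: int) -> str:
    return b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
def jwks_for(key: dict, kid: str) -> dict:
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": _int_to_b64url(key["n"]), "e": _int_to_b64url(key["e"])}]}

# --- server side: package the UserInfo claims as a signed JWT (application/jwt body) ---
def issue_userinfo_jwt(key: dict, kid: str, claims: dict) -> str:
    header = b64url_encode(json.dumps({"kid": kid, "alg": "RS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = rs256_sign(key, f"{header}.{payload}".encode("ascii"))
    return f"{header}.{payload}.{b64url_encode(signature)}"

# --- client side: verify the body before trusting any claim in it ---
def verify_userinfo_jwt(token: str, jwks: dict, expected_sub: str) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not a compact JWS
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # pin the algorithm: reject 'none' and HMAC downgrades outright
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no RSA key in the JWKS matches the token's kid")
    n, e = (int.from_bytes(b64url_decode(jwk[name]), "big") for name in ("n", "e"))
    if not rs256_verify(n, e, f"{header_b64}.{payload_b64}".encode("ascii"), b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("sub") != expected_sub:  # OIDC Core 5.3.2: sub must equal the ID Token's sub
        raise ValueError("sub claim does not match the ID Token")
    return claims

if __name__ == "__main__":
    key = make_demo_rsa_key()
    jwks = jwks_for(key, "demo-kid")  # "demo-kid" is a placeholder key id
    token = issue_userinfo_jwt(key, "demo-kid", {"sub": "spl-api", "groupids": ["USG_SYS"],
                                                 "roles": ["RL_SYSTEM"], "preferred_username": "spl-api"})
    print(verify_userinfo_jwt(token, jwks, expected_sub="spl-api"))
```

The order of checks in verify_userinfo_jwt is deliberate: the algorithm is fixed by the client's own configuration rather than read from the token, the key is selected by kid from the trusted JWKS before any cryptography runs, and the payload is only parsed after the signature over header.payload has been verified. An encrypted response (the signed-then-encrypted case mentioned above) would be decrypted with the client's key first and the inner JWS then passed through the same function.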

Error Responses

Code  Label                  Possible Errors
401   UNAUTHORIZED           invalid_token - Access Token expired
403   FORBIDDEN              insufficient_scope
500   INTERNAL SERVER ERROR  server_error