UserInfo Endpoint
The ActivID Appliance server exposes a userInfo endpoint, conforming to the OpenID Connect Core specification – section 5.3, that allows clients to obtain information about the authenticated end user, packaged in a JSON object containing a set of key-value pairs. For example:
{
    "sub": "spl-api",
    "groupids": ["USG_SYS"],
    "roles": ["RL_SYSTEM"],
    "preferred_username": "spl-api"
}
Typically, this object is packaged in a JWT signed with the RS256 algorithm by the Identity Provider's signature key (the public part of which is advertised in the JWKS endpoint).
It can also be delivered as an unsigned JWT.
The endpoint is exposed at the following URL (and can be obtained from the server discovery endpoint):
https://[base-server-url]/{tenant}/authn/userinfo [POST]/[GET]
UserInfo Request
As required by the OpenID Connect Core specification, clients must present a valid access token (of type bearer) to retrieve the UserInfo claims.
Example of a request to get the claims for an authenticated user:
GET https://[base-server-url]/{tenant}/authn/userinfo HTTP/1.1
Authorization: Bearer pxMC9gAAAW3Ka6Wtg4hKCU+KWil414l7vKQjtXDd
UserInfo Response
Example of a response returning the requested claims in a signed JWT (depending on the configuration, the JWT can also be signed and encrypted; if encrypted, it can only be decrypted with the client's encryption key):
HTTP/1.1 200 OK
Content-Type: application/jwt; charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
eyJraWQiOiIxNTI5MDcwMDQ5ODI0IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzcGwtYXBpIiwiZ3JvdXBpZHMiOlsiVVNHX1NZUyJdLCJyb2xlcyI6WyJSTF9TWVNURU0iXSwicHJlZmVycmVkX3VzZXJuYW1lIjoic3BsLWFwaSJ9.iGkJ2ziR8KiBu9Lwmo2GDJs7a9-4GWVdCt0KBBaXeCU70fHv5sr9UgoBkzaeWqjiHHC0o02_bhZV62561Kfz47PTYbsq9UvOiHoBeyLke1pNCzx92vH1c7vOjlDeVcY_lHQ22cCC1eN946SngYiejSIYFGfmgxZFvI4A2SamIj1k6ZAXBaw2B5qiq1oxQTRSvrrfXT3kkqOB_sIwCI-SuSJR5BzpaB4EIwIO33erptVZWQG3VbJ8go6qxe8linUljYrVqWWQvp8nh1eliSdcHY55rO3zV_dlzyKPaYlm0tnOTHSrtGNCmsu7e85KMEmgP9A1wxvxIehjkuMH0n5hwA
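The following is an added example, not code from the ActivID Appliance or its documentation, showing what a client should do with the JWT above: read the key id from the header, look that key up in the JWKS the server advertises, and verify the RS256 signature over the header and payload before trusting the claims. It uses only the Python standard library, so RS256 (RSASSA-PKCS1-v1_5 with SHA-256) is spelled out with big-integer arithmetic; the toy key generator and signer at the bottom stand in for the Identity Provider purely so the example runs offline, and the key id "test-key-1" and the claims are constructed values. Unsigned tokens (alg "none", which the text says the server may also deliver) are refused unless the caller opts in, and encrypted (JWE) responses are not handled here.

```python
import base64
import hashlib
import hmac
import json
import math
import secrets

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 s9.2

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(message))
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def verify_userinfo_jwt(token: str, jwks: dict, allow_unsigned: bool = False) -> dict:
    """Return the claims if the JWT is RS256-signed by a key from the JWKS (or 'none' when opted in)."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    alg = header.get("alg")
    if alg == "none":  # unsigned delivery carries no issuer guarantee, so it is off by default
        if allow_unsigned and sig_b64 == "":
            return claims
        raise ValueError("unsigned JWT rejected")
    if alg != "RS256":
        raise ValueError(f"unsupported alg {alg!r}")
    # 'kid' selects a key, but the key material always comes from the JWKS, never from the token
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("no matching RSA key in JWKS")
    n, e = (int.from_bytes(b64url_decode(key[name]), "big") for name in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(sig_b64)
    if len(sig) != k:
        raise ValueError("signature length does not match modulus")
    # RSAVP1 (s^e mod n) must reproduce the PKCS#1 v1.5 encoding of "header.payload"
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15(f"{header_b64}.{payload_b64}".encode(), k)
    if not hmac.compare_digest(em, expected):
        raise ValueError("bad signature")
    return claims

def is_rejected(token: str, jwks: dict, allow_unsigned: bool = False) -> bool:
    try:
        verify_userinfo_jwt(token, jwks, allow_unsigned)
    except ValueError:
        return True
    return False

# --- toy RSA key generation and signing, only so the example runs offline ---
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses; n is odd and > 3 here
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bits set
        if _is_probable_prime(cand):
            return cand

def generate_test_keypair(bits: int = 1024, kid: str = "test-key-1"):
    """Return (public JWK, (n, d)). Demo-only key generation; use a real library for real keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    jwk = {"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig", "e": b64url_encode(e.to_bytes(3, "big")),
           "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))}
    return jwk, (n, d)

def sign_rs256(claims: dict, kid: str, private_key) -> str:
    """Mint a compact RS256 JWS the way the Identity Provider would for the userinfo response."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    header_b64 = b64url_encode(json.dumps({"kid": kid, "alg": "RS256"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    em = _emsa_pkcs1_v15(f"{header_b64}.{payload_b64}".encode(), k)
    sig = pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"
```

In practice the JWKS passed to verify_userinfo_jwt is the document fetched from the server's JWKS endpoint, and the token is the body of the application/jwt response shown above; the claims are only used after the function returns. Two design points matter for the security of the check: the key is selected by kid but taken exclusively from the JWKS, so nothing in the token can substitute key material, and the alg header is compared against the single value the client expects rather than used to pick a verification routine.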
Error Responses
Code | Label | Possible Errors |
---|---|---|
401 | UNAUTHORIZED | invalid_token - Access Token expired |
403 | FORBIDDEN | insufficient_scope |
500 | INTERNAL SERVER ERROR | server_error |