UserInfo Endpoint

The HID Authentication Service exposes a userInfo endpoint conforming to section 5.3 of the OpenID Connect Core specification. It lets clients obtain claims about the authenticated end user, packaged in a JSON object containing a set of key-value pairs.


Example of a JSON object:

{
  "sub": "spl-api",
  "groupids": ["UG_CLIENTID"],
  "roles": ["RL_SYSTEM"],
  "preferred_username": "spl-api"
}

Typically, this object is packaged in a JWT signed with the RS256 algorithm using the Identity Provider's signature key, whose public part is advertised at the JWKS endpoint.

Depending on the server configuration, it can also be delivered as an unsigned JWT or as plain JSON. A client should expect the format its own configuration calls for and verify a signed JWT against the published key; it must not let the token's alg header decide whether the signature is checked, since an attacker-supplied token can claim any algorithm.


The endpoint is exposed at the following URL (and can be obtained from the server discovery endpoint):

https://[base-server-url]/{tenant}/authn/userinfo [POST]/[GET]

UserInfo Request

As required by the OpenID Connect Core specification, clients must present a valid access token (of type bearer) to retrieve the UserInfo claims.

Note: The claims presented to the client will depend on the scope associated with the access token (see Using OpenID Scopes).

Sample request to get the claims for an authenticated user

GET https://[base-server-url]/{tenant}/authn/userinfo HTTP/1.1
Authorization: Bearer pxMC9gAAAW3Ka6Wtg4hKCU+KWil414l7vKQjtXDd

UserInfo Response

Example of a response returning the requested claims in a signed JWT. Depending on the configuration, the JWT may be signed only, or signed and then encrypted. The signature is verified with the server's public RSA signature key (the one advertised at the JWKS endpoint).

If the JWT is encrypted, it can only be decrypted with the client's encryption key.


Sample response of a JWT

HTTP/1.1 200 OK
Content-Type: application/jwt; charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
 
eyJraWQiOiIxNTI5MDcwMDQ5ODI0IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzcGwtYXBpIiwiZ3JvdXBpZHMiOlsiVVNHX1NZUyJdLCJyb2xlcyI6WyJSTF9TWVNURU0iXSwicHJlZmVycmVkX3VzZXJuYW1lIjoic3BsLWFwaSJ9.iGkJ2ziR8KiBu9Lwmo2GDJs7a9-4GWVdCt0KBBaXeCU70fHv5sr9UgoBkzaeWqjiHHC0o02_bhZV62561Kfz47PTYbsq9UvOiHoBeyLke1pNCzx92vH1c7vOjlDeVcY_lHQ22cCC1eN946SngYiejSIYFGfmgxZFvI4A2SamIj1k6ZAXBaw2B5qiq1oxQTRSvrrfXT3kkqOB_sIwCI-SuSJR5BzpaB4EIwIO33erptVZWQG3VbJ8go6qxe8linUljYrVqWWQvp8nh1eliSdcHY55rO3zV_dlzyKPaYlm0tnOTHSrtGNCmsu7e85KMEmgP9A1wxvxIehjkuMH0n5hwA
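The following is an added example of how a client should handle the response above; it is not HID's client code. It dispatches on the Content-Type (application/jwt is verified, application/json is parsed as-is), looks the kid up in a JWKS document, and verifies the RS256 signature with the algorithm pinned on the client side, so an unsigned (alg none) token or a payload edited after signing is refused. To run offline with no dependencies it generates its own RSA key pair and JWKS in-process and mints the token itself (the kid value is reused from the page's sample token, the key behind it is fresh, and RL_FORGED is a made-up role name); RSA and the PKCS#1 v1.5 encoding are implemented with the standard library for self-containment, which is not a recommendation (use a vetted JOSE library, and keys of at least 2048 bits). The encrypted (JWE) variant mentioned above is not covered.

```python
"""Client-side verification of a userinfo JWT (added example, not HID code): key pair, JWKS and
token are generated in-process so it runs offline; RSA is stdlib-only and 1024-bit for speed."""
import base64, hashlib, json, secrets


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; callers only pass large odd candidates."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_key(bits: int = 1024):
    """Return (n, e, d). 1024 bits keeps the demo fast; real signing keys should be >= 2048."""
    e, primes = 65537, []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # force the top bit and oddness
        if _is_probable_prime(c) and (c - 1) % e and c not in primes:  # (c-1) % e != 0 keeps e invertible mod phi
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as a k-byte integer (RFC 8017 s9.2); what RS256 signs."""
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def sign_jwt_rs256(claims: dict, kid: str, n: int, d: int) -> str:
    """Mint the compact JWS the IdP would return (header carries kid and alg=RS256)."""
    signing_input = b64url_encode(json.dumps({"kid": kid, "alg": "RS256"}).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    return signing_input + "." + b64url_encode(pow(_emsa_pkcs1_v15(signing_input.encode(), k), d, n).to_bytes(k, "big"))


def make_jwks(kid: str, n: int, e: int) -> dict:
    enc = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(n), "e": enc(e)}]}


def verify_userinfo_jwt(token: str, jwks: dict) -> dict:
    """Verify an RS256 userinfo JWT against the JWKS and return its claims."""
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError if not three segments
    header = json.loads(b64url_decode(h_b64))
    # The accepted algorithm is fixed by the client, never taken from the token: an
    # unsigned ('alg: none') or HMAC token is refused before any key is looked up.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r; only RS256 is accepted" % header.get("alg"))
    jwk = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no RSA key with kid %r in JWKS" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(jwk[name]), "big") for name in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(s_b64)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != _emsa_pkcs1_v15((h_b64 + "." + p_b64).encode(), k):
        raise ValueError("RS256 signature verification failed")
    return json.loads(b64url_decode(p_b64))


def parse_userinfo_response(content_type: str, body: bytes, jwks: dict) -> dict:
    """Dispatch on Content-Type: application/jwt must verify; application/json is parsed as-is."""
    media = content_type.split(";")[0].strip().lower()
    if media == "application/jwt":
        return verify_userinfo_jwt(body.decode("ascii"), jwks)
    if media == "application/json":
        return json.loads(body)
    raise ValueError("unsupported userinfo Content-Type %r" % content_type)


def rejected(token: str, jwks: dict) -> bool:
    try:
        verify_userinfo_jwt(token, jwks)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Sign the page's sample claims with a fresh key, verify, then try two forgeries."""
    n, e, d = generate_rsa_key()
    kid = "1529070049824"  # kid from the page's sample token; the key behind it is freshly generated
    jwks = make_jwks(kid, n, e)
    claims = {"sub": "spl-api", "groupids": ["USG_SYS"], "roles": ["RL_SYSTEM"], "preferred_username": "spl-api"}
    token = sign_jwt_rs256(claims, kid, n, d)
    h_b64, p_b64, s_b64 = token.split(".")
    # Forgery 1: edited payload (made-up role name) with the original signature left in place.
    forged = "%s.%s.%s" % (h_b64, b64url_encode(json.dumps({**claims, "roles": ["RL_FORGED"]}).encode()), s_b64)
    # Forgery 2: the same payload as an unsigned JWT; a client that trusts 'alg' would accept it.
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + p_b64 + "."
    return {"claims": parse_userinfo_response("application/jwt; charset=UTF-8", token.encode(), jwks),
            "tampered_rejected": rejected(forged, jwks), "alg_none_rejected": rejected(unsigned, jwks)}
```

Call demo() to see the round trip: the genuine token yields the claims, while the tampered payload and the alg none token are both refused. In a real client the JWKS would be fetched from the URL given by the discovery document and cached by kid, and verification would be followed by the usual checks on the returned claims (for example that sub matches the ID token's subject, as OpenID Connect Core 5.3.2 requires).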

Error Responses

Code  Label                  Possible Errors
401   UNAUTHORIZED           invalid_token - Access Token expired
403   FORBIDDEN              insufficient_scope
500   INTERNAL SERVER ERROR  server_error