Userinfo (TINFO)
| Field | Value |
|---|---|
| URL | https://<baseurl>/userinfo |
| Request | GET with Authorization header |
| Authentication | Default Bearer Access Token |
| Request parameters | None |
| Response elements | Signed JSON (JWS) according to standard |
| Example | See below |
Userinfo is a standard endpoint associated with the Resource Server for the TINFO service. It constitutes a Protected Endpoint and requires a Default Bearer Access Token contained in the Authorization header of the request. Userinfo provides additional claims about an authenticated user beyond the claims that are directly contained in the ID Token.
Due to the possibility of token substitution attacks, the UserInfo Response is not guaranteed to be about the end-user identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response must be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.
The response from Userinfo is signed and should be validated accordingly.
Example
The following example shows a request / response pair for the Userinfo endpoint. The example is generated from Postman (which is configured as a client at the OIDC Provider). The value for the access token in the Authorization header (Authorization: Bearer 4497db915b5b479191c81a7854a2fa8) is taken from the corresponding example for the Token endpoint.
```http
GET /oidc/oauth/userinfo HTTP/1.1
cache-control: no-cache
Postman-Token: 928f68f1-a0fe-43d9-9019-ee7b4d7aaa43
Authorization: Bearer 4497db915b5b479191c81a7854a2fa8
User-Agent: PostmanRuntime/3.0.11-hotfix.2
Accept: */*
Host: preprod.bankidapis.no
Connection: close

HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ARR/3.0
X-Powered-By: ASP.NET
Date: Thu, 25 May 2017 11:28:05 GMT
Connection: close
Content-Length: 253

{
  "birthdate": "1966-12-18",
  "exp": 1495714163,
  "family_name": "Nilsen",
  "given_name": "Frode Beckmann",
  "iat": 1495710576,
  "iss": "https://preprod.bankidapis.no",
  "name": "Frode Beckmann Nilsen",
  "preferred_username": "Frode Beckmann Nilsen",
  "sub": "9578-6000-4-30799"
}
```