Alias

UserInfoAccess

Description

Provides identity information and the authentication process of a user associated to an OAuth 2.0 authorization code grant authorization. An application normally invokes this operation when OAuth 2.0 is used for authenticating the user. It doesn't normally need to be invoked when OAuth 2.0 is used only for authorization.

Request

The application sends the following GET request using TLS:

GET /trustedx-resources/openid/v1/users/me

Authorization

The request must contain an Authorization header with an OAuth access token obtained via authorization code grant, i.e., with the approval by the user whose information is sought. A token obtained via a client credentials grant flow cannot be used as this type of token is not associated to a particular user.

See Authorization for Using APIs for more details.

Example

GET /trustedx-resources/openid/v1/users/me
Host: trustedx.demo.com:8082
Authorization: Bearer a2b4...6daf

Response

The response is a JSON data structure that contains identity attributes of the authenticated user and information on the context and the authentication process (in general, claims that the identity provider makes on the authenticated subject). The claims returned depend, in the general case, on the scopes associated to the authorization used to invoke the service (see User Information Scopes).

Status-Line

HTTP/1.1 200 OK

Content-Type Header

Content-Type: application/json;charset=UTF-8

Body

JSON object with the claims.

{ 
   "sub" : {string},
   "domain" : {string},
   "acr" : {string},
   "amr" : {array},
   ...
}

The following claims are always included in the response:

Property	Description
`sub`	Identifier of the user (the value of the `id` attribute obtained by the authentication flow applied).
`domain`	Identifier of the domain in which the user was authenticated.
`acr`	Authentication level or flow with which the user was identified. If the `acr_values` parameter is included in the Authorization Request message (see Obtain Authorization), the application must, usually, verify the value of the `acr` claim to guarantee that the authentication meets the requested requirements. See [RSE_AUTH_INTEG] for more information.
`amr`	Authentication methods that the user passed throughout a session in the IdP. This property is a JSON string array.

Furthermore, the response can include other claims as per the scopes granted by the user (see User Information Scopes):

Property	Description
`{attribute1}{attribute2}...`	Identity attributes of the user. In general, the values of these attributes are strings. If an attribute has multiple values, the format of the corresponding claim is a JSON array with the values of the attribute. Attributes corresponding to claims standardized by OpenID Connect are returned as defined by the standard. If the authentication workflows return these attributes with a value different from specified here (not recommended), the attributes are ignored and are not included in the response. `email_verified`: Boolean `phone_number_verified`: Boolean `updated_at`: numeric Attributes with structured values are not included.
`external_info`	Attributes obtained from an external provider that the user authenticated with in the identity provider. These attributes must be considered as attributes claimed by the external provider. The format of this claim is a JSON object with a field for each external identity domain with which the user was authenticated during the session. The value of each field is another JSON object with the claims obtained from the external provider. The `sub` claim indicates the identifier of the user in the external domain. If this claim is included in the response, normally it only contains information on one external domain, although there could be various if the user reauthenticated with more than one external provider in the session with the identity provider.
`authn_details`	Details on the authentication process and context. The format of this claim is a JSON object whose elements are all strings and that contains, among other elements, the following: `directSso`: The `true` value specifies that direct SSO was applied. The `false` value indicates that an initial authentication or a total or partial reauthentication was performed on the user. `authnLevel`: Identifier (URN) of the authentication level reached. `authnFlow`: Identifier (URN) of the authentication flow used to authenticate or re-authenticate the user. If direct SSO was applied (the value of `directSso` is `true`), this element indicates the flow applied in the last authentication or reauthentication of the user during the session.
`sign_identities`	Information on the identities of the user's electronic signature.

Example

HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
 
{ 
    "sub" : "john.doe",
    "domain" : "example.com",
    "username" : "john.doe",
    "email" : "john.doe@example.com",
    "email_verified" : true,
    "phone_number" : "00123456789",
    "distinguished_name" : "CN=john.doe, O=Example",
    "name" : "John Doe",
    "groups" : [ "Marketing", "Sales" ],
    "acr" : "urn:safelayer:...:authentication:level:medium",
    "amr" : [ "urn:oasis:...:am:password", "urn:oasis:...:am:OTP" ],
    "external_info" : {
        "my.social.net" : {
            "sub" : "817197465059411",
            "name" : "J. Doe",
            "email" : "jdoe@mymail.com"
        }
    },
    "authn_details" : {
        "directSso" : "false", 
        "ipAddress" : "192.168.7.28",
        ...
    }
}