An OpenID Connect UserInfo procedure returns a set of Claims about a user authenticated by a given access token.
The openid scope is required to access endpoints of this type. The claims returned to the requesting client depend on the scope of the access token.
UserInfo procedures have access to all of the Common Procedure API.
OpenID Connect defines a set of Standard Claims returned by the UserInfo endpoint:
Attributes of the address claim:
For a more detailed description of each claim, please consult Section 5. of the OpenID Connect Core specification.
The returned claims are filtered based on the scopes of the access token before they are passed to the requesting client. The sub claim is not covered by a scope and is always returned.
A note on the email_verified and phone_number_verified claims. These are currently mapped to true only if the type attribute on the e-mail address or phone number in the account attributes is set to “verified”. This is currently only set for the phone number when number is registered using SMS OTP authenticator and not set for the email address (for example when registering through the e-mail authenticator) but is planned for a future release.
Userinfo procedures have access to all of the Common Procedure API.
The result function takes one argument, the context object which provides it with all information and helpers it may require.
result
context
The context object has type OpenIdConnectUserinfoTokenProcedureContext.
The main function of a transformation procedure
claims to be returned to the client.
The procedure must return the claims that it wants to be returned to the client.
These are filtered by Curity based on the scopes of the access token before they are actually returned to the client.
1 2 3 4
function result(context) { var responseData = context.getDefaultResponseData(); return responseData; }
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
function result(context) { var defaultData = context.getDefaultResponseData(); var responseData = { sub: defaultData.sub, preferred_username: context.accountAttributes.userName, zoneinfo: context.accountAttributes.timezone, email: getPrimarySignificantValue(context.accountAttributes.emails), phone_number: getPrimarySignificantValue(context.accountAttributes.phoneNumbers), extra: 'bonus' }; return responseData; } function getPrimarySignificantValue(multivalued) { var primary = null; if (multivalued && multivalued.length > 0) { multivalued.forEach(function(element) { if (primary == null || !!element.primary) { primary = (typeof element === 'object' ? element.value : element); } }); } return primary; }
The claims returned by the procedure are filtered based on the scope of the access token before sent to the requesting client:
openid
openid profile
openid email
openid phone
openid profile phone