UserInfo
This is an implementation of the OpenID Connect UserInfo endpoint as defined by the OpenID Connect Section 5.3.
This endpoint may be called using the GET or the POST HTTP method.
In version 1.50.0 and later, the UserInfo response can be customized with a lambda using the oauthConfiguration.userinfoPopulateLambda value of the application object. See UserInfo populate lambda.
Request#
Returns the Claims about the authenticated End-User.
OpenAPI Spec
Returns the Claims about the authenticated End-User.
Request Headers#
AuthorizationStringrequiredThe access token issued by FusionAuth as a result of completing one of the supported authorization grants.
Example header:
Authorization: Bearer [access_token]In version 1.50.0 and later, the aud claim is required for all tokens. The aud claim value, or the first value in the case where the claim contains a list, must correspond to an active Application.
If you have a token that was not obtained from an OAuth flow and does not contain the aud claim, consider adding the claim or using the JWT Validate API instead.
In version 1.50.0 and later when the application's oauthConfiguration.scopeHandlingPolicy is set to Strict, to use a token with this endpoint, the token must:
- Be an access token
- Contain the
openidscope in the scope claim
Response#
In version 1.50.0 and later the UserInfo response changes based on the oauthConfiguration.scopeHandlingPolicy value of the application object.
- In
Strictmode the response claims are populated based on the scope values of the provided token and available information on the user object. This behavior more closely aligns with the OpenID Connect 1.0 specification recommendations. - In
Compatibilitymode the response claims are populated based on available information on the user object only and include some claims from the provided token. This is behavior allows for backwards compatibility with versions of FusionAuth before 1.50.0.
Response Codes
| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation. |
| 401 | The Authorization header containing the access token is missing or malformed. |
| 500 | There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files. |
| 503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Response Body#
applicationIdUUIDThe unique Id of the Application for which the user has been authenticated.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is not populated.
birthdateStringAvailable since 1.1.0The birthDate of the User if available.
Format will be in YYYY-MM-DD as defined by the OpenID Connect core specification.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.
emailStringThe email address of the User.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the email scope.
email_verifiedBooleanThe verification status of the email. This value is true when the email is verified.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the email scope.
family_nameStringAvailable since 1.1.0The last name of the user if available.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.
given_nameStringAvailable since 1.1.0The first name of the user if available.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.
nameStringAvailable since 1.1.0The full name of the user if available.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.
middle_nameStringAvailable since 1.1.0The middle name of the user if available.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.
phone_numberStringAvailable since 1.1.0The phone number of the user if available. user.phoneNumber or user.mobilePhone will be used in this order of precedence.
When the Scope handling policy is Strict, this field is only populated when the provided token contains the phone scope.
phone_number_verifiedBooleanAvailable since 1.59.0The verification status of the phone_number. This value is true when the phone number is verified.
This field is only populated when the Scope handling policy is Strict, and the scope claim contains the phone scope.
pictureStringAvailable since 1.1.0A URL to a picture of the user if available.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.
preferred_usernameStringAvailable since 1.1.0The username of the user if available.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.
rolesArrayThe roles assigned to the user in the authenticated Application.
In version 1.50.0 and later, when the Scope handling policy is Strict, this field is not populated.
subUUIDThe subject of the token. The value is the unique Id of the FusionAuth user.
Example JSON Response With Compatibility Scope Handling
{
"applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
"birthdate": "1982-03-10",
"email": "richard@piedpiper.com",
"email_verified": true,
"family_name": "Hendricks",
"given_name": "Richard",
"phone_number": "555-555-5555",
"picture": "http://www.piedpiper.com/app/themes/pied-piper/dist/images/photo-richard.png",
"roles": [
"admin"
],
"sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}
Example JSON Response With Strict Scope Handling And The profile, email And phone Scopes In The Token
{
"birthdate": "1982-03-10",
"email": "richard@pipedpiper.com",
"email_verified": true,
"family_name": "Hendricks",
"given_name": "Richard",
"phone_number": "+15555551212",
"phone_number_verified": true,
"picture": "http://www.piedpiper.com/app/themes/pied-piper/dist/images/photo-richard.png",
"sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}