UserInfo

This is an implementation of the OpenID Connect UserInfo endpoint as defined by the OpenID Connect Section 5.3. This endpoint may be called using the GET or the POST HTTP method.

In version 1.50.0 and later, the UserInfo response can be customized with a lambda using the oauthConfiguration.userinfoPopulateLambda value of the application object. See UserInfo populate lambda.

Request#

Returns the Claims about the authenticated End-User.

GET/oauth2/userinfo
OpenAPI Spec

Returns the Claims about the authenticated End-User.

POST/oauth2/userinfo

Request Headers#

AuthorizationStringrequired

The access token issued by FusionAuth as a result of completing one of the supported authorization grants.

Example header:

Authorization: Bearer [access_token]

In version 1.50.0 and later, the aud claim is required for all tokens. The aud claim value, or the first value in the case where the claim contains a list, must correspond to an active Application.

If you have a token that was not obtained from an OAuth flow and does not contain the aud claim, consider adding the claim or using the JWT Validate API instead.

In version 1.50.0 and later when the application's oauthConfiguration.scopeHandlingPolicy is set to Strict, to use a token with this endpoint, the token must:

  • Be an access token
  • Contain the openid scope in the scope claim

Response#

In version 1.50.0 and later the UserInfo response changes based on the oauthConfiguration.scopeHandlingPolicy value of the application object.

  • In Strict mode the response claims are populated based on the scope values of the provided token and available information on the user object. This behavior more closely aligns with the OpenID Connect 1.0 specification recommendations.
  • In Compatibility mode the response claims are populated based on available information on the user object only and include some claims from the provided token. This is behavior allows for backwards compatibility with versions of FusionAuth before 1.50.0.

Response Codes

CodeDescription
200The request was successful. The response will contain a JSON body.
400The request was invalid and/or malformed. The response will contain a JSON message with the specific errors. The error response JSON is covered in the OAuth Error section of the API documentation.
401The Authorization header containing the access token is missing or malformed.
500There was a FusionAuth internal error. A stack trace is provided and logged in the FusionAuth log files.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

Response Body#

applicationIdUUID

The unique Id of the Application for which the user has been authenticated.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is not populated.

birthdateStringAvailable since 1.1.0

The birthDate of the User if available. Format will be in YYYY-MM-DD as defined by the OpenID Connect core specification.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

emailString

The email address of the User.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the email scope.

email_verifiedBoolean

The verification status of the email. This value is true when the email is verified.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the email scope.

family_nameStringAvailable since 1.1.0

The last name of the user if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

given_nameStringAvailable since 1.1.0

The first name of the user if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

nameStringAvailable since 1.1.0

The full name of the user if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

middle_nameStringAvailable since 1.1.0

The middle name of the user if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

phone_numberStringAvailable since 1.1.0

The phone number of the user if available. user.phoneNumber or user.mobilePhone will be used in this order of precedence.

When the Scope handling policy is Strict, this field is only populated when the provided token contains the phone scope.

phone_number_verifiedBooleanAvailable since 1.59.0

The verification status of the phone_number. This value is true when the phone number is verified.

This field is only populated when the Scope handling policy is Strict, and the scope claim contains the phone scope.

pictureStringAvailable since 1.1.0

A URL to a picture of the user if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

preferred_usernameStringAvailable since 1.1.0

The username of the user if available.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is only populated when the provided token contains the profile scope.

rolesArray

The roles assigned to the user in the authenticated Application.

In version 1.50.0 and later, when the Scope handling policy is Strict, this field is not populated.

subUUID

The subject of the token. The value is the unique Id of the FusionAuth user.

Example JSON Response With Compatibility Scope Handling

{
  "applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
  "birthdate": "1982-03-10",
  "email": "richard@piedpiper.com",
  "email_verified": true,
  "family_name": "Hendricks",
  "given_name": "Richard",
  "phone_number": "555-555-5555",
  "picture": "http://www.piedpiper.com/app/themes/pied-piper/dist/images/photo-richard.png",
  "roles": [
    "admin"
  ],
  "sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}

Example JSON Response With Strict Scope Handling And The profile, email And phone Scopes In The Token

{
  "birthdate": "1982-03-10",
  "email": "richard@pipedpiper.com",
  "email_verified": true,
  "family_name": "Hendricks",
  "given_name": "Richard",
  "phone_number": "+15555551212",
  "phone_number_verified": true,
  "picture": "http://www.piedpiper.com/app/themes/pied-piper/dist/images/photo-richard.png",
  "sub": "858a4b01-62c8-4c2f-bfa7-6d018833bea7"
}