|Authentication|Default Bearer Access Token|
|Response elements|Signed JSON (JWS) according to standard|
Userinfo is a standard endpoint associated with the Resource Server for the TINFO service. It constitutes a Protected Endpoint and requires a Default Bearer Access Token contained in the Authorization header of the request. Userinfo provides additional claims about an authenticated user beyond the claims that are directly contained in the ID Token.
Due to the possibility of token substitution attacks, the UserInfo Response is not guaranteed to be about the end-user identified by the sub (subject) claim of the ID Token. The sub Claim in the UserInfo Response must be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.
The response from Userinfo is signed and should be validated accordingly.
The following example shows a request/response pair for the Userinfo endpoint at the BankID pilot in pre-production. The example is generated from Postman (which is configured as a client at the OIDC Provider). The value for the access token in the Authorization header (`Authorization: Bearer 4497db915b5b479191c81a7854a2fa8`) is taken from the corresponding example for the Token endpoint.