
Endpoint
URL: <baseurl>/oauth/userinfo
Request: GET with Authorization header
Authentication: Default Bearer Access Token

Userinfo is the standard OpenID Connect UserInfo endpoint, exposed by the Resource Server for the TINFO service. It is a Protected Endpoint and requires a Default Bearer Access Token, carried in the Authorization header of the request.

Due to the possibility of token substitution attacks, the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.

The response from Userinfo is a signed JWS. The Relying Party must verify the signature against the OIDC Provider's signing key before using any claim in it, and must also check that the iss claim names the expected OIDC Provider and that the sub claim matches the ID Token as described above.
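The checks described in the two paragraphs above, as an added worked example that is not part of this page or of the BankID OIDC Provider's own code. It is written in Go with only the standard library and assumes RS256 signing (the page does not name the algorithm); a locally generated key stands in for the provider's published signing key, and the signing side exists only so that the example runs offline. The claim values are copied from the example response listed under Response elements; the second sub value used for the mismatch case is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed test values copied from the example response on this page.
const TestIss, TestSub = "https://preprod.bankidapis.no", "9578-6000-4-127698"

// Claims is the subset of UserInfo claims the checks below need.
type Claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding

// newProviderKey stands in for the OIDC Provider's signing key (assumption: RS256; in production the public key comes from the provider's published key set).
func newProviderKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// signUserInfo mimics the provider side: a compact-serialised RS256 JWS over the claims.
func signUserInfo(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// decodeJSON base64url-decodes one JWS segment and unmarshals it into v.
func decodeJSON(segment string, v any) error {
	raw, err := b64.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyUserInfo is the relying-party side: verify the signature before trusting any
// claim, then check iss and exp, and finally require sub to equal the ID Token's sub.
func VerifyUserInfo(jws string, pub *rsa.PublicKey, expectedIss, idTokenSub string, now time.Time) (*Claims, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never let the token pick it ("none", HS256, ...)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != expectedIss {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("userinfo response expired")
	}
	if c.Sub != idTokenSub { // token substitution: a valid, signed response about someone else
		return nil, fmt.Errorf("sub %q does not match the ID Token: discard the response", c.Sub)
	}
	return &c, nil
}

func main() {
	key := newProviderKey()
	jws, _ := signUserInfo(key, map[string]any{"sub": TestSub, "iss": TestIss, "exp": 1485870048})
	_, err := VerifyUserInfo(jws, &key.PublicKey, TestIss, "9578-6000-4-000000", time.Unix(1485866500, 0))
	fmt.Println("substituted token:", err)
}
```

Note the order of the checks: the signature is verified first, so no unverified claim influences a later decision; the algorithm is pinned in code rather than read from the token header; and the sub comparison comes last. A sub mismatch is not a parsing or signature failure: the response is valid and correctly signed, just about a different End-User, which is exactly the substitution case the text warns about, so the whole response is discarded rather than partially used.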

Request parameters

None

Response elements

The response is a signed JSON structure (JWS) containing additional claims about the authenticated user beyond the claims that are directly contained in the ID Token. See the description of the TINO service for further details on supported claims. Below is an example response from the OIDC Provider in its BankID pilot configuration in pre-production:

{
  "sub": "9578-6000-4-127698",
  "iss": "https://preprod.bankidapis.no",
  "iat": 1485866449,
  "exp": 1485870048,
  "preferred_username": "Testesen, Test",
  "name": "Testesen, Test",
  "given_name": "Test",
  "family_name": "Testesen",
  "birthdate": "1980-03-09",
  "nnin": "09038000010"
}
