Overview
The userinfo endpoint is an OAuth2-protected endpoint used to retrieve claims about an authenticated end-user. It is defined in the OpenID Connect specification.
The URL of the userinfo endpoint on a Janssen Server is listed in the response of the Janssen Server's well-known configuration endpoint, given below.
https://janssen.server.host/jans-auth/.well-known/openid-configuration
The userinfo_endpoint claim in the response specifies the URL of the userinfo endpoint. By default, the userinfo endpoint looks like this:
https://janssen.server.host/jans-auth/restv1/userinfo
In response to a valid request, the userinfo endpoint returns user information in JSON format similar to below:
HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "3482897610054",
  "jti": "sdu28g9c761g0y0g5",
  "client_id": "db6daf8c-ab1b-4010-9fb0",
  "name": "Chad Wick",
  "given_name": "Chad",
  "family_name": "Wick",
  "preferred_username": "c.wick",
  "email": "cwick@jans.com",
  "picture": "http://mysite.com/mypic.jpg"
}
The userinfo response should contain the sub, jti and client_id claims.
Since the userinfo endpoint is an OAuth2-protected resource, a valid access token with an appropriate scope is required to access it. More information about the request and response of the userinfo endpoint can be found in the OpenAPI specification of the jans-auth-server module.
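The client side of the flow described above, as an added example that is not part of the Janssen documentation or code base: it takes userinfo_endpoint from the discovery document, sends the access token as a bearer header, and rejects a response that lacks sub, jti or client_id or whose sub differs from the ID token's sub (required by OpenID Connect Core 5.3.2). It assumes a plain JSON response (no signed or encrypted userinfo) and that the endpoint is served from the same host as the discovery document; the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

REQUIRED = ("sub", "jti", "client_id")  # claims this page says the response should contain

# Constructed sample data, modelled on the URLs and response shown on this page.
SAMPLE_DISCOVERY = {"userinfo_endpoint": "https://janssen.server.host/jans-auth/restv1/userinfo"}
SAMPLE_BODY = (b'{"sub": "3482897610054", "jti": "sdu28g9c761g0y0g5", '
               b'"client_id": "db6daf8c-ab1b-4010-9fb0", "name": "Chad Wick"}')

def userinfo_url(discovery, expected_host):
    """Take userinfo_endpoint from discovery; refuse non-HTTPS or off-host URLs (assumed policy)."""
    url = discovery["userinfo_endpoint"]
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != expected_host:
        raise ValueError(f"refusing to send token to {url!r}")
    return url

def build_request(url, access_token):
    """Send the token in the Authorization header, not the query string (URLs get logged)."""
    return Request(url, headers={"Authorization": f"Bearer {access_token}",
                                 "Accept": "application/json"})

def check_userinfo(body, id_token_sub):
    """Parse the JSON response and reject it unless it is safe to use."""
    claims = json.loads(body)
    missing = [c for c in REQUIRED if c not in claims]
    if missing:
        raise ValueError(f"userinfo response lacks {missing}")
    # OpenID Connect Core 5.3.2: sub must exactly match the ID token's sub.
    if claims["sub"] != id_token_sub:
        raise ValueError("userinfo sub does not match ID token sub")
    return claims

def fetch_userinfo(host, access_token, id_token_sub):
    """Network path: discovery, then userinfo. Not exercised by the sample run below."""
    with urlopen(f"https://{host}/jans-auth/.well-known/openid-configuration", timeout=10) as r:
        discovery = json.load(r)
    req = build_request(userinfo_url(discovery, host), access_token)
    with urlopen(req, timeout=10) as r:
        return check_userinfo(r.read(), id_token_sub)

if __name__ == "__main__":
    print(userinfo_url(SAMPLE_DISCOVERY, "janssen.server.host"))
    print(check_userinfo(SAMPLE_BODY, "3482897610054")["name"])
```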
Disabling The Endpoint Using Feature Flag
The userinfo endpoint can be enabled or disabled using the USERINFO feature flag.
Use the Janssen Text-based UI (TUI) or the Janssen command-line interface to perform this task.
When using the TUI, navigate via Auth Server -> Properties -> enabledFeatureFlags. From this screen, enable or disable the USERINFO flag as required.
Configuration Properties
The userinfo endpoint can be further configured using the Janssen Server configuration properties listed below. When using the Janssen Text-based UI (TUI) to configure the properties, navigate via Auth Server -> Properties.
- mtlsUserInfoEndpoint
- userInfoEncryptionAlgValuesSupported
- userInfoEncryptionEncValuesSupported
- userInfoEndpoint
- userInfoSigningAlgValuesSupported
Using Scopes To Control Claim Release
Standard Scopes
In the context of the OpenID Connect specification, the claim information released by the userinfo endpoint can be controlled using scopes. Janssen Server supports all standard scopes and releases the corresponding claims as per the OpenID Connect specification. An administrator can customise the standard scopes and define the claims linked to each one.
When using the Janssen Text-based UI (TUI) to configure the scopes, navigate via Auth Server -> Scopes -> Add Scopes -> Scope Type as OpenID -> search for a standard scope like address.
Dynamic Scopes
In addition to standard scopes, Janssen Server allows defining custom scopes that can be associated with a user-defined list of claims. This allows administrators to create custom groupings of claims.
When using the Janssen Text-based UI (TUI), navigate via Auth Server -> Scopes -> Add Scopes -> Scope Type as Dynamic.
Interception Scripts
The response from the userinfo endpoint can be further customized using a dynamic scope interception script.
An administrator can attach a dynamic scope script to a dynamic scope using the Janssen Text-based UI (TUI).
Navigate to Auth Server -> Scopes -> Add Scopes -> Scope Type as Dynamic -> Dynamic Scope Script.
Created: 2022-07-21