
UserInfo Endpoint

The UserInfo Endpoint is the "profile fulfillment" engine of the OIDC protocol. While the ID Token provides the core proof of identity (the assertion), it is intentionally kept lightweight to avoid the performance problems and security risks that come with oversized tokens and cookies. The UserInfo endpoint is a secondary, protected API from which the application can "hydrate" the user's digital persona with detailed attributes, such as full name, profile picture, phone number, and custom department data. By presenting a valid Access Token obtained during login, the application retrieves exactly the level of detail it needs to personalize the user experience and drive internal business logic.

Profile Delivery

Core Mission: On-demand profile enrichment. Providing a secure, standardized API for retrieving deep user attributes without bloating the size of identity tokens or session cookies.

Like the Concierge Desk: When you check into a hotel, your room key (the ID Token) shows that you are a guest and gets you into the elevator. It doesn't list your food preferences, your home address, or your frequent sleeper number. If the hotel restaurant needs those details to personalize your dinner, they call the Concierge (the UserInfo Endpoint). The Concierge checks your room key (the Access Token) and then provides the specific, rich details required to fulfill your request.

Typical uses: Social Logins, Profile Synchronization, Personalized Dashboards

Architects must decide which identity attributes belong in the lightweight ID Token and which should be retrieved on-demand.

| Location | Ideal Data | Benefits | Trade-off |
|---|---|---|---|
| ID Token | `sub`, `iss`, `aud`, `auth_time` | Instant validation; no extra call | Token size bloat; no real-time updates |
| UserInfo | `picture`, `address`, `phone` | Rich, large data; real-time lookup | Requires an extra network request |
| Local Cache | App-specific preferences | High performance; private logic | Requires manual sync with the IdP |
| External API | HR data, org charts | "Truth" from the source | Complex multi-source integration |

UserInfo retrieval occurs immediately after the initial authentication flow to complete the creation of the local user profile.

```mermaid
sequenceDiagram
    participant App as Application
    participant IdP as Identity Provider

    Note over App: Authentication Flow Completes
    App->>App: Validate ID Token (sub=user_123)
    App->>IdP: GET /userinfo (Authorization: Bearer <Access_Token>)
    IdP->>IdP: Verify Scopes & Token Validity
    IdP-->>App: JSON Profile (email, name, picture, etc.)
    App->>App: Hydrate Local User Session
```

1. Establish Identity. The application completes the OIDC flow and receives an ID Token. It extracts the unique Subject identifier (`sub`) to know which user it is dealing with locally.

2. Request Enrichment. Using the Access Token (Bearer), the app makes a server-to-server call to the UserInfo endpoint discovered via metadata. It requests the specific claims it needs to personalize the UI.

3. Hydrate & Store. The IdP returns a standard JSON object containing the permitted user attributes. The application maps these to its local user database or session storage, "hydrating" the user's persona for the duration of their visit.

Programmatic retrieval requires a properly authenticated HTTP request to the protected profile endpoint.

```javascript
// Simplified UserInfo retrieval logic
async function hydrateUserProfile(accessToken) {
  // 1. Fetch from the standardized endpoint (discovered via OIDC metadata)
  const response = await fetch("https://auth.company.com/userinfo", {
    headers: {
      "Authorization": `Bearer ${accessToken}`,
      "Accept": "application/json"
    }
  });
  // A non-2xx status (e.g. 401 for an expired or revoked token) aborts hydration
  if (!response.ok) throw new Error("Profile hydration failed");
  // 2. Return the enriched profile object
  return await response.json();
}
```
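The snippet above trusts whatever JSON comes back. As an added example (not code from the original page), the same retrieval with the checks a relying party should perform before storing the profile: a non-2xx status surfaces the WWW-Authenticate challenge, only `application/json` is accepted, the `sub` in the response must equal the `sub` from the ID Token (OIDC Core 5.3.2), and only allow-listed claims reach the local session. The function names, the `ALLOWED_CLAIMS` list and the injectable `fetchFn` are assumptions made for this example; the network wrapper assumes the Node 18+ global `fetch`.

```javascript
// Claims the application has chosen to persist (allow-list; assumed for this example).
const ALLOWED_CLAIMS = ["sub", "name", "email", "email_verified", "picture", "phone_number"];

// Validate a UserInfo response and reduce it to the profile the app will store.
// Kept separate from the network call so the checks can run synchronously.
function hydrateFromUserInfo({ status, contentType, challenge, claims, expectedSub }) {
  // 401/403 carry a WWW-Authenticate challenge (invalid_token, insufficient_scope);
  // surface it instead of silently retrying with the same token.
  if (status < 200 || status >= 300) {
    throw new Error(`UserInfo request failed: ${status} ${challenge || ""}`.trim());
  }
  // A provider may answer with a signed/encrypted JWT (application/jwt) when the
  // client registered for that; this example only accepts plain JSON.
  const mediaType = (contentType || "").split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") {
    throw new Error(`Unexpected UserInfo content type: ${mediaType || "<none>"}`);
  }
  // OIDC Core 5.3.2: the sub in the UserInfo response MUST match the sub in the
  // ID Token, otherwise the response MUST NOT be used. This stops a profile for a
  // different account from being attached to the current session.
  if (!claims || typeof claims.sub !== "string" || claims.sub !== expectedSub) {
    throw new Error("UserInfo sub does not match ID Token sub; discarding profile");
  }
  // Allow-list the attributes copied into local storage; unexpected claims are dropped.
  const profile = {};
  for (const name of ALLOWED_CLAIMS) {
    if (Object.hasOwn(claims, name)) profile[name] = claims[name];
  }
  return profile;
}

// Network wrapper. Assumes the Node 18+ global fetch; `fetchFn` is injectable so
// the flow can be driven offline against a fake IdP.
async function fetchUserInfo({ userinfoEndpoint, accessToken, expectedSub, fetchFn = fetch }) {
  const response = await fetchFn(userinfoEndpoint, {
    method: "GET",
    headers: { Authorization: `Bearer ${accessToken}`, Accept: "application/json" },
  });
  return hydrateFromUserInfo({
    status: response.status,
    contentType: response.headers.get("content-type"),
    challenge: response.headers.get("www-authenticate"),
    claims: response.ok ? await response.json() : null,
    expectedSub,
  });
}
```

Pass `expectedSub` from the already-validated ID Token, never from the UserInfo response itself, or the cross-check becomes a tautology.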
