4. Userinfo Endpoint

The Userinfo Endpoint allows Relying Parties (RPs) to retrieve detailed information about the authenticated Entity and Acting User. These details are not included in the ID Token and must be fetched explicitly after authentication.

This is a Protected Resource, requiring a valid Access Token (obtained from the Token Endpoint) for access.

Currently, this endpoint primarily returns the user's Authorization Data (e.g., roles, authorized transactions), similar to the Legacy Authorization Info Endpoint.

Request

Supported Methods

Corppass supports both the GET and POST methods for the Userinfo Endpoint.

The OpenID Connect Core specification (Section 5.3.1, UserInfo Request) recommends using GET.

Request Headers

Content-Type (required for POST only)

Indicates the encoding format of the request body. Must be set to application/x-www-form-urlencoded; charset=utf-8.

Authorization (required)

Carries the Access Token issued by the Token Endpoint, using the DPoP authentication scheme rather than the usual Bearer scheme:

Authorization: DPoP <Access-Token>

DPoP (required)

A signed proof-of-possession JWT bound to the RP's key and to this Access Token.

The proof must carry the ath (Access Token Hash) claim, the base64url-encoded SHA-256 hash of the Access Token. This ties the proof cryptographically to the specific token presented in the request, so a proof captured alongside one token cannot be replayed with another.

Refer to the Demonstrating Proof of Possession section for more details.

Sample GET Request

GET /userinfo HTTP/1.1
Authorization: DPoP eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
DPoP: <signed-dpop-proof-jwt>

Sample POST Request

A request body is not required and is ignored for POST requests. Note that the DPoP proof is bound to the HTTP method used, so its htm claim must be POST rather than GET.

Success Response

The Userinfo Endpoint returns a Signed JWT (JWS: JSON Web Signature), not a plain JSON object.

Relying Parties must verify the signature against Corppass's published JWKS (selecting the key by the kid in the JWS header) and check the iss, aud and exp claims before consuming the payload. A payload whose signature has not been verified must be treated as untrusted input.

Response Structure (Decoded Payload)

The decoded JWS payload contains the following claims:

aud (String)

The client ID of the Relying Party (RP). Must match the RP's own client ID.

iss (String)

The issuer of the JWT (Corppass).

iat (Number)

The time the JWT was issued, as a UNIX timestamp.

exp (Number)

The expiration time of the JWT, as a UNIX timestamp. Defaults to 10 minutes after iat; reject the response once exp has passed.

sub (String)

The subject identifier of the authenticated user. It must exactly match the sub claim of the ID Token obtained in the same authentication; if it does not, the Userinfo response must not be used (OpenID Connect Core, Section 5.3.2).

auth_info (JSON)

Authorization information assigned to the user. Refer to the Auth Info section for more details.

Required scope: authinfo

tp_auth_info (JSON)

Third-party authorization information assigned to the user. Refer to the Third-party Auth Info section for more details.

Required scope: tpauthinfo

Sample Response (Decoded JWS Payload)

Error Response

If the Access Token is missing, invalid or expired, or the DPoP proof fails verification, Corppass returns a JSON response containing an error code and a description.

Response Header

When the Access Token is missing or invalid, the response always includes a WWW-Authenticate header. For DPoP-bound tokens the challenge uses the DPoP scheme and identifies whether the problem lies with the token itself or with the accompanying proof.

Response Body

error (String)

The error code identifying the type of error. See Error Codes below.

error_description (String)

A human-readable description of the error.

Error Codes

invalid_request (HTTP 400)

A required parameter is missing or malformed.

invalid_token (HTTP 401)

The Access Token is expired, invalid, or not bound to the key presented in the DPoP proof.

invalid_dpop_proof (HTTP 401)

The DPoP proof is invalid, expired, malformed, or failed verification (for example, a missing or mismatched ath claim).

Sample Response
