Userinfo Endpoint
The Userinfo Endpoint allows Relying Parties (RPs) to retrieve detailed information of the authenticated user or entity that the user is representing. These information are not included in the ID Token and must be fetched explicitly after authentication.
Currently, it only supports retrieval of the user's authorization data (akin to V1's Authorization Info Endpoint).
This is a protected resource endpoint, so an Access Token (obtained from the Token Endpoint) is required.
Supported Methods
Corppass supports both GET and POST methods for Userinfo Endpoint.
GET
/userinfo
POST
/userinfo
Request
GET
GET /userinfo Request Example
GET /userinfo Request ExampleGET /userinfo HTTP/1.1
Authorization: DPoP eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
DPoP: <signed-dpop-proof-jwt>Request Headers
Authorization
Yes
The Access Token issued by the Token endpoint, passed as a DPoP token in the header.
Example:
Authorization: DPoP <Access-Token>
DPoP
Yes
A signed proof-of-possession JWT that is binded to access token used for this request.
Refer to the Demonstrating Proof of Possession section for more details.
The DPoP proof sent to this endpoint must include the ath claim, which binds it to the DPoP-bound access token.
POST
An example of a POST /userinfo request
POST /userinfo requestRequest Headers
Content-Type
Yes
Must be set to application/x-www-form-urlencoded; charset=utf-8. Indicates the encoding format of the request body.
Authorization
Yes
The Access Token issued by the /token endpoint, passed as a DPoP token in the header.
Example:
Authorization: DPoP <Access-Token>
DPoP
Yes
A signed proof-of-possession JWT that is binded to access token used for this request.
Refer to the Demonstrating Proof of Possession section for more details.
Response
The Userinfo Endpoint returns a response in the form of a JWS (JSON Web Signature) — not plain JSON.
Successful Response Example
An example of how the payload looks for the returned JWS -
Response Structure
This is the structure of the payload in the returned JWS -
aud
String
The client ID of the Relying Party (RP).
iss
String
The issuer of the JWT.
iat
Number
The time the JWT was issued, expressed as a UNIX timestamp.
exp
Number
The expiration time of the JWT. Defaults to 10 minutes from iat.
sub
String
The unique user identifier (e.g. client ID) for the authenticated user.
auth_info
JSON
Authorization information assigned to the user.
Refer to the Auth Info section for more details.
Required scope: authinfo
tp_auth_info
JSON
Third-party authorization information assigned to the user.
Refer to the Third-party Auth Info section for more details.
Required scope: tpauthinfo
Error
An example of an error response
Response Header
The response will always include the WWW-Authenticate header when the access token is missing or invalid. For DPoP-bound tokens, this header specifically indicates issues with the token or its associated proof.
Response Body
invalid_request
400
Required parameter is missing or malformed.
invalid_token
401
Access token is expired, invalid, or not properly bound.
invalid_dpop_proof
401
The DPoP proof is invalid, expired, malformed, or failed verification.
If the request lacks authentication altogether (e.g., no Authorization header or unsupported scheme), Corppass will return HTTP 401 without including any error code, description, or body.
This prevents revealing information about authentication requirements to unauthenticated or potentially malicious clients, as recommended by RFC 6750 Section 3.1.
Last updated