OPUserInfo

Owned by Scott Cantor
Last updated: Sept 12, 2023 by Henri Mikkonen
2 min read

File(s): conf/relying-party.xml, conf/oidc.properties
Format: Native Spring, Spring Properties

Overview

The OIDC.UserInfo profile configuration bean enables support for the OIDC UserInfo endpoint, which relies on the access tokens issued by the Authorization endpoint to retrieve the subject's claims. It is analagous to the (very old) Shibboleth practice of relying on Attribute Queries to query for user attributes instead of passing them over the front channel, but with weaker security guarantees. It does not support a lot of options because it is required to rely on the bearer access token for security.

Configuration

The most typical options used are described in more detail below, but not every obscure option is discussed. See the javadoc for all of the possible configuration options for this profile (note that some of them are inherited from parent classes).

Virtually all the configuration options below can be set via two different properties: a static property that explicitly sets the value to use and a lookup strategy or predicate property that takes a Function or Predicate and returns the value to use. The dynamic property is generally named "propertyNamePredicate" or "propertyNameLookupStrategy" for Boolean- and non-Boolean-valued properties respectively.

Options specific to the OIDC UserInfo flow:

Name

Type

Description

Name

Type

Description

resolveAttributes 3.1

Boolean

Whether to run the attribute resolution/filtering step

deniedUserInfoAttributes

Set<String>

Specifies IdPAttributes to omit from UserInfo token

encryptionOptional 3.4

Boolean

Whether to automatically disable encryption if the relying party does not possess a suitable key (defaults to true)

unregisteredClientPolicy 4.0

Map<String, UnregisteredClientPolicy>

The policy used to verify unverified clients when this profile is enabled in the unverified RP config.

See wiki page for full description and defaults

The following property can be used to globally control the last setting above:

  • idp.oidc.deniedUserInfoAttributes

This option relates to "claims splitting" and override the typical processing rules for when to insert claims into particular tokens. Typically most "data" is omitted from the front-channel ID token unless no authorization code is being issued, with the claims only accessed via the UserInfo endpoint. This setting, together with the same option on the OIDC.SSO profile bean, prevent attributes from appearing in the UserInfo response.