Making a request to /userinfo as part of authentication
We can configure the relying party to make a request to /userinfo as part of the authentication request. This request is useful when the ID Token does not contain complete identity information. Identity mapping is also needed to produce a valid subject in cases where an ID Token is not issued, and only an access token is available.
The configured /userinfo URL is invoked with the access token in the Authorization: Bearer header, as defined in section 5.3.1 of the OpenID Connect Core specification: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest
If metadata is configured, and no /userinfo URL is present in the metadata, then the /userinfo request is not made.
The successful /userinfo response is added to the STSUU attribute list. The attributes have the type urn:ibm:SAM:oidc:rp:userinfo:rsp:param.
We can add request parameters to the /userinfo request using an advanced mapping rule.
Add context attributes with the type urn:ibm:SAM:oidc:rp:userinfo:req:param to include them in the query string of the request.
For example, this code adds a nonce value to the /userinfo request.
// Create a context attribute named "nonce" with the request-parameter type, so the relying party sends it in the /userinfo query string
var nonce = new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("nonce", "urn:ibm:SAM:oidc:rp:userinfo:req:param", "myNonce");
// Add it to the STSUU; every context attribute of this type is appended to the /userinfo request
stsuu.addContextAttribute(nonce);
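As an added example (not the product's own code), the following plain JavaScript models the two attribute types on this page with a constructed stand-in for the STSUU: req:param attributes are collected into the /userinfo query string, and rsp:param attributes are read back to produce the subject. It also carries the check from section 5.3.2 of the cited specification, which the page does not show: when an ID Token was issued, its sub must exactly match the /userinfo sub, otherwise the /userinfo values must not be used.

```javascript
// Constructed stand-in for the STSUU context-attribute list; the real mapping
// rule uses the Java Attribute class above. Only the attribute type URNs are
// taken from the page; the sub-matching rule is OpenID Connect Core 1.0, 5.3.2.
const REQ_PARAM = "urn:ibm:SAM:oidc:rp:userinfo:req:param";
const RSP_PARAM = "urn:ibm:SAM:oidc:rp:userinfo:rsp:param";

function makeStsuu() {
  const attrs = [];
  return {
    addContextAttribute(name, type, value) { attrs.push({ name, type, value }); },
    contextAttributes() { return attrs.slice(); },
  };
}

// Collect every req:param attribute into the /userinfo query string, URL-encoded.
function buildUserinfoUrl(baseUrl, stsuu) {
  const q = new URLSearchParams();
  for (const a of stsuu.contextAttributes()) {
    if (a.type === REQ_PARAM) q.append(a.name, a.value);
  }
  const qs = q.toString();
  return qs ? `${baseUrl}?${qs}` : baseUrl;
}

// Simulates the relying party storing a successful /userinfo JSON response
// as rsp:param attributes (values are flattened to strings here).
function storeUserinfoResponse(stsuu, json) {
  for (const [k, v] of Object.entries(json)) {
    stsuu.addContextAttribute(k, RSP_PARAM, String(v));
  }
}

// Derive the subject from the rsp:param attributes. With an ID Token present,
// its sub must equal the /userinfo sub; without one (access token only), the
// /userinfo sub is the only subject available and is used directly.
function resolveSubject(stsuu, idTokenSub) {
  const rsp = {};
  for (const a of stsuu.contextAttributes()) {
    if (a.type === RSP_PARAM) rsp[a.name] = a.value;
  }
  if (!rsp.sub) return { ok: false, reason: "userinfo response has no sub" };
  if (idTokenSub !== undefined && idTokenSub !== rsp.sub) {
    return { ok: false, reason: "userinfo sub does not match ID Token sub" };
  }
  return { ok: true, sub: rsp.sub, attributes: rsp };
}
```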
After the mapping rule is created, we can add it to a Relying Party configuration on the Advanced Configuration page of the UI wizard, when creating or editing a Relying Party federation or partner.