The UserInfo Endpoint is an OAuth 2.0 protected resource that returns claims about the authenticated end user. Note that the /{environmentId}/as/userinfo request takes an access token in the Authorization header to get the claims about the user.

You can use the POST /{environmentId}/as/userinfo operation to obtain a userinfo authorization grant.

Userinfo authorization requests

A userinfo authorization request is used with applications associated with the openid resource. This type of request takes an access token in the Authorization header to get the claims about the user.

The value for the Authorization header is the bearer token returned by the following authorization request:

https://auth.pingone.com/{environmentId}/as/authorize?client_id={applicationId}&redirect_uri=https://example.com&response_type=token&scope=openid%20profile%20email%20address&acr_values=Single_Factor

In the authorization request, the scope attribute must specify the openid value, which includes the sub claim (the user ID) in the response data. Additional OpenID Connect scopes such as profile, address, phone and email can also be included to add more user claims to the response.

Grants and scopes with userinfo

The access token used with the /{environmentId}/as/userinfo endpoint must be generated by an implicit or authorization_code grant type. In addition, the authorization request used to generate the access token must include the openid scope. The authorization request can also include any other OpenID Connect scopes (as shown in the sample above) to return additional user claims. PingOne user scopes such as p1:reset:userPassword are not applicable to userinfo authorization requests and applications associated with the openid resource.
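
The following is an added example, not code from the PingOne documentation. It builds the authorization request shown above with the scope rules enforced, extracts the bearer token from an implicit-grant redirect, and prepares (without sending) the userinfo request. The environment and application IDs, the sample redirect, and the use of the p1: prefix to recognize PingOne user scopes are assumptions made for illustration.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit
from urllib.request import Request

AUTH_BASE = "https://auth.pingone.com"
# Constructed sample of an implicit-grant redirect; the token value is not real.
SAMPLE_REDIRECT = ("https://example.com/#access_token=CONSTRUCTED-TOKEN"
                   "&token_type=Bearer&expires_in=3600")

def build_authorize_url(environment_id, application_id, redirect_uri, scopes):
    """Build the authorize URL, rejecting scope sets userinfo cannot serve."""
    scopes = list(scopes)
    if "openid" not in scopes:
        raise ValueError("scope must include 'openid' to use the token with userinfo")
    # Assumption: PingOne user scopes are recognized by their 'p1:' prefix.
    platform = [s for s in scopes if s.startswith("p1:")]
    if platform:
        raise ValueError(f"PingOne user scopes do not apply to userinfo: {platform}")
    query = urlencode({
        "client_id": application_id,
        "redirect_uri": redirect_uri,
        "response_type": "token",
        "scope": " ".join(scopes),        # space-delimited, encoded as %20
        "acr_values": "Single_Factor",
    }, quote_via=quote)
    return f"{AUTH_BASE}/{environment_id}/as/authorize?{query}"

def token_from_redirect(redirect_url):
    """Return the access token carried in the redirect's URL fragment."""
    params = parse_qs(urlsplit(redirect_url).fragment)
    token = params.get("access_token", [""])[0]
    if not token or params.get("token_type", [""])[0].lower() != "bearer":
        raise ValueError("redirect does not carry a bearer access token")
    return token

def build_userinfo_request(environment_id, access_token):
    """Prepare POST /{environmentId}/as/userinfo; the token goes only in the header."""
    return Request(f"{AUTH_BASE}/{environment_id}/as/userinfo", method="POST",
                   headers={"Authorization": f"Bearer {access_token}"})

if __name__ == "__main__":
    print(build_authorize_url("ENV_ID", "APP_ID", "https://example.com",
                              ["openid", "profile", "email", "address"]))
    req = build_userinfo_request("ENV_ID", token_from_redirect(SAMPLE_REDIRECT))
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
```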