Userinfo

The userinfo endpoint is an OIDC/OAuth protected resource where client applications can retrieve claims, or assertions, about the logged-in end user. Clients must present a valid access token to retrieve the userinfo claims.

The userinfo endpoint is:

Example of a userinfo request and response:

GET /openid/userinfo HTTP/1.1
Authorization: Bearer 0f0935c3-a997-40fb-89c2-f7da126ba5d9

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
    "sub": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
    "dataporten-userid_sec": [
        "feide:andreas@uninett.no"
    ],
    "https://n.feide.no/claims/userid_sec": [
        "feide:andreas@uninett.no"
    ],
    "https://n.feide.no/claims/eduPersonPrincipalName": "andreas@uninett.no",
    "name": "Andreas \u00c5kre Solberg",
    "email": "andreas.solberg@uninett.no",
    "email_verified": false,
    "picture": "https://api.dataporten.no/userinfo/v1/user/media/p:a3019954-902f-45a3-b4ee-bca7b48ab507"
}

The set of information that will be available from userinfo depends on which attribute groups the client has authorized and which scopes are requested in the authorization request.

connect-userid_sec

Warning

Deprecated and will be removed in the future. Included for backward compatibility. Same as https://n.feide.no/claims/userid_sec.

dataporten-userid_sec

Warning

Deprecated. Same as https://n.feide.no/claims/userid_sec. There’s no plan to remove this claim in the near future.

https://n.feide.no/claims/userid_sec

Secondary user IDs, e.g. Feide identifier.

The attribute groups userid-feide, userid-nin, userid-social and eidas determine what information is included here.

https://n.feide.no/claims/eduPersonPrincipalName

Contains eduPersonPrincipalName (Full Feide name) for valid Feide users. Requires the userid-feide attribute group.

https://n.feide.no/claims/nin

For users who logged in with ID-porten, this contains the national identification number. Requires the userid-nin attribute group.

To find the NIN for Feide users, see extended userinfo.

email

Email address of the authenticated user. Requires the email attribute group.

email_verified

This will always be false since Feide does not verify email addresses.

name

The name of the authenticated user. Requires the userinfo-name attribute group.

picture

A picture of the authenticated user, if available. Requires the userinfo-photo attribute group.

sub

The internal ID of the authenticated user. This ID is stable but opaque, not releasing any additional information about the user. Always included.
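The claim descriptions above have consequences for how a client should consume the response: key local accounts on sub, prefer the current userid_sec claim over its deprecated aliases, and never treat email as verified. The following is an added example, not code from Feide; the function names and the "prefix:value" split of secondary IDs (inferred from the sample response) are assumptions.

```python
import json

NS = "https://n.feide.no/claims/"
# Current claim first, then the deprecated aliases listed on this page.
USERID_SEC_CLAIMS = (NS + "userid_sec", "dataporten-userid_sec", "connect-userid_sec")


def secondary_ids(claims):
    """Group secondary user IDs by prefix, e.g. {"feide": ["user@realm"]}."""
    for name in USERID_SEC_CLAIMS:
        values = claims.get(name)
        if isinstance(values, list):
            break
    else:
        return {}
    ids = {}
    for entry in values:
        # Assumption: entries look like "<prefix>:<value>", as in the sample.
        if isinstance(entry, str) and ":" in entry:
            prefix, _, value = entry.partition(":")
            ids.setdefault(prefix, []).append(value)
    return ids


def normalize_userinfo(body):
    """Reduce a userinfo JSON body to the fields a client should act on."""
    claims = json.loads(body)
    sub = claims.get("sub") if isinstance(claims, dict) else None
    if not isinstance(sub, str) or not sub:
        raise ValueError("userinfo response has no usable 'sub'")
    return {
        "account_key": sub,  # stable and opaque: the key for local accounts
        "secondary_ids": secondary_ids(claims),
        "eppn": claims.get(NS + "eduPersonPrincipalName"),
        "display_name": claims.get("name"),
        "contact_email": claims.get("email"),  # contact data, not an identifier
        # Only a literal JSON true counts; Feide always sends false.
        "email_is_verified": claims.get("email_verified") is True,
    }

# Constructed sample: a subset of the example response shown on this page.
SAMPLE = r"""{
  "sub": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
  "dataporten-userid_sec": ["feide:andreas@uninett.no"],
  "https://n.feide.no/claims/userid_sec": ["feide:andreas@uninett.no"],
  "name": "Andreas \u00c5kre Solberg",
  "email": "andreas.solberg@uninett.no",
  "email_verified": false
}"""
```

Calling normalize_userinfo(SAMPLE) returns a dict whose account_key is the sub value and whose email_is_verified is False, so account linking or password-reset flows cannot rely on the email claim.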

Extended userinfo

Additional information from Feide directories is available at the extended userinfo endpoint. If the Feide directory includes the national identity number, this is where it can be found.