Userinfo#

The userinfo endpoint is an OIDC/OAuth protected resource where client applications can retrieve claims, or assertions, about the logged in end-user. Clients must present a valid access token to retrieve the userinfo claims.

The userinfo endpoint is:

Example of a userinfo response:

GET /openid/userinfo HTTP/1.1
Authorization: Bearer 0f0935c3-a997-40fb-89c2-f7da126ba5d9

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
    "sub": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
    "dataporten-userid_sec": [
        "feide:andreas@uninett.no"
    ],
    "https://n.feide.no/claims/userid_sec": [
        "feide:andreas@uninett.no"
    ],
    "https://n.feide.no/claims/eduPersonPrincipalName": "andreas@uninett.no",
    "name": "Andreas \u00c5kre Solberg",
    "email": "andreas.solberg@uninett.no",
    "email_verified": false,
    "picture": "https://api.dataporten.no/userinfo/v1/user/media/p:a3019954-902f-45a3-b4ee-bca7b48ab507"
}

The set of information that will be available from userinfo depends on which attribute groups the client has authorized and which scopes are requested in the authorization request.

connect-userid_sec

Warning

Deprecated and will be removed in the future. Included for backward compatibility. Same as https://n.feide.no/claims/userid_sec.

dataporten-userid_sec

Warning

Deprecated. Same as https://n.feide.no/claims/userid_sec. There’s no plan to remove this claim in the near future.

https://n.feide.no/claims/userid_sec

Secondary user IDs, e.g. Feide identifier.

The attribute groups userid-feide, userid-nin, userid-social and eidas determine what information is included here.

https://n.feide.no/claims/eduPersonPrincipalName

Contains eduPersonPrincipalName (Full Feide name) for valid Feide users. Requires the userid-feide attribute group.

https://n.feide.no/claims/nin

For users who logged in with ID-porten, this contains the national identification number. Requires the userid-nin attribute group.

To find the NIN for Feide users, see extended userinfo.

email

Email address of the authenticated user. Requires the email attribute group.

email_verified

This will always be false since Feide does not verify email addresses.

name

The name of the authenticated user. Requires the userinfo-name attribute group.

picture

A picture of the authenticated user, if available. Requires the userinfo-photo attribute group.

sub

The internal ID of the authenticated user. This ID is stable but opaque, not releasing any additional information about the user. Always included.

Extended userinfo#

Additional information from Feide directories is available at the extended userinfo endpoint. If the Feide directory includes the national identity number, this is where it can be found.