Get user info
GET /users-srv/userinfo
This endpoint is the cidaas OpenID Connect UserInfo endpoint. Call it with a user access token issued by the OAuth 2.0 / OpenID Connect token endpoint. For how clients obtain access tokens (grants, token endpoint, and flows), see OAuth2 basics and the authorization code flow.
Use this endpoint to retrieve claims for the authenticated end user represented by the access token. Do not use it for token validation, admin user lookup, or user search. Pass the access token in the Authorization: Bearer header; there is no request body.
Claim behavior
The response can contain:
- Standard OIDC claims such as sub, name, given_name, family_name, email, email_verified, preferred_username, locale, and updated_at
- cidaas-specific claims such as createdTime, lastLoggedInTime, last_accessed_at, userStatus, user_status, and last_used_identity_id
- Tenant-specific custom claims such as customFields
Claims are optional unless otherwise stated. Missing claims should be treated as not available, not as an API error.
Scopes and field settings
Returned claims depend on granted scopes, Field Settings, and claim visibility rules. Standard OIDC scopes commonly map to claims as follows:
| Scope | Commonly returned claims |
|---|---|
| openid | sub and basic identity context |
| profile | claims such as name, given_name, family_name, picture, birthdate, locale, preferred_username |
| email | email, email_verified |
| phone | mobile_number, mobile_number_verified |
| address | address |
| identities | linked identities |
| groups | user groups |
| roles | user roles |
| consents | accepted consents |
Actual claims can differ by tenant; use the table as a guide, not a guarantee.
A field is included in UserInfo only if it is Enabled, mapped in Field Settings to a scope that was granted on the access token, and not Internal. Internal fields are never returned here (even when the scope was granted); use admin APIs for those. ReadOnly controls self-service profile updates, not UserInfo—ReadOnly fields still appear when the conditions above are met.
Example: enabled=true, internal=true, mapped to profile → the field is not returned in UserInfo, even if profile was granted.
A valid user access token returns 200. If claims are unavailable because scopes were not granted or tenant configuration suppresses them, the endpoint typically returns a reduced claim set rather than an error.
See also Scope Management.
Request
No request body; the user access token goes in the Authorization: Bearer header.
Responses
- 200: Successful userinfo response for a valid user bearer token. Returned claims depend on granted scopes and tenant field settings.
- 401 Unauthorized: Missing, invalid, or expired access token (bearer token absent or not accepted).
- 404 Not Found: User info could not be resolved for the supplied token; the token does not represent an end user subject.
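As an added example (not cidaas's own SDK or code), the Python helpers below build the GET request with the bearer header and interpret the 200, 401 and 404 outcomes described above, reporting claims that are absent from a 200 response as unavailable rather than as an error. The tenant base URL, the sample response body, and the optional expected_sub check (an OIDC Core requirement, not something this page states) are assumptions not taken from the page.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://TENANT.example.com"  # placeholder tenant base URL (assumption)

# Scope -> claims from the table above; used only to report which claims are absent.
SCOPE_CLAIMS = {
    "openid": ["sub"],
    "profile": ["name", "given_name", "family_name", "picture", "birthdate", "locale", "preferred_username"],
    "email": ["email", "email_verified"],
    "phone": ["mobile_number", "mobile_number_verified"],
    "address": ["address"],
}

# Constructed sample 200 body for offline use (all values are made up).
SAMPLE_BODY = json.dumps({"sub": "constructed-user-id-1", "name": "Ada Example",
                          "email": "ada@example.com", "email_verified": True,
                          "userStatus": "VERIFIED"})

def build_userinfo_request(access_token, base_url=BASE_URL):
    """GET /users-srv/userinfo with the token in the Authorization header; no body."""
    req = urllib.request.Request(base_url + "/users-srv/userinfo", method="GET")
    req.add_header("Authorization", "Bearer " + access_token)
    return req

def interpret_userinfo(status, body, granted_scopes, expected_sub=None):
    """Map status + body to an outcome; a missing claim is absent (None), not an error."""
    if status == 401:
        return {"ok": False, "reason": "unauthorized"}  # token missing, invalid or expired
    if status == 404:
        return {"ok": False, "reason": "not_a_user_subject"}  # token is not an end-user token
    if status != 200:
        return {"ok": False, "reason": "unexpected_status_%d" % status}
    claims = json.loads(body)
    # OIDC Core requirement (not stated on this page): sub must match the ID token's sub.
    if expected_sub is not None and claims.get("sub") != expected_sub:
        return {"ok": False, "reason": "sub_mismatch"}
    expected = [c for s in granted_scopes for c in SCOPE_CLAIMS.get(s, [])]
    absent = [c for c in expected if c not in claims]  # suppressed by scope/field settings
    return {"ok": True, "sub": claims.get("sub"), "email": claims.get("email"),
            "absent": absent, "claims": claims}

def fetch_userinfo(access_token, granted_scopes, base_url=BASE_URL, expected_sub=None):
    """Live call; urllib raises HTTPError for 401/404, so both paths reach interpret_userinfo."""
    req = build_userinfo_request(access_token, base_url)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_userinfo(resp.status, resp.read().decode(), granted_scopes, expected_sub)
    except urllib.error.HTTPError as err:
        return interpret_userinfo(err.code, err.read().decode(), granted_scopes, expected_sub)
```

Pass the scopes actually granted on the access token so that the absent list reflects tenant suppression rather than scopes the client never requested.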