UserInfo

Returns identity information about a Warhorn user who has authorized your application to access Warhorn on their behalf.

In order to get identity information about a user, your app:

  1. Makes a request to the Warhorn userinfo endpoint, and
  2. Receives a set of claims about the user.

Using this mechanism means that your app does not need to store any identity information about the user, improving your app’s security and protecting the user’s privacy.

Authentication

Your app must authenticate the userinfo request by providing a user access token. The Authorization request header is used for this purpose, as defined by the OAuth 2.0 Bearer Token Usage specification (RFC6750).

Request parameters

None

Response entity

email
    The user’s email address. Returned if the email scope was granted during authorization.
email_verified
    Whether or not Warhorn has verified the user’s email address. Returned if the email scope was granted during authorization.
name
    The user’s full name (given plus surname). Returned if the profile scope was granted during authorization.
picture
    The URL of the user’s profile picture, if known. Returned if the profile scope was granted during authorization.
sub
    Can be used by the app as a unique identifier for the user. Always returned.
zoneinfo
    An identifier from the zoneinfo database representing the user’s time zone, if known. Returned if the profile scope was granted during authorization.
updated_at
    The time at which the user’s information was last updated, as the number of seconds since the epoch. Always returned.

Example

GET /openid/userinfo HTTP/1.1
Host: warhorn.net
Authorization: Bearer y1XX8rsAPrEfdk4GBAXZH2TL


200 OK
Content-Type: application/json; charset=utf-8

{
  "sub":"0000000001",
  "name":"Brian Moseley",
  "picture":"https://www.gravatar.com/avatar/fd792aa44116bbe2917ab5d533088c49",
  "email":"bcm@warhorn.net",
  "email_verified":true,
  "zoneinfo":"America/New_York",
  "updated_at":1560507693
}

The sub and updated_at claims are always returned. Other claims are included only when the access token carries the corresponding scope, as described under Authorization scope below.

Authorization scope

Warhorn Login supports the following scopes, each granting a distinct set of permissions:

Scope     Permissions
openid    Issuance of ID token, access to userinfo endpoint, uid userinfo claim
email     email and email_verified userinfo claims
profile   name, picture and zoneinfo userinfo claims

Warhorn Login does not assume any default scopes. Your app must explicitly ask for the scopes it wants.

In addition to any requested scopes, Warhorn Login may add other scopes and/or allow the user to deny individually requested scopes. Your app should consult the token response to identify the exact set of scopes granted for the access token.
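The following client code is an added example and not part of Warhorn’s documentation or SDK. It builds the userinfo request with the bearer token in the Authorization header (RFC 6750), then validates the JSON response: it requires the always-returned sub and updated_at claims, keeps only the optional claims whose scope was actually granted (taken from the token response, not from what the app requested), and treats the email address as verified only when email_verified is exactly true. The optional expected_sub check follows the OpenID Connect Core rule that the userinfo sub must match the ID token’s sub; it is not described on this page. The sample response is the page’s own example, embedded as bytes so the code runs offline, and the OfflineResponse class is a constructed stand-in for a real HTTP response.

```python
import json
import urllib.request

# Endpoint from the page's Configuration section.
USERINFO_ENDPOINT = "https://warhorn.net/openid/userinfo"

# Claims the page says are always returned, with the Python type each should have.
REQUIRED_CLAIMS = {"sub": str, "updated_at": int}

# Optional claims, keyed by the scope that must be granted for them to be returned.
SCOPE_CLAIMS = {
    "email": ("email", "email_verified"),
    "profile": ("name", "picture", "zoneinfo"),
}


def build_userinfo_request(access_token):
    """Build the GET request with the bearer token in the Authorization header (RFC 6750)."""
    if not access_token or any(ch.isspace() for ch in access_token):
        raise ValueError("access token must be a non-empty string without whitespace")
    req = urllib.request.Request(USERINFO_ENDPOINT, method="GET")
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("Accept", "application/json")
    return req


def parse_userinfo(body, granted_scopes, expected_sub=None):
    """Validate a userinfo response body and keep only claims covered by granted scopes.

    granted_scopes: the scope list from the token response (Warhorn may add scopes
                    or let the user deny some, so the requested list is not enough).
    expected_sub:   the sub from the ID token, if the app has one; OpenID Connect
                    Core requires the userinfo sub to match it exactly (assumption:
                    the app keeps the ID token's sub around for this check).
    """
    claims = json.loads(body)
    if not isinstance(claims, dict):
        raise ValueError("userinfo response is not a JSON object")

    for name, typ in REQUIRED_CLAIMS.items():
        if name not in claims:
            raise ValueError("required claim missing: " + name)
        # bool is a subclass of int, so reject it explicitly for updated_at.
        if not isinstance(claims[name], typ) or isinstance(claims[name], bool):
            raise ValueError("claim has unexpected type: " + name)

    if expected_sub is not None and claims["sub"] != expected_sub:
        raise ValueError("userinfo sub does not match ID token sub")

    info = {"sub": claims["sub"], "updated_at": claims["updated_at"]}
    for scope, names in SCOPE_CLAIMS.items():
        if scope not in granted_scopes:
            continue  # claims outside the granted scopes are not consumed
        for name in names:
            if name in claims:  # picture and zoneinfo are only returned "if known"
                info[name] = claims[name]

    # Treat the address as verified only when Warhorn explicitly says so.
    if "email" in info and info.get("email_verified") is not True:
        info["email_verified"] = False
    return info


def fetch_userinfo(access_token, granted_scopes, expected_sub=None,
                   opener=urllib.request.urlopen):
    """Send the request and parse the reply; opener is injectable for offline use."""
    with opener(build_userinfo_request(access_token), timeout=10) as resp:
        if resp.status != 200:
            raise RuntimeError("userinfo request failed with HTTP %d" % resp.status)
        body = resp.read()
    return parse_userinfo(body, granted_scopes, expected_sub)


# Constructed sample: the response body from the page's example, as bytes.
SAMPLE_RESPONSE = b"""{
  "sub":"0000000001",
  "name":"Brian Moseley",
  "picture":"https://www.gravatar.com/avatar/fd792aa44116bbe2917ab5d533088c49",
  "email":"bcm@warhorn.net",
  "email_verified":true,
  "zoneinfo":"America/New_York",
  "updated_at":1560507693
}"""


class OfflineResponse:
    """Constructed stand-in for urllib's HTTP response so the demo runs without network."""
    status = 200

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return SAMPLE_RESPONSE


def offline_opener(req, timeout=None):
    """Constructed opener: checks the header was set and returns the sample body."""
    if req.get_header("Authorization", "").split(" ")[0] != "Bearer":
        raise RuntimeError("missing bearer token")
    return OfflineResponse()


if __name__ == "__main__":
    # Token value is the placeholder from the page's example, not a real credential.
    print(fetch_userinfo("y1XX8rsAPrEfdk4GBAXZH2TL", ["openid", "email", "profile"],
                         expected_sub="0000000001", opener=offline_opener))
```

In production, pass the real urllib opener (the default) and the scope list parsed from the token response; the parse step is the same. Claims for a scope the token does not carry are dropped rather than trusted, so the app never acts on an email or profile it was not authorized to read.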

Configuration

ID token issuer
    https://warhorn.net
Userinfo endpoint
    https://warhorn.net/openid/userinfo

Reference

OpenID Connect UserInfo Endpoint specification