description |
---|
This page provides the technical details of the OpenID Connect UserInfo policy |
Use the `openid-userinfo` policy to get the OpenID Connect user info from an OAuth2 resource through its UserInfo endpoint.
{% hint style="info" %}
The request will fail with a 401 status if the policy’s OAuth2 resource is misconfigured or not defined at all. To troubleshoot this, check the `WWW-Authenticate` header for more information.
{% endhint %}
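A troubleshooting helper for the 401 case described in the hint above, as an added example that is not part of the Gravitee documentation or the policy's code. The page does not show the exact text the gateway returns, so the header values below are constructed samples, and `parse_challenge` and `diagnose` are hypothetical names:

```python
import re

# One auth-param: name "=" (quoted-string | bare token), optionally followed by a comma.
# The name class is a practical subset of the RFC 9110 token characters.
_PARAM = re.compile(r'''\s*([\w.-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]+)\s*,?''')


def parse_challenge(value):
    """Parse a single WWW-Authenticate challenge into scheme, params and leftover text."""
    scheme, _, rest = value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            break  # not a name=value pair: keep the remainder as free text
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # strip quotes, undo \" escapes
        params[name] = raw
        pos = m.end()
    return {"scheme": scheme, "params": params, "detail": rest[pos:].strip(" ,-")}


def diagnose(status, headers):
    """Return the parsed challenge for a 401 response, or None for any other status."""
    if status != 401:
        return None
    # Header names are case-insensitive, so do not rely on exact casing.
    value = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), None)
    if value is None:
        return {"scheme": None, "params": {}, "detail": "401 without a WWW-Authenticate header"}
    return parse_challenge(value)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real gateway.
    samples = [
        (401, {"WWW-Authenticate": 'Bearer realm="gateway", error="invalid_token", '
                                   'error_description="The access token expired"'}),
        (401, {"www-authenticate": "Bearer realm=gateway - no OAuth2 resource configured"}),
        (401, {}),
        (200, {}),
    ]
    for status, headers in samples:
        print(status, diagnose(status, headers))
```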
Functional and implementation information for the `openid-userinfo` policy is organized into the following sections:
{% hint style="warning" %} This policy can be applied to v2 APIs and v4 HTTP proxy APIs. It cannot be applied to v4 message APIs or v4 TCP proxy APIs. {% endhint %}
{% tabs %}
{% tab title="HTTP proxy API example" %}
Sample policy configuration for a payload extraction flow:

```json
{
  "name": "OpenId Connect - UserInfo",
  "description": "",
  "enabled": true,
  "policy": "policy-openid-userinfo",
  "configuration": {
    "oauthResource": "dummy-oauth-resource",
    "extractPayload": true
  }
}
```
{% endtab %}
{% endtabs %}
The phases checked below are supported by the `openid-userinfo` policy:
v2 Phases | Compatible? | v4 Phases | Compatible? |
---|---|---|---|
onRequest | true | onRequest | true |
onResponse | false | onResponse | false |
onRequestContent | false | onMessageRequest | false |
onResponseContent | false | onMessageResponse | false |
The `openid-userinfo` policy can be configured with the following options:
Property | Required | Description | Type | Default |
---|---|---|---|---|
oauthResource | true | The OAuth2 resource used to get UserInfo | string | |
extractPayload | false | When set to `true`, the payload of the response from the UserInfo endpoint is set in the `openid.userinfo.payload` gateway attribute | boolean | |
{% @github-files/github-code-block url="https://github.com/gravitee-io/gravitee-policy-OpenID-Connect-UserInfo/blob/master/CHANGELOG.md" %}