Identity Provision with OpenID Connect


Besides asserting the user’s identity with an ID token, the Connect2id server can also release consented user details (claims) to client apps. They may be included in the ID token itself, or made available for collection at a UserInfo endpoint, in exchange for an OAuth 2.0 access token.

OpenID Connect defines a standard UserInfo schema which supports a number of common attributes:

  • The person’s name, in various forms, with optional localisation.

  • Contact details, such as email, phone number and postal address.

  • Profile information, such as home page, picture, birth date and timezone.

The UserInfo schema can be easily extended to supply additional (custom) attributes to client apps, such as:

  • User permissions, derived from LDAP group membership or some other data source.

  • Location-based information.

JSON is the standard format for UserInfo:

   {
     "sub"                     : "alice",
     "email"                   : "[email protected]",
     "email_verified"          : true,
     "name"                    : "Alice Adams",
     "phone_number"            : "+359 (99) 100200305",
     "profile"                 : "",
     "" : [ "audit", "admin" ]
   }
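The following is an added example, not code from the Connect2id server or this page, showing how a client app should handle a UserInfo response of the shape above before trusting it: the response must be a JSON object carrying a "sub" claim, that "sub" must equal the one in the ID token the client already holds (OpenID Connect Core 5.3.2), and a non-boolean "email_verified" is treated as unverified. Standard claims are separated from custom ones so that extensions can be handled explicitly. The sample responses, the e-mail address and the namespaced permissions claim name "https://example.com/permissions" are constructed for illustration; the real custom claim name is elided on the page.

```python
import json

# Claim names from the standard OpenID Connect Core UserInfo schema (section 5.1).
STANDARD_CLAIMS = {
    "sub", "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "email",
    "email_verified", "gender", "birthdate", "zoneinfo", "locale",
    "phone_number", "phone_number_verified", "address", "updated_at",
}


class UserInfoError(ValueError):
    """Raised when a UserInfo response must not be used."""


def parse_userinfo(raw, expected_sub):
    """Parse a UserInfo JSON response and apply the relying-party checks.

    Returns a (standard_claims, custom_claims) pair of dicts.
    """
    claims = json.loads(raw)
    if not isinstance(claims, dict):
        raise UserInfoError("UserInfo response must be a JSON object")

    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise UserInfoError("UserInfo response lacks a 'sub' claim")

    # The subject must match the ID token's subject; a mismatch means the
    # claims belong to someone else and the response must be discarded.
    if sub != expected_sub:
        raise UserInfoError(
            f"sub mismatch: ID token {expected_sub!r} vs UserInfo {sub!r}")

    # Only a JSON boolean true counts as verified; strings like "true" do not.
    if "email_verified" in claims and claims["email_verified"] is not True:
        claims["email_verified"] = False

    standard = {k: v for k, v in claims.items() if k in STANDARD_CLAIMS}
    custom = {k: v for k, v in claims.items() if k not in STANDARD_CLAIMS}
    return standard, custom


def email_is_verified(standard):
    """True only when an e-mail is present and explicitly verified by the IdP."""
    return standard.get("email_verified") is True and bool(standard.get("email"))


# Constructed sample: a well-formed response with one custom, URI-namespaced claim.
SAMPLE_USERINFO = json.dumps({
    "sub": "alice",
    "email": "alice@example.com",
    "email_verified": True,
    "name": "Alice Adams",
    "phone_number": "+359 (99) 100200305",
    "https://example.com/permissions": ["audit", "admin"],  # hypothetical custom claim
})

# Constructed sample: email_verified delivered as a string instead of a boolean.
SAMPLE_UNVERIFIED = json.dumps({
    "sub": "alice",
    "email": "alice@example.com",
    "email_verified": "true",
})


if __name__ == "__main__":
    std, cust = parse_userinfo(SAMPLE_USERINFO, expected_sub="alice")
    print("standard:", std)
    print("custom:  ", cust)
    print("verified:", email_is_verified(std))
```

Checking "sub" against the ID token is the step most often skipped; without it an access token obtained for one subject could be paired with claims for another. Keeping custom claims in a separate dict also makes it obvious where a client depends on server-specific extensions.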

Data sources

The Connect2id server provides a powerful API for sourcing user attributes from one or several locations at a time:

  • Your enterprise MS-AD / LDAP directory

  • SQL databases

  • Third-party identity providers

  • Web services

  • On demand attribute provisioning