| Internet-Draft | Simplified Userinfo Response | October 2025 |
| Parecki | Expires 16 April 2026 | [Page] |
This specification defines an extension to the OpenID Connect OAuth Token Endpoint Response to allow a Relying Party (RP) to retrieve the user's info (e.g. subject identifier or profile info) directly in the token response, rather than being encapsulated within a full ID Token.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://aaronpk.github.io/openid-simplified-userinfo-response/draft-openid-simplified-userinfo-response.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-openid-simplified-userinfo-response/.¶
Discussion of this document takes place on the OpenID Connect Working Group mailing list (mailto:openid-specs-ab@lists.openid.net).¶
Source for this draft and an issue tracker can be found at https://github.com/aaronpk/openid-simplified-subject-response.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 16 April 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
This specification defines an extension to the OpenID Connect [OpenID] OAuth Token Endpoint Response to allow a Relying Party (RP) to retrieve the user's info directly in the token response, rather than being encapsulated within a full ID Token.¶
This simplifies client implementations that do not require signed statements about the user's authentication from the OpenID Provider, and wish to avoid the overhead, complexity, and dependency management associated with parsing and validating a JSON Web Token (JWT).¶
This specification provides two different ways the OpenID Provider can return info in the Token Response:¶
The "Simplified Subject Response", returning only the sub claim in the token response¶
The "Simplified Userinfo Response", returning a new top-level property id_info as a JSON object containing the same claims that would have been in the ID token.¶
This mechanism MUST NOT be used as a replacement for a full OIDC flow when the RP requires a signed response, such as when the RP needs non-repudiation of the claims in the ID token.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
To signal its intent to receive only the Subject Identifier in the Token Response, the Relying Party (OAuth Client) uses a new scope value in the Authorization Request.¶
This specification defines a new scope value: subject¶
subjectRequests that the Authorization Server (AS) return the Subject Identifier (sub) directly in the Token Response, and omit the id_token.¶
This specification defines a new field to be returned in the Token Endpoint response: sub.¶
In the Authorization Code flow, upon successful validation of the Authorization Code, the PKCE Code Verifier, and optional client authentication, the Authorization Server constructs a Token Response including the new field sub.¶
The value of the sub MUST be identical to the value of the sub that would have otherwise been returned in the ID token.¶
If the Client included the subject scope in the initial Authorization Request, the OpenID Provider MUST include the sub parameter in the Token Response. The OpenID Provider MAY also return the sub parameter if the Client did not include the subject scope in the initial Authorization Request.¶
If the sub parameter is included in the Token Response, the Authorization Server MUST NOT include the id_token parameter.¶
No change is made to the requirements of the standard OAuth 2.0 [RFC6749] parameters in the response or any additional parameters defined by extensions.¶
Example successful token response¶
{
"access_token": "a5c64fbb3e03d973d3c7ef",
"token_type": "Bearer",
"expires_in": 3600,
"sub": "b46b2f1f2b7686d"
}
¶
To signal its intent to receive the user info in the Token Response instead of in an ID token, the Relying Party (OAuth Client) uses a new scope value in the Authorization Request.¶
This specification defines a new scope value: id_info¶
id_infoRequests that the Authorization Server (AS) return the user info directly in the Token Response, and omit the id_token.¶
This specification defines a new field to be returned in the Token Endpoint response: id_info.¶
In the Authorization Code flow, upon successful validation of the Authorization Code, the PKCE Code Verifier, and optional client authentication, the Authorization Server constructs a Token Response including the new field id_info.¶
The value of the id_info is a JSON object, and the claims MUST be identical to the claims about the user and their authentication that would have otherwise been returned in the ID token. The following claims about the OpenID Provider and ID token itself SHOULD NOT be returned: iss, aud, nonce.¶
If the Client included the id_info scope in the initial Authorization Request, the OpenID Provider MUST include the id_info parameter in the Token Response. The OpenID Provider MAY also return the id_info parameter if the Client did not include the id_info scope in the initial Authorization Request.¶
If the id_info parameter is included in the Token Response, the Authorization Server MUST NOT include the id_token parameter.¶
No change is made to the requirements of the standard OAuth 2.0 [RFC6749] parameters in the response or any additional parameters defined by extensions.¶
Example successful token response¶
{
"access_token": "a5c64fbb3e03d973d3c7ef",
"token_type": "Bearer",
"expires_in": 3600,
"id_info": {
"sub": "b46b2f1f2b7686d",
"exp": 1311281970,
"auth_time": 1311280969,
"acr": "phr"
}
}
¶
The Subject Identifier and Userinfo response fields MUST only be returned from the token endpoint.¶
The Subject Identifier and Userinfo MUST NOT be returned in the Authorization Response (the URL redirect back to the client), as this passes through the front channel and this shortcut provides no mechanism to for the RP to validate the legitimacy of the value in the response.¶
The simplified response defined here provides no cryptographic signature over the sub or id_info values. Their integrity and authenticity are solely reliant on the security of the transport layer of the Token Endpoint and the preceding Authorization Code + PKCE exchange.¶
This document has no IANA actions.¶
The authors would like to thank the following people for their review and contributions to this draft: Brian Campbell.¶