
I have an angular app using oidc-client to access an API that uses IdentityServer3 to provide OpenID Connect authentication.

During authentication the oidc-client throws an error:

sub from user info endpoint does not match sub in access_token

FYI the following steps were successful:

  • POST to the API's /openid/login?signin=xxx
  • redirect to the API's /openid/connect/authorize
  • redirect back to the angular app

But then oidc-client made a call to the API's /openid/connect/userinfo.

The API does not implement the userinfo endpoint; /openid/connect/userinfo returns an empty object: {}.

And then oidc-client stopped the whole thing with the above error message.

Is there an option in oidc-client to skip that call to the userinfo endpoint? Or is it mandatory for the API to implement that endpoint?

Endy Tjahjono

1 Answer


oidc will always call the userinfo internally to verify the user, as by default it is set to true, and its incoming access_token by querying the .well-known/openid-configuration. It is also not a good idea to skip this. Is your client application registered properly on the IDP?

Look at the oidc-client option below, which controls the userinfo endpoint:

oidc-client-js

  • loadUserInfo (boolean, default: true): Flag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile.
Sohan
  • Thanks! With `loadUserInfo` set to false oidc-client didn't send the userinfo request. It skipped to the next step, sending `/openid/connect/checksession` request. – Endy Tjahjono Jun 21 '18 at 11:36
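As an added illustration (not oidc-client's own source), the following models the check behind the error quoted in the question and what `loadUserInfo` changes; the claim values and the two userinfo callbacks are constructed.

```javascript
// Simplified model of oidc-client's post-login claim processing (added example,
// not the library's code): after the redirect, the client has the id_token
// claims and, by default, also fetches the userinfo endpoint and requires the
// "sub" there to match the subject the tokens were issued for.

// Constructed sample claims as decoded from an id_token (values are made up).
const SAMPLE_ID_TOKEN_CLAIMS = {
  sub: "user-123",
  name: "Endy",
  iss: "https://idp.example/openid",
};

// Mirrors the documented default: userinfo is loaded unless the app opts out.
function defaultSettings(overrides) {
  return Object.assign({ loadUserInfo: true }, overrides);
}

// Merge userinfo claims into the profile, refusing when the userinfo response
// describes a different subject. An empty response ({}) has no "sub" at all,
// so it fails this check too, which is exactly the question's situation.
function mergeUserInfo(idTokenClaims, userInfoClaims) {
  if (userInfoClaims.sub !== idTokenClaims.sub) {
    throw new Error("sub from user info endpoint does not match sub in access_token");
  }
  return Object.assign({}, idTokenClaims, userInfoClaims);
}

// Build the user's profile. fetchUserInfo stands in for the HTTP GET a real
// client makes to the userinfo endpoint with the access_token as Bearer.
function buildProfile(settings, idTokenClaims, fetchUserInfo) {
  if (!settings.loadUserInfo) {
    return idTokenClaims; // no userinfo round-trip, profile = id_token claims only
  }
  return mergeUserInfo(idTokenClaims, fetchUserInfo());
}

// Constructed userinfo responses: the API in the question answers with {},
// a compliant endpoint echoes the same sub plus extra claims.
const emptyUserInfo = () => ({});
const goodUserInfo = () => ({ sub: "user-123", email: "endy@example.test" });

// Report the outcome instead of throwing, so each scenario is easy to compare.
function describeOutcome(settings, fetchUserInfo) {
  try {
    return { ok: true, profile: buildProfile(settings, SAMPLE_ID_TOKEN_CLAIMS, fetchUserInfo) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

With `loadUserInfo: false` the profile is built from the id_token claims alone, so the mismatch check never runs and any extra claims the userinfo endpoint would have supplied are simply absent.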