pub.security:userInfoSpec
WmPublic. Specification for the signature of a UserInfo service that performs custom processing based on the personally identifiable information in the OpenID Connect UserInfo token returned from the OpenID Provider.
Input Parameters
userInfoClaims
Document Optional. A document (IData) containing the claims from the UserInfo token returned by the OpenID Provider’s UserInfo Endpoint.
userInfoError
Document Optional. A document (IData) containing the error when the OpenID Provider returns an unsuccessful response.
Integration Server redirects the User Agent to the OpenID Provider’s Authorization Endpoint to authenticate the End User. If the OpenID Provider responds to that redirection with an error, Integration Server populates userInfoError with the error information.
Key
Description
statusCode
String Optional. The HTTP status code returned by the OpenID Provider’s UserInfo Endpoint.
errorType
String The type of error returned by the OpenID Provider’s UserInfo Endpoint. The possible values are defined in section 4.1.2.1 of the OAuth 2.0 specification.
errorDescription
String Optional. A description of the error returned by the OpenID Provider’s UserInfo Endpoint.
Output Parameters
userInfoResponse
Document A document (IData) for the result of the UserInfo service.
Key
Description
rejectRequest
java.lang.Boolean Whether or not to reject the request.
* If Integration Server runs in FIPS mode, ensure that you use FIPS-compliant keys.
* True instructs Integration Server to reject the request.
Integration Server does not access the requested resource in the original request from the User Agent. Processing of the request stops and a response is sent to the User Agent. Integration Server uses the contents of rejectRequest, statusCode and responseEntity in the response.
* False instructs Integration Server to accept the request.
Integration Server continues processing of the request by selecting an OpenID Provider User and setting the user for the current session. Integration Server sends the User Agent an HTTP 302 response with a session cookie, redirecting the User Agent back to the originally requested resource.
statusCode
java.lang.Integer Conditional. HTTP status code to be returned in the response sent to the User Agent.
statusCode is required when rejectRequest is set to false.
If rejectRequest is true, statusCode is not returned to the User Agent.
reasonPhrase
String Conditional. HTTP reason phrase to be included in the response sent to the User Agent.
reasonPhrase is optional when rejectRequest is set to false.
If rejectRequest is true, reasonPhrase is not returned to the User Agent.
responseHeaders
Document List Conditional. A document list (IData []) containing the header fields to set in the response sent to the User Agent.
responseHeaders is optional when rejectRequest is set to false.
If rejectRequest is true, responseHeaders is not returned to the User Agent.
Key
Description
fieldName
String Name of the header field to set.
fieldValue
String Value of the header field to set.
responseEntity
String Conditional. Body of the response to be sent to the User Agent.
responseEntity is optional when rejectRequest is set to false.
If rejectRequest is true, responseEntity is not returned to the User Agent.
Usage Notes
A UserInfo service performs custom processing based on the personally identifiable information in the OpenID Connect UserInfo token returned from the OpenID Provider. The logic of the UserInfo service must determine whether to accept or reject the original resource request made by the User Agent.
The pub.security:userInfoSpec must be used as the signature for any service used as a UserInfo service. If the UserInfo service does not use the pub.security:userInfoSpec specification as the service signature, Integration Server ignores the results of the UserInfo service and continues to process the request as if the UserInfo service had not been invoked.
Integration Server can reject a request using a UserInfo service only if the UserInfo service is invoked synchronously. When registering the UserInfo service with the OpenID Provider, make sure to register the service as synchronous if you want to be able to reject a User Agent request based on the output of the UserInfo service.
Integration Server populates userInfoClaims or userInfoError depending on the response from the OpenID Provider’s UserInfo Endpoint.
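The following Java service is an added example, not part of the reference guide or of Integration Server itself. It shows accept/reject logic for a UserInfo service that fails closed when userInfoError is present or userInfoClaims is missing, and fills the response fields on the reject path as the rejectRequest description states. The class and service names, the allowed domain, the reliance on the standard OpenID Connect email and email_verified claims, and the claim value types are assumptions; it compiles against the Integration Server com.wm.data classes.

```java
import com.wm.app.b2b.server.ServiceException;
import com.wm.data.IData;
import com.wm.data.IDataCursor;
import com.wm.data.IDataFactory;
import com.wm.data.IDataUtil;
import java.util.Locale;

public final class UserInfoCheck {
    // Hypothetical policy value, not taken from the reference page.
    private static final String ALLOWED_DOMAIN = "@example.com";

    // Assumed to be declared with pub.security:userInfoSpec as its signature.
    public static final void checkUserInfo(IData pipeline) throws ServiceException {
        IDataCursor pc = pipeline.getCursor();
        try {
            IData claims = IDataUtil.getIData(pc, "userInfoClaims");
            IData error = IDataUtil.getIData(pc, "userInfoError");
            String reason = null;
            if (error != null || claims == null) {
                // Fail closed: the UserInfo Endpoint returned no usable claims.
                reason = "UserInfo lookup failed";
            } else {
                IDataCursor cc = claims.getCursor();
                // Read as Object: the IData types of claim values are an assumption.
                Object email = IDataUtil.get(cc, "email");
                Object verified = IDataUtil.get(cc, "email_verified");
                cc.destroy();
                boolean ok = email != null
                        && "true".equalsIgnoreCase(String.valueOf(verified))
                        && email.toString().toLowerCase(Locale.ROOT).endsWith(ALLOWED_DOMAIN);
                if (!ok) reason = "Account not permitted";
            }
            IData response = IDataFactory.create();
            IDataCursor rc = response.getCursor();
            IDataUtil.put(rc, "rejectRequest", Boolean.valueOf(reason != null));
            if (reason != null) {
                IDataUtil.put(rc, "statusCode", Integer.valueOf(403));
                IDataUtil.put(rc, "reasonPhrase", "Forbidden");
                // Generic body: claims and provider error text are not echoed back.
                IDataUtil.put(rc, "responseEntity", reason);
            }
            rc.destroy();
            IDataUtil.put(pc, "userInfoResponse", response);
        } finally {
            pc.destroy();
        }
    }
}
```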