OAuth 2.0 and authentication
While OAuth 2.0 is not an authentication protocol, Dataporten offers a simple and convenient userinfo endpoint providing basic information about the end user.
The endpoint will return information about the user depending on the scopes the application has.
The userinfo endpoint is:
Here is an example request:
When using the userinfo endpoint to authenticate the user, the application MUST verify that the
audience property matches the client id of the application.
With only the userid scopes, the accessible user properties become:
User Profile photo
If the application has obtained the profilephoto public handle of the user, the application may fetch the profile photo from:
The profile photo is usually square, 128 x 128px. If the original is not 1:1, the longest edge will be 128px and the other edge will be shorter, maintaining the original aspect ratio.
Extended userinfo from Feide directories
A separate userinfo endpoint is available for extracting more details directly from the user's Feide directory. This is only available for Feide users. You will need to contact UNINETT at email@example.com to request access to some special scopes to extract information from this endpoint.
The data structure at this endpoint is very similar to the attribute set returned from Feide in the SAML 2.0 Response.
Example output from one of the test users:
OpenID Connect is a simple authentication/identity layer on top of OAuth. It is a relatively new, emerging protocol with significant momentum and a promising future.
Please read the OAuth 2.0 Security Advisory section.
- Be careful to register only protected and real redirect_uri values.
- Use the state parameter in the authorization request to link the response to the request.
- Make sure you validate the audience property.
- Validate the certificate on the token endpoint and the userinfo endpoint.
- Consider OpenID Connect to further increase security on authentication.
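The two checks above that an application can enforce in its own code are the audience check on the userinfo reply and the state check on the authorization response. The following is an added example, not code from the Dataporten documentation; it assumes the userinfo reply is a JSON object with a top-level "audience" string and a nested "user" object, and uses a constructed sample reply and a hypothetical client id.

```python
import json
import secrets

# Constructed sample userinfo reply (not a real Dataporten response). The
# top-level "audience" field and nested "user" object are assumptions.
SAMPLE_USERINFO = json.dumps({
    "audience": "11111111-2222-3333-4444-555555555555",
    "user": {
        "userid": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
        "name": "Test User",
        "email": "test@example.org",
    },
})

CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # hypothetical client id


class AuthError(Exception):
    """Raised when an OAuth response must not be trusted."""


def new_state(session: dict) -> str:
    """Create an unguessable state value and remember it in the session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def check_state(session: dict, returned_state: str) -> None:
    """Link the authorization response to the request that started it."""
    expected = session.pop("oauth_state", None)  # one-time use
    if expected is None or not secrets.compare_digest(expected, returned_state):
        raise AuthError("state mismatch: response is not linked to our request")


def verify_userinfo(raw: str, client_id: str) -> dict:
    """Accept a userinfo reply only if its audience is this application."""
    data = json.loads(raw)
    audience = data.get("audience")
    if not isinstance(audience, str) or not secrets.compare_digest(audience, client_id):
        raise AuthError("audience %r does not match our client id" % (audience,))
    user = data.get("user")
    if not isinstance(user, dict) or "userid" not in user:
        raise AuthError("userinfo reply lacks a user object with a userid")
    return user
```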
In the application, include a logout link that performs the following:
- First, kills the local session for the current user.
- Then, redirects the user to
- The user will then automatically be logged out from the Dataporten core platform as well as from the authentication source (Feide, IDporten or similar), and will be shown a page confirming that he/she is now logged out.
- Notice that the end user will not be automatically logged out from other Dataporten Applications.
firstname.lastname@example.org to get test users' username and password to test your application.