How to add UserInfo to PhenixID Authentication Services OpenID Connect Provider
Prerequisites
- PAS 3.0 or higher installed
- OpenID Connect Provider configured using Scenarios->OIDC
- The PhenixID OIDC token endpoint must have returned an access_token whose value is bound to the session as an alias.
- User information must have been stored in the session during authentication (using session* valves in the pipe). Consult the valves documentation for usage examples.
Add userinfo as an allowed operation
- Login to configuration manager
- Click the Advanced tab
- Open Modules (click on the pen)
- Locate the api module (com.phenixidentity~phenix-api-authenticate)
- Locate the tenant for the OpenID Connect Provider configured
- Add userinfo as an allowed operation.
Example:
{
  "module": "com.phenixidentity~phenix-api-authenticate",
  "enabled": "true",
  "config": {
    "tenant": [
      {
        "id": "t1",
        "displayName": "Tenant1",
        "allowedOperation": [
          "userinfo"
        ]
      }
    ]
  },
  "id": "authapi_module"
}
NB! If you have multiple logical OpenID Connect Providers (=tenants), you should rename userinfo to something unique for the tenant, for example userinfo_t1. Also make sure to set the pipe id to the same value (see later step).
- Click Stage Changes and Commit Changes
Add pipe to retrieve UserInfo
- Click the Advanced tab
- Open Pipes (click on the pen)
- Add this pipe.
{
  "id": "userinfo",
  "valves": [
    {
      "name": "ItemCreateValve",
      "config": {
        "dest_id": "userinfo_props"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "authorization",
        "value": "{{request.Authorization}}"
      }
    },
    {
      "name": "PropertyReplaceValve",
      "config": {
        "source": "authorization",
        "dest": "access_token",
        "token": "Bearer ",
        "replacement": ""
      }
    },
    {
      "name": "SessionResolveValve",
      "config": {
        "alias": "{{item.access_token}}",
        "require_session": "true",
        "require_auth_session": "false"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "name",
        "value": "{{session.name}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "given_name",
        "value": "{{session.givenName}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "family_name",
        "value": "{{session.sn}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "email",
        "value": "{{session.mail}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "phone_number",
        "value": "{{session.mobile}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "sub",
        "value": "{{session.user_id}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "employee_role",
        "value": "{{session.role}}"
      }
    },
    {
      "name": "PropertyRemoveValve",
      "config": {
        "name": "access_token,authorization"
      }
    }
  ],
  "created": "2017-11-13T09:53:46.595Z"
}
- Remove or add claims by removing or adding PropertyAddValve entries above, to suit your environment.
- Change the claim name to session attribute name mapping to suit your environment.
- If additional SQL / LDAP lookups should be performed, please consult the valves documentation to add such lookups.
- If the userinfo operation was named something else, set the same value as the pipe id.
- Click Stage Changes and Commit Changes
Add UserInfo endpoint to OIDC Discovery data
- Click the Advanced tab
- Click OIDC_OP
- Locate the OP configuration for the OP provider (tenant)
- Add the UserInfo endpoint by adding the config parameter userinfo_endpoint with a value pointing to the pipe previously added. Also, add the tenant ID to the URL.
"userinfo_endpoint" : "https://<PAS_SERVER>/api/authentication/userinfo?tenant=<TENANT_ID>",
FULL EXAMPLE:
{
  "id": "t1",
  "tenant": "t1",
  "guide_ref": "guides.authentication.oidc.uidpwdsms",
  "config": {
    "authorization_endpoint": "https://demo.phenixid.net/oidc/authenticate/oidc_otp",
    "userinfo_endpoint": "https://demo.phenixid.net/api/authentication/userinfo?tenant=t1",
    "issuer": "https://demo.phenixid.net/t1",
    "token_endpoint": "https://demo.phenixid.net/api/authentication/2a4b03b4-7073-4728-9149-6bb7409187e7?tenant=t1",
    "jwks_uri": "https://demo.phenixid.net/oidc_otp/.well-known/openid-configuration/jwks",
    "response_types_supported": [
      "code"
    ],
    "grant_types_supported": [
      "authorization_code"
    ],
    "subject_types_supported": [
      "public"
    ],
    "id_token_signing_alg_values_supported": [
      "RS256"
    ],
    "scopes_supported": [
      "openid"
    ],
    "token_endpoint_auth_methods_supported": [
      "none"
    ],
    "claims_supported": [
      "iss",
      "ver",
      "sub",
      "given_name",
      "family_name"
    ],
    "end_session_endpoint": "https://demo.phenixid.net/oidc/authenticate/logout/",
    "request_parameter_supported": "true",
    "signStore": "956bee24-98f0-41a5-9e27-76f8c89d1e1d"
  },
  "created": "2019-10-21T07:59:30.621Z"
}
- If the userinfo operation was named something else, set the same value as the last path segment of the userinfo_endpoint URI.
Example:
"userinfo_endpoint": "https://demo.phenixid.net/api/authentication/userinfo_t1?tenant=t1",
Test
Use an HTTP REST client for testing and debugging. Follow the document OpenIDConnect UserInfo - integration guide for developers to structure the HTTP requests properly.
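As an added example (not PhenixID's own code), the following Python client builds the UserInfo request the pipe above expects (token in the Authorization header, tenant in the query string, operation name as the last path segment) and runs the checks a relying party should apply to the response: the sub claim must match the ID token's sub (OpenID Connect Core 1.0, section 5.3.2), and the working properties access_token and authorization that the PropertyRemoveValve strips must not appear. Server name, tenant id, token and the sample response are constructed placeholders, and the endpoint is assumed to return the item as a flat JSON object.

```python
import json
import urllib.request
from urllib.parse import urlencode


def build_userinfo_request(server, tenant, access_token, operation="userinfo"):
    """Return (url, headers) for the PAS UserInfo pipe.

    The pipe takes the token from the Authorization header
    (PropertyAddValve on {{request.Authorization}}, then PropertyReplaceValve
    stripping "Bearer "), so the token is sent in the header, never in the URL.
    """
    url = f"https://{server}/api/authentication/{operation}?{urlencode({'tenant': tenant})}"
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return url, headers


def fetch_userinfo(server, tenant, access_token, operation="userinfo"):
    """Call a live PAS instance (needs network); not exercised by the checks below."""
    url, headers = build_userinfo_request(server, tenant, access_token, operation)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)  # assumption: flat JSON object of claims


def check_userinfo(userinfo, expected_sub):
    """Return a list of problems with a UserInfo response; empty means accept it.

    - The client MUST verify that 'sub' equals the ID token's 'sub'; otherwise
      the UserInfo values must not be used.
    - 'access_token' and 'authorization' are only working properties of the
      pipe; if they come back, the PropertyRemoveValve is missing and the
      bearer token is being echoed to the caller.
    """
    problems = []
    if userinfo.get("sub") != expected_sub:
        problems.append("sub does not match the ID token")
    for leaked in ("access_token", "authorization"):
        if leaked in userinfo:
            problems.append(f"pipe leaks working property '{leaked}'")
    return problems


if __name__ == "__main__":
    # Constructed sample shaped like the pipe above would produce for a user.
    sample = {"sub": "jdoe", "name": "John Doe", "email": "jdoe@example.com"}
    print(build_userinfo_request("pas.example.com", "t1", "TOKEN", "userinfo_t1"))
    print(check_userinfo(sample, "jdoe"))
```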