Configure an Enterprise OpenID Connect Connection to Call the User Information Endpoint
This article explains whether it is possible to configure an enterprise OpenID Connect (OIDC) connection to retrieve user profile information from the Identity Provider's (IdP) user information endpoint instead of the ID token.
- Enterprise OpenID Connect connection
- Custom Social OAuth 2.0 connection
- Fetch User Profile script
Within the scope of an enterprise OIDC connection this is not currently possible, because there is no way to configure the connection to call the /userinfo endpoint; the profile is built from the ID token claims.
A workaround is to integrate the same provider through a custom social OAuth 2.0 connection (see Connect Apps to Generic OAuth2 Authorization Servers), which allows user profile information to be returned from a request to the user information endpoint. Note that the experience differs between the two connection types, since each has its own feature set and considerations.
A Fetch User Profile script in the custom social connection can call the IdP's /userinfo API and normalize the output. It can look something like this:
function(access_token, ctx, callback) {
  const request = require('request');
  // Replace with the IdP's actual user information endpoint.
  const userinfoEndpoint = "https://auth.domain.com/openid/userinfo";
  request.get(userinfoEndpoint, {
    'headers': {
      // The access token obtained during the OAuth 2.0 exchange authorizes the call.
      'Authorization': 'Bearer ' + access_token
    }
  }, function(e, r, b) {
    if (e) {
      return callback(e);
    }
    if (r.statusCode !== 200) {
      return callback(new Error('StatusCode:' + r.statusCode));
    }
    let response;
    try {
      response = JSON.parse(b);
    } catch (parseError) {
      // A non-JSON body must fail the login rather than throw inside the callback.
      return callback(new Error('Invalid JSON in userinfo response'));
    }
    // Normalize the IdP claims into the profile shape Auth0 expects.
    // user_id must be the stable subject identifier so the profile maps to one user.
    const profile = {
      "user_id": response.sub,
      "email": response.email,
      "name": response.name
    };
    callback(null, profile);
  });
}
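The following is an added example, not code from the article or from Auth0, showing the same Fetch User Profile pattern with the HTTP call injected so that the normalization and error handling can be exercised offline. The endpoint URL, the sample responses and the fakeHttpGet transport are constructed placeholders; in a real script the transport would be the request.get call shown above. Beyond the article's snippet, it rejects responses that lack a sub claim (without which the profile cannot be linked to a single user) and carries through email_verified only when the IdP explicitly sets it to true.

```javascript
// Added example (not Auth0's own code). Placeholder endpoint; replace with the IdP's real one.
const USERINFO_ENDPOINT = 'https://idp.example.com/openid/userinfo';

// Turn a raw userinfo JSON body into the normalized profile shape.
// Throws if the response cannot be trusted to identify a single user.
function normalizeUserinfo(body) {
  let claims;
  try {
    claims = JSON.parse(body);
  } catch (err) {
    throw new Error('userinfo response is not valid JSON');
  }
  if (typeof claims.sub !== 'string' || claims.sub.length === 0) {
    // Without a stable subject identifier the profile cannot be mapped to a user.
    throw new Error('userinfo response is missing the sub claim');
  }
  const profile = { user_id: claims.sub };
  if (typeof claims.email === 'string') {
    profile.email = claims.email;
    // Only treat the email as verified when the IdP says so explicitly.
    profile.email_verified = claims.email_verified === true;
  }
  if (typeof claims.name === 'string') {
    profile.name = claims.name;
  }
  return profile;
}

// httpGet(url, headers, cb) is injected; cb receives (err, statusCode, body).
// In a real Fetch User Profile script this would be request.get(...).
function fetchUserProfile(accessToken, ctx, callback, httpGet) {
  const headers = { Authorization: 'Bearer ' + accessToken };
  httpGet(USERINFO_ENDPOINT, headers, function (err, statusCode, body) {
    if (err) return callback(err);
    if (statusCode !== 200) return callback(new Error('StatusCode:' + statusCode));
    let profile;
    try {
      profile = normalizeUserinfo(body);
    } catch (e) {
      return callback(e);
    }
    return callback(null, profile);
  });
}

// Constructed fake transport: maps a bearer token to a canned IdP response.
function fakeHttpGet(responses) {
  return function (url, headers, cb) {
    const token = (headers.Authorization || '').replace('Bearer ', '');
    const r = responses[token];
    if (!r) return cb(null, 401, '{"error":"invalid_token"}');
    return cb(null, r.status, r.body);
  };
}

// Constructed sample responses covering the success path and two failure modes.
const sampleResponses = {
  'good-token': {
    status: 200,
    body: JSON.stringify({ sub: 'abc123', email: 'alice@example.com', email_verified: true, name: 'Alice' })
  },
  'no-sub-token': { status: 200, body: JSON.stringify({ email: 'bob@example.com' }) },
  'garbage-token': { status: 200, body: '<html>not json</html>' }
};

// Runs the script against the fake transport (synchronously) and returns { err, profile }.
function runScript(token) {
  let result = {};
  fetchUserProfile(token, {}, function (err, profile) {
    result = { err: err, profile: profile };
  }, fakeHttpGet(sampleResponses));
  return result;
}

console.log(runScript('good-token'));
console.log(runScript('no-sub-token').err.message);
```

Keeping the normalization in its own function makes the mapping from IdP claims to the Auth0 profile easy to review and test separately from the network call; the transport injection exists only so the logic can be run without a live IdP.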