ajmyyra / ambassador-auth-oidc

OpenID Connect AuthService for Ambassador API Gateway
MIT License

Make the userinfo endpoint optional #14

Closed yanniszark closed 5 years ago

yanniszark commented 5 years ago

I have discovered that there is some confusion around the userinfo_endpoint and whether it's mandatory or not. Dex, a big project around OIDC, doesn't seem to implement it yet and I have found references to the spec that characterize it as RECOMMENDED.

Because of the Dex use-case and also the fact that the userinfo endpoint doesn't seem to be mandatory, it makes sense to provide a flag to allow getting the claims from the id_token instead of the userinfo endpoint.

cc @ajmyyra

ajmyyra commented 5 years ago

Yup, userinfo doesn't seem to be mandatory, only recommended. Thank you for pointing this out! I hadn't run across any software that wouldn't offer it, but as Dex is widely-used, supporting it is of course needed. I'll go through the PR and merge it soon.
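
The fallback discussed in this issue, sketched as an added example (not part of the thread and not the project's own code): when claims are read from the id_token instead of the userinfo endpoint, the token's signature has to verify before its payload is trusted. `ClaimsFromIDToken` and `DemoToken` are hypothetical names, RS256 is an assumed signing algorithm, and the key and token are constructed locally for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// ClaimsFromIDToken returns the payload claims only if the RS256 signature verifies.
func ClaimsFromIDToken(token string, key *rsa.PublicKey) (map[string]interface{}, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hdr, e1 := b64.DecodeString(p[0])
	body, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	var h struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" { // refuse "none", HS256, ...
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1])) // signature covers header.payload
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig); err != nil {
		return nil, err
	}
	claims := map[string]interface{}{}
	return claims, json.Unmarshal(body, &claims)
}

// DemoToken stands in for the provider: constructed key, constructed RS256-signed token.
func DemoToken(payload string) (string, *rsa.PublicKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	in := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString([]byte(payload))
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return in + "." + b64.EncodeToString(sig), &key.PublicKey
}

func main() {
	fmt.Println(ClaimsFromIDToken(DemoToken(`{"sub":"alice","email":"alice@example.com"}`)))
}
```

Signature verification is only one of the ID token checks OpenID Connect Core requires; `iss`, `aud` and `exp` still have to be validated before the claims are used.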