Fetch User Claims from the OIDC UserInfo Endpoint
If an ID token does not contain all required claims, you can fetch additional user claims from an OIDC provider's UserInfo endpoint.
Because OIDC requires an access token to call the UserInfo endpoint, fetching UserInfo requires the Authorization Code flow.
Claim precedence
When both ID tokens and UserInfo endpoint responses contain the same claims, the C3 AI Agentic AI Platform follows specific precedence rules to determine which source to use. The precedence varies by claim.
| Claim Type | Precedence | Explanation |
|---|---|---|
| User ID (userId) | ID token takes precedence. The platform uses UserInfo as fallback. | User ID from ID token is more reliable and secure. The platform only uses UserInfo if ID token lacks this critical identifier. |
| Profile fields (firstName, lastName, email, name) | UserInfo takes precedence when not empty. | UserInfo typically provides more complete profile information. |
| Groups | UserInfo takes precedence when not empty. | UserInfo often contains more comprehensive group and role assignments than ID tokens. |
Prerequisite
If you use an existing OidcIdpConfig, verify that userInfoEndPoint is set. If the config has been imported from a discovery URL, userInfoEndPoint is automatically set.
If it's not already set, run the following code in the C3 AI Console to set userInfoEndPoint:
OidcIdpConfig.forId(hostname).setConfigValue("userInfoEndPoint", "<https://your-idp.com/userinfo>", ConfigOverride.APP);
This code fetches the OIDC IdP configuration, sets the UserInfo endpoint URL, and applies the setting at the application level.
Enable UserInfo fetching
In the C3 AI Console, run the following command to set fetchUserInfo to true on your OidcIdpConfig:
OidcIdpConfig.forId(hostname).setConfigValue("fetchUserInfo", true, ConfigOverride.APP);
This code fetches the OIDC IdP configuration, enables UserInfo endpoint fetching, and applies the setting at the application level.
Configure custom claim names
If your Identity Provider (IdP) uses non-standard claim names, configure custom claim names. Run the following code in the C3 AI Console:
var claimNames = Oidc.UserInfo.ClaimNames.make({
givenName: "<first_name>",
familyName: "<last_name>",
groups: "roles"
});
OidcIdpConfig.forId(hostname).setConfigValue("userInfoClaimNames", claimNames, ConfigOverride.APP);
This code creates a custom claim mapping object, configures it with the IdP's non-standard claim names, and applies the setting at the application level.
Configure group delimiter
If the UserInfo endpoint returns groups as a delimited string instead of an array, configure the delimiter. Run the following code in the C3 AI Console:
OidcIdpConfig.forId(hostname).setConfigValue("idpGroupClaimDelimiter", ",", ConfigOverride.APP);
This code fetches the OIDC IdP configuration, sets the delimiter to a comma (","), and applies the setting at the application level.
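The following added example (not C3 AI platform code) sketches how the precedence table, custom claim names, and group delimiter described above combine when an ID token and a UserInfo response overlap. The function names, option names, and sample data are hypothetical, and the `sub` comparison follows OpenID Connect Core section 5.3.2; the page does not state how the platform itself handles a mismatch.

```javascript
// Added illustration, not C3 AI platform code; all function and option names are hypothetical.
// Assumption: the ID token uses standard OIDC claim names and "sub" carries the user ID.
const DEFAULT_NAMES = { givenName: "given_name", familyName: "family_name",
                        email: "email", name: "name", groups: "groups" };
const PROFILE_FIELDS = { firstName: "givenName", lastName: "familyName", email: "email", name: "name" };

function isEmpty(v) {
  return v === undefined || v === null || v === "" || (Array.isArray(v) && v.length === 0);
}

// Accept groups as an array or as a delimited string (the idpGroupClaimDelimiter case).
function normalizeGroups(raw, delimiter) {
  if (isEmpty(raw)) return [];
  const parts = Array.isArray(raw) ? raw : String(raw).split(delimiter);
  return parts.map((g) => String(g).trim()).filter((g) => g !== ""); // trimming is an assumption
}

function mergeClaims(idToken, userInfo, opts = {}) {
  const names = { ...DEFAULT_NAMES, ...(opts.claimNames || {}) };
  const delimiter = opts.groupDelimiter || ",";
  // OIDC Core 5.3.2: if the UserInfo sub differs from the ID token sub,
  // the UserInfo response must not be used. Here that is treated as a hard failure.
  if (!isEmpty(idToken.sub) && !isEmpty(userInfo.sub) && idToken.sub !== userInfo.sub) {
    throw new Error("UserInfo sub does not match ID token sub");
  }
  const merged = {};
  // User ID: ID token takes precedence, UserInfo is only a fallback.
  merged.userId = !isEmpty(idToken.sub) ? idToken.sub : userInfo.sub;
  // Profile fields: UserInfo wins when not empty, otherwise keep the ID token value.
  for (const [field, key] of Object.entries(PROFILE_FIELDS)) {
    const fromUserInfo = userInfo[names[key]];
    merged[field] = !isEmpty(fromUserInfo) ? fromUserInfo : idToken[DEFAULT_NAMES[key]];
  }
  // Groups: same rule, after normalizing both sources to arrays.
  const uiGroups = normalizeGroups(userInfo[names.groups], delimiter);
  merged.groups = uiGroups.length > 0 ? uiGroups
    : normalizeGroups(idToken[DEFAULT_NAMES.groups], delimiter);
  return merged;
}

// Constructed sample data mirroring the custom claim names configured above.
const sampleIdToken = { sub: "u-123", given_name: "Ada", email: "ada@example.com", groups: ["staff"] };
const sampleUserInfo = { sub: "u-123", first_name: "Ada", last_name: "Lovelace", email: "", roles: "admin, analysts" };
const sampleOpts = { claimNames: { givenName: "first_name", familyName: "last_name", groups: "roles" }, groupDelimiter: "," };
console.log(mergeClaims(sampleIdToken, sampleUserInfo, sampleOpts));
```

Because groups from UserInfo replace those in the ID token whenever they are non-empty, a wrong claim name or delimiter changes which groups are used, so compare the merged result against what the IdP actually returns before relying on it for authorization.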
JWT response format
The UserInfo endpoint may return a signed JSON Web Token (JWT) instead of JSON. The C3 AI server automatically verifies the JWT signature with the IdP's public key.