I've managed to get PKCE authentication working for SSO into our app with OneLogin as the identity provider - however I cannot see where or how we would retrieve the username of the logged-in user.
I've found there are API ways of getting this but that seems to require another access token to authenticate into the API, which seems a bit daft - isn't there a way of getting the user's email address without having to re-authenticate?
So I'm logging in with these restful calls:
https://domain/oidc/2/auth?client_id=xxx&redirect_uri=<redirect uri>&response_type=code&scope=openid
then
https://domain/oidc/2/token?...
"grant_type", "authorization_code",
"code", code,
"client_id", client_id,
"redirect_uri", redir,
"code_verifier", pkce_code_verifier
So that works great, but now for step 3 I need the user's email address to identify them - how do I get that?
In Okta we make an additional call to
https://domain/oauth2/default/v1/userinfo
And that seems to work with the token as a bearer authorization header. The same idea doesn't work in OneLogin.
thanks
The answer was to use this URL with the token as a bearer
https://domain/oidc/2/me
Then the json returned includes the "email" attribute containing the email address of the logged in user.
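The three steps above as an added Python example (not the poster's code and not OneLogin's SDK). It assumes the S256 PKCE method, a `state` parameter, and that the caller has the `sub` claim from the ID token returned in step 2 so the `/oidc/2/me` response can be checked against it; the domain, client id and redirect URI in the test are placeholders.

```python
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request


def pkce_challenge(verifier):
    """S256 code_challenge for a code_verifier (RFC 7636): unpadded BASE64URL(SHA256(verifier))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh random code_verifier (43 URL-safe chars) and its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_auth_url(domain, client_id, redirect_uri, challenge, state):
    """Step 1: the /oidc/2/auth URL; the challenge binds the later token request to our verifier."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
              "scope": "openid", "code_challenge": challenge, "code_challenge_method": "S256",
              "state": state}  # state is an assumption here; the question's URL omits it
    return "https://%s/oidc/2/auth?%s" % (domain, urllib.parse.urlencode(params))


def token_request_body(client_id, redirect_uri, code, verifier):
    """Step 2: form body for POST /oidc/2/token, the same fields as in the question."""
    return urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "client_id": client_id, "redirect_uri": redirect_uri,
                                   "code_verifier": verifier}).encode("ascii")


def email_from_userinfo(body, expected_sub=None):
    """Step 3: pull "email" out of the /oidc/2/me JSON. When the caller supplies the "sub"
    from the ID token, a response for a different subject is rejected (OIDC Core 5.3.2)."""
    claims = json.loads(body)
    if expected_sub is not None and claims.get("sub") != expected_sub:
        raise ValueError("userinfo 'sub' does not match the ID token 'sub'")
    email = claims.get("email")
    if not email:
        raise ValueError("userinfo response carries no 'email' claim")
    return email


def fetch_email(domain, access_token, expected_sub=None):
    """GET https://{domain}/oidc/2/me with the access token as a bearer, as in the answer."""
    req = urllib.request.Request("https://%s/oidc/2/me" % domain,
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return email_from_userinfo(resp.read(), expected_sub)
```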