Passing extra data for "userinfo" endpoint, but not visible in ID Token, or Access Token



I want to pass extra data about user which will be available through “userinfo” endpoint

At this time I am able to do it during consent flow using “session” and “id_token”/“access_token” parameters, but problem is that passed data is visible in ID Token and can be decoded in public

Question is how to pass data to “userinfo” without adding it to ID Token?


There is no difference in confidentiality between an ID Token and an Access Token and the /userinfo endpoint. If you have access to the ID Token, you also have access to the Access Token and thus to the /userinfo endpoint.

Right now, there is no way to add data to the userinfo endpoint without adding it to the ID Token. Could you give an example why you’d want data in the userinfo endpoint but not the ID Token?