This repository has been archived by the owner on Jul 3, 2020. It is now read-only.

how to get authenticated user info after access token? #100

Open
bcfreitas opened this issue Dec 15, 2016 · 1 comment

Comments

@bcfreitas

The user accesses the Application Client.
The Application Client redirects the user to the Authorization Server (via user-agent/browser).
The user enters their credentials (username/password).
The Authorization Server confirms the credentials and sends the Authorization Code (in case of Authorization Code Grant) or Access Token (in case of Implicit Grant) to the Redirect URI (in my case, a custom Android scheme pointing to my app). ...
(other steps involving token exchange or access token use omitted)

How and when does the Application Client get any info about the user that provided their credentials (like user ID or name)?

I'm using OAuth API Secure Project (https://github.com/OAuth-Apis/apis) for my Authorization Server, and a Resource Server/API generated by Swagger code-gen.

Everything is fine with token requests and responses, and the Authorization Server is saving the Access Keys with info about the Authenticated Principals fine. It also has an endpoint to retrieve this info about the principal: /tokenInfo, but this endpoint is for Resource Server use (it needs Resource Server credentials).

So my problem is only about the Application Client getting user info.... I can make an endpoint in my API only to get the info about the user/principal, based on the access token and the /tokenInfo endpoint referred to, and return it to the Application Client, but it's strange.... I think there is a standard for that...

@gvanderploeg
Contributor

It also has an endpoint to retrieve this info about the principal: /tokenInfo, but this endpoint is for Resource Server use (it needs Resource Server credentials).

That's correct. Clients only have an access token, and that's it. Strictly speaking, user information is 'out of scope' for OAuth, as OAuth is only about authorisation. Most providers where the authorisation server and resource server are close together (like Google, GitHub) provide a resource server which answers '/me' requests that give profile information about the authenticated user. (for Google: https://developers.google.com/+/web/api/rest/latest/people/get)
And to authorise a client for such requests, an additional scope like 'profile' is often added.
So, that's an advantage of having the authorization server and user identities coupled/tied together.

As Apis is only an authorisation server and externalises the authentication / user identity, it does not provide such a feature.

I hope this helps.
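The pattern described in this answer (and the one the question proposes), sketched as an added example that is not code from the Apis project: the resource server, not the client, verifies the bearer token against the authorisation server using its own resource-server credentials, and only then answers a '/me' request, refusing tokens that are expired or lack the 'profile' scope. The token-info URL and field names are assumptions, not the real Apis schema.

```python
"""Added example (not Apis project code): a resource-server '/me' endpoint."""
import base64
import time
from typing import Optional, Tuple
from urllib.request import Request

# Placeholder verification endpoint; the real Apis path/host is not assumed here.
TOKEN_INFO_URL = "https://authz.example.invalid/v1/tokeninfo"


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the access token the client presents; anything but Bearer is rejected."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return token.strip() or None


def basic_auth_header(rs_key: str, rs_secret: str) -> str:
    """Resource-server credentials for /tokenInfo; the client never holds these."""
    return "Basic " + base64.b64encode(f"{rs_key}:{rs_secret}".encode()).decode()


def token_info_request(access_token: str, rs_key: str, rs_secret: str) -> Request:
    """Build (not send) the verification request: RS credentials in Basic auth, user token as parameter."""
    req = Request(f"{TOKEN_INFO_URL}?access_token={access_token}")
    req.add_header("Authorization", basic_auth_header(rs_key, rs_secret))
    return req


# Constructed sample of a token-info document; field names are assumptions.
SAMPLE_TOKEN_INFO = {
    "audience": "android-app-client",
    "scopes": ["read", "profile"],
    "principal": {"name": "alice", "roles": ["user"], "attributes": {"displayName": "Alice Example"}},
    "expires": 1_700_000_000,  # absolute expiry as a Unix timestamp
}


def me_response(token_info: dict, now: Optional[float] = None, required_scope: str = "profile") -> Tuple[int, dict]:
    """Decide what '/me' returns for a verified token: (HTTP status, JSON body)."""
    now = time.time() if now is None else now
    if "error" in token_info or "principal" not in token_info:
        return 401, {"error": "invalid_token"}
    if token_info.get("expires", 0) <= now:
        return 401, {"error": "invalid_token", "reason": "expired"}
    if required_scope not in token_info.get("scopes", []):
        return 403, {"error": "insufficient_scope", "scope": required_scope}
    principal = token_info["principal"]
    # Expose only profile fields; never echo the whole token-info document to the client.
    display = principal.get("attributes", {}).get("displayName", principal["name"])
    return 200, {"id": principal["name"], "name": display}
```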
