diff --git a/app/controllers/oauth/userinfo_controller.rb b/app/controllers/oauth/userinfo_controller.rb
new file mode 100644
index 0000000000..e268b70dcc
--- /dev/null
+++ b/app/controllers/oauth/userinfo_controller.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class Oauth::UserinfoController < Api::BaseController
+  before_action -> { doorkeeper_authorize! :profile }, only: [:show]
+  before_action :require_user!
+
+  def show
+    @account = current_account
+    render json: @account, serializer: OauthUserinfoSerializer
+  end
+end
diff --git a/app/presenters/oauth_metadata_presenter.rb b/app/presenters/oauth_metadata_presenter.rb
index 1e4d25165c..7d75e8498a 100644
--- a/app/presenters/oauth_metadata_presenter.rb
+++ b/app/presenters/oauth_metadata_presenter.rb
@@ -26,6 +26,10 @@ class OauthMetadataPresenter < ActiveModelSerializers::Model
     oauth_token_url
   end
 
+  def userinfo_endpoint
+    oauth_userinfo_url
+  end
+
   # As the api_v1_apps route doesn't technically conform to the specification
   # for OAuth 2.0 Dynamic Client Registration defined in RFC 7591 we use a
   # non-standard property for now to indicate the mastodon specific registration
diff --git a/app/serializers/oauth_metadata_serializer.rb b/app/serializers/oauth_metadata_serializer.rb
index 2afb4208fb..9c5f7365a4 100644
--- a/app/serializers/oauth_metadata_serializer.rb
+++ b/app/serializers/oauth_metadata_serializer.rb
@@ -2,7 +2,7 @@
 
 class OauthMetadataSerializer < ActiveModel::Serializer
   attributes :issuer, :authorization_endpoint, :token_endpoint,
-             :revocation_endpoint, :scopes_supported,
+             :revocation_endpoint, :userinfo_endpoint, :scopes_supported,
              :response_types_supported, :response_modes_supported,
              :grant_types_supported, :token_endpoint_auth_methods_supported,
              :code_challenge_methods_supported,
diff --git a/app/serializers/oauth_userinfo_serializer.rb b/app/serializers/oauth_userinfo_serializer.rb
new file mode 100644
index 0000000000..e2f37ae02e
--- /dev/null
+++ b/app/serializers/oauth_userinfo_serializer.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+class OauthUserinfoSerializer < ActiveModel::Serializer
+  include RoutingHelper
+
+  attributes :iss, :sub, :name, :preferred_username, :profile, :picture
+
+  def iss
+    root_url
+  end
+
+  def sub
+    ActivityPub::TagManager.instance.uri_for(object)
+  end
+
+  def name
+    object.display_name
+  end
+
+  def preferred_username
+    object.username
+  end
+
+  def profile
+    ActivityPub::TagManager.instance.url_for(object)
+  end
+
+  def picture
+    full_asset_url(object.avatar_original_url)
+  end
+end
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
index c530693a3f..476f1fb07a 100644
--- a/config/initializers/cors.rb
+++ b/config/initializers/cors.rb
@@ -23,6 +23,7 @@ Rails.application.config.middleware.insert_before 0, Rack::Cors do
                methods: %i(post put delete get patch options)
       resource '/oauth/token', methods: [:post]
       resource '/oauth/revoke', methods: [:post]
+      resource '/oauth/userinfo', methods: [:get, :post]
     end
   end
 end
diff --git a/config/routes.rb b/config/routes.rb
index 83170fba0f..0f4df757da 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -64,6 +64,13 @@ Rails.application.routes.draw do
                 tokens: 'oauth/tokens'
   end
 
+  namespace :oauth do
+    # As this is borrowed from OpenID, the specification says we must also support
+    # POST for the userinfo endpoint:
+    # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+    match 'userinfo', via: [:get, :post], to: 'userinfo#show', defaults: { format: 'json' }
+  end
+
   scope path: '.well-known' do
     scope module: :well_known do
       get 'oauth-authorization-server', to: 'oauth_metadata#show', as: :oauth_metadata, defaults: { format: 'json' }
diff --git a/spec/requests/oauth/userinfo_spec.rb b/spec/requests/oauth/userinfo_spec.rb
new file mode 100644
index 0000000000..7d6226cd41
--- /dev/null
+++ b/spec/requests/oauth/userinfo_spec.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Oauth Userinfo Endpoint' do
+  include RoutingHelper
+
+  let(:user)     { Fabricate(:user) }
+  let(:account)  { user.account }
+  let(:token)    { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
+  let(:scopes)   { 'profile' }
+  let(:headers)  { { 'Authorization' => "Bearer #{token.token}" } }
+
+  shared_examples 'returns successfully' do
+    it 'returns http success' do
+      subject
+
+      expect(response).to have_http_status(:success)
+      expect(response.content_type).to start_with('application/json')
+      expect(response.parsed_body).to include({
+        iss: root_url,
+        sub: account_url(account),
+        name: account.display_name,
+        preferred_username: account.username,
+        profile: short_account_url(account),
+        picture: full_asset_url(account.avatar_original_url),
+      })
+    end
+  end
+
+  describe 'GET /oauth/userinfo' do
+    subject do
+      get '/oauth/userinfo', headers: headers
+    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
+    it_behaves_like 'returns successfully'
+  end
+
+  # As this is borrowed from OpenID, the specification says we must also support
+  # POST for the userinfo endpoint:
+  # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+  describe 'POST /oauth/userinfo' do
+    subject do
+      post '/oauth/userinfo', headers: headers
+    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
+    it_behaves_like 'returns successfully'
+  end
+end
diff --git a/spec/requests/well_known/oauth_metadata_spec.rb b/spec/requests/well_known/oauth_metadata_spec.rb
index 9c86dbedfe..01e9146fde 100644
--- a/spec/requests/well_known/oauth_metadata_spec.rb
+++ b/spec/requests/well_known/oauth_metadata_spec.rb
@@ -3,12 +3,6 @@
 require 'rails_helper'
 
 RSpec.describe 'The /.well-known/oauth-authorization-server request' do
-  let(:protocol) { ENV.fetch('LOCAL_HTTPS', true) ? :https : :http }
-
-  before do
-    host! Rails.configuration.x.local_domain
-  end
-
   it 'returns http success with valid JSON response' do
     get '/.well-known/oauth-authorization-server'
 
@@ -22,11 +16,12 @@ RSpec.describe 'The /.well-known/oauth-authorization-server request' do
     grant_types_supported << 'refresh_token' if Doorkeeper.configuration.refresh_token_enabled?
 
     expect(response.parsed_body).to include(
-      issuer: root_url(protocol: protocol),
+      issuer: root_url,
       service_documentation: 'https://docs.joinmastodon.org/',
-      authorization_endpoint: oauth_authorization_url(protocol: protocol),
-      token_endpoint: oauth_token_url(protocol: protocol),
-      revocation_endpoint: oauth_revoke_url(protocol: protocol),
+      authorization_endpoint: oauth_authorization_url,
+      token_endpoint: oauth_token_url,
+      userinfo_endpoint: oauth_userinfo_url,
+      revocation_endpoint: oauth_revoke_url,
       scopes_supported: Doorkeeper.configuration.scopes.map(&:to_s),
       response_types_supported: Doorkeeper.configuration.authorization_response_types,
       response_modes_supported: Doorkeeper.configuration.authorization_response_flows.flat_map(&:response_mode_matches).uniq,
@@ -34,7 +29,7 @@ RSpec.describe 'The /.well-known/oauth-authorization-server request' do
       grant_types_supported: grant_types_supported,
       code_challenge_methods_supported: ['S256'],
       # non-standard extension:
-      app_registration_endpoint: api_v1_apps_url(protocol: protocol)
+      app_registration_endpoint: api_v1_apps_url
     )
   end
 end