diff --git a/README.md b/README.md
index f3a94ee50101c62e738b18c00d4810c74f9c7157..65a7474b3e8bafa5281ed4fd1ed033cc55b59547 100644
--- a/README.md
+++ b/README.md
@@ -7,4 +7,13 @@ OAuth2 server (urls defined in config) and -- apart from a session cookie --
 stateless. OAuth2 client id, secret and redirect URI are passed from the
 integrating NGINX to the proxy in HTTP headers.
 
+The following data about the authenticated user is returned by the `/auth`
+endpoint as HTTP headers:
+
+* `OAUTH-USER-ID`: (usually numeric) unique user id
+* `OAUTH-USER-NAME`: display name
+* `OAUTH-USER-NICKNAME`: unique user name (for urls, @-handles, ...)
+* `OAUTH-USER-EMAIL`: email address
+* `OAUTH-USER-GROUPS`: comma-separated list of group names
+
 See testapp for an example setup.
diff --git a/app.py b/app.py
index e40b829d3c1e711a5bdacdcb72ac3236c60826d8..04c09f119dc2eb35674d31e8e8e03ff113425675 100644
--- a/app.py
+++ b/app.py
@@ -45,9 +45,9 @@ def create_app(test_config=None):
 			client_secret=request.headers['X-CLIENT-SECRET'],
 			authorization_response=request.url, verify=(not app.debug))
 		userinfo = client.get(app.config['OAUTH2_USERINFO_URL']).json()
-		session['user_id'] = userinfo['id'] # (usually numeric) unique user id
-		session['user_name'] = userinfo['name'] # display name
-		session['user_nickname'] = userinfo['nickname'] # unique user name (for urls, @-handles, ...)
+		session['user_id'] = userinfo['id']
+		session['user_name'] = userinfo['name']
+		session['user_nickname'] = userinfo['nickname']
 		session['user_email'] = userinfo['email']
 		session['user_groups'] = userinfo['groups']
 		return redirect(session.pop('url'))
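Review bot: The three rewritten `+` lines still index `userinfo['id']`, `userinfo['name']` and `userinfo['nickname']` directly, so a userinfo response missing any of these fields raises a KeyError inside the callback and surfaces as an unhandled 500 instead of a deliberate authentication failure, and an empty `id` would be stored as the session identity and (per the README) forwarded downstream in `OAUTH-USER-ID`. Fetching the values first, e.g. `user_id = userinfo.get('id')` and rejecting the request when it is falsy (with whatever error convention the app already uses) before any `session[...]` write, would keep a malformed provider response from creating a half-populated session. The removed inline comments were the only in-code description of what each field means; a single line such as `# field semantics documented under "/auth" headers in README.md` above the block would preserve that for readers of the code. `create_app` begins and ends outside this hunk, so where `session['url']` is set and whether it is validated cannot be assessed here.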