Overview#

OpenID Connect Discovery is defined in the OpenID Connect Discovery Mechanism 1.0 incorporating errata set 1 Specification.

The OpenID Connect Discovery specification defines a Discovery Mechanism for an OpenID Connect Relying Party to discover the Resource Owner's Identity Provider (IDP) and obtain information needed to interact with the Identity Provider (IDP), including its OAuth 2.0 Endpoint locations.

OpenID Connect Discovery consists of two primary Discovery Mechanisms:

OpenID Connect Discovery is defined in the OpenID Connect Discovery Mechanism 1.0 incorporating errata set 1 Specification.

All OpenID Connect servers are uniquely identified by a URL known as the issuer. This URL serves as the prefix of a service discovery endpoint as specified in the OpenID Connect Discovery standard [9]. The discovery document MUST contain at minimum the following fields:

The following example shows the JSON document found at a discovery endpoint for an authorization server:

{
  "request_parameter_supported": true,
  "id_token_encryption_alg_values_supported": [
    "RSA-OAEP", "RSA1_5", "RSA-OAEP-256"
  ],
  "registration_endpoint": "https://idp-p.mitre.org/register",
  "userinfo_signing_alg_values_supported": [
    "HS256", "HS384", "HS512", "RS256", "RS384", "RS512"
  ],
  "token_endpoint": "https://idp-p.mitre.org/token",
  "request_uri_parameter_supported": false,
  "request_object_encryption_enc_values_supported": [
    "A192CBC-HS384", "A192GCM", "A256CBC+HS512",
    "A128CBC+HS256", "A256CBC-HS512",
    "A128CBC-HS256", "A128GCM", "A256GCM"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "userinfo_encryption_alg_values_supported": [
    "RSA-OAEP", "RSA1_5",
    "RSA-OAEP-256"
  ],
  "subject_types_supported": [
    "public", "pairwise"
  ],
  "id_token_encryption_enc_values_supported": [
    "A192CBC-HS384", "A192GCM", "A256CBC+HS512",
    "A128CBC+HS256", "A256CBC-HS512", "A128CBC-HS256",
    "A128GCM", "A256GCM"
  ],
  "claims_parameter_supported": false,
  "jwks_uri": "https://idp-p.mitre.org/jwk",
  "id_token_signing_alg_values_supported": [
    "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "none"
  ],
  "authorization_endpoint": "https://idp-p.mitre.org/authorize",
  "require_request_uri_registration": false,
  "introspection_endpoint": "https://idp-p.mitre.org/introspect",
  "request_object_encryption_alg_values_supported": [
    "RSA-OAEP", ?RSA1_5", "RSA-OAEP-256"
  ],
  "service_documentation": "https://idp-p.mitre.org/about",
  "response_types_supported": [
    "code", "token"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "HS256", "HS384", "HS512", "RS256", "RS384", "RS512"
  ],
  "revocation_endpoint": "https://idp-p.mitre.org/revoke",
  "request_object_signing_alg_values_supported": [
    "HS256", "HS384", "HS512", "RS256", "RS384", "RS512"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "client_credentials",
    "urn:ietf:params:oauth:grant_type:redelegate"
  ],
  "scopes_supported": [
    "profile", "openid", "email", "address", "phone", "offline_access"
  ],
  "userinfo_endpoint": "https://idp-p.mitre.org/userinfo",
  "userinfo_encryption_enc_values_supported": [
    "A192CBC-HS384", "A192GCM", "A256CBC+HS512","A128CBC+HS256",
    "A256CBC-HS512", "A128CBC-HS256", "A128GCM", "A256GCM"
  ],
  "op_tos_uri": "https://idp-p.mitre.org/about",
  "issuer": "https://idp-p.mitre.org/",
  "op_policy_uri": "https://idp-p.mitre.org/about",
  "claims_supported": [
    "sub", "name", "preferred_username", "given_name", "family_name",
    "middle_name", "nickname", "profile", "picture", "website",
    "gender", "zone_info", "locale", "updated_time", "birthdate",
    "email", "email_verified", "phone_number", "address"
  ]
}

Clients and protected resources SHOULD cache this discovery information. It is RECOMMENDED that servers provide cache information through HTTP headers and make the cache valid for at least one week.

The server MUST provide its public key in JSON Web Key Set format, such as the following 2048-bit RSA key:

{
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "n": "o80vbR0ZfMhjZWfqwPUGNkcIeUcweFyzB2S2T-hje83IOVct8gVg9FxvHPK1ReEW3-p7-A8GNcLAuFP_8jPhiL6LyJC3F10aV9KPQFF-w6Eq6VtpEgYSfzvFegNiPtpMWd7C43EDwjQ-GrXMVCLrBYxZC-P1ShyxVBOzeR_5MTC0JGiDTecr_2YT6o_3aE2SIJu4iNPgGh9MnyxdBo0Uf0TmrqEIabquXA1-V8iUihwfI8qjf3EujkYi7gXXelIo4_gipQYNjr4DBNlE0__RI0kDU-27mb6esswnP2WgHZQPsk779fTcNDBIcYgyLujlcUATEqfCaPDNp00J6AbY6w",
      "kty": "RSA",
      "kid": "rsa1"
    }
  ]
}

Clients and protected resources SHOULD cache this key. It is RECOMMENDED that servers provide cache information through HTTP headers and make the cache valid for at least one week.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-17) was last changed on 06-Nov-2017 14:15 by jim