Overview#

Openid-configuration is the well-known URI discovery mechanism for the Provider Configuration URI defined in OpenID Connect Discovery 1.0.

The URI serves a JSON document that provides configuration information about the Identity Provider (IDP), called the OpenID Provider (OP) in the specification.

That document is the OpenID Connect Provider's discovery document. It describes the provider's API endpoints used during the authentication sequence; pointing an authenticator (the Relying Party) at this URL connects it to a particular OpenID Connect provider. For example, for Google (including Google Apps), the discovery document URL

The openid-configuration document is a JSON object listing the Provider's OAuth 2.0 / OpenID Connect endpoints as well as the supported grants, response types, client authentication methods, and signing and encryption algorithms. Clients and application developers need these details to construct requests to the server. Because everything a client later trusts (token endpoint, key location, issuer identifier) comes from this document, a client should fetch it only over TLS from the issuer it was configured with and check that the issuer member matches that issuer before using any of the other values.

The members of this JSON object, called OpenID Connect provider metadata, are described in section 3 of the OpenID Connect Discovery 1.0 specification. OpenID Connect providers publish their metadata at a well-known URI which looks like this:

https://[base-server-url]/.well-known/openid-configuration

OpenID Connect provider metadata [1]#

OpenID provider metadata, as specified in OpenID Connect Discovery 1.0, section 3.

The Openid-configuration response is a set of Claims about the OpenID Provider's configuration, including all necessary endpoints and public key location information.

A successful response MUST use the 200 OK HTTP Status Code and return a JSON object using the application/json content type that contains a set of Claims as its members that are a subset of the Metadata values.

  • Claims that return multiple values are represented as JSON arrays.
  • Claims with zero elements MUST be omitted from the response.
  • An error response uses the applicable HTTP status code value.

Additional OpenID Provider Metadata parameters MAY also be used. Some are defined by other specifications, such as OpenID Connect Session Management 1.0, which is where the check_session_iframe and end_session_endpoint members in the example below come from.

JSON object members:

| Value | Type | Required? | Description |
|---|---|---|---|
| issuer | {string} | REQUIRED | URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported, this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. |
| authorization_endpoint | {string} | REQUIRED | The OAuth 2.0 Authorization Endpoint URL. |
| token_endpoint | {string} | REQUIRED unless only the Implicit Flow is used | The OAuth 2.0 Token Endpoint URL. |
| userinfo_endpoint | {string} | RECOMMENDED | The OpenID Connect UserInfo Endpoint URL. MUST use the https scheme. |
| jwks_uri | {string} | REQUIRED | URL of the OP's public JSON Web Key Set document. It contains the signing key(s) the RP uses to validate signatures from the OP and MAY also contain the server's encryption key(s). |
| registration_endpoint | {string} | RECOMMENDED | URL of the OP's Dynamic Client Registration Endpoint (OpenID Connect Dynamic Client Registration 1.0). |
| scopes_supported | {string array} | RECOMMENDED | List of the supported OAuth 2.0 scope values. The server MUST support the openid scope value; other values may be omitted for privacy reasons. |
| response_types_supported | {string array} | REQUIRED | List of the supported OAuth 2.0 response_type values. Dynamic OPs MUST support the code, id_token and token id_token values. |
| response_modes_supported | {string array} | OPTIONAL | List of the supported OAuth 2.0 response_mode values. If omitted, the default is query and fragment. |
| grant_types_supported | {string array} | OPTIONAL | List of the supported OAuth 2.0 Grant Types. If omitted, the default is authorization_code and implicit. |
| acr_values_supported | {string array} | OPTIONAL | List of the supported Authentication Context Class References. |
| subject_types_supported | {string array} | REQUIRED | List of the supported subject (end-user) identifier types. Valid values are pairwise and public. |
| id_token_signing_alg_values_supported | {string array} | REQUIRED | List of the supported JSON Web Signature algorithms for securing the issued ID Tokens. RS256 MUST be included. The value none MAY be advertised but MUST NOT be used unless the response type used returns no ID Token from the Authorization Endpoint. |
| id_token_encryption_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption key management algorithms for securing the issued ID Tokens; omitted if none. |
| id_token_encryption_enc_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption content encryption methods for securing the issued ID Tokens; omitted if none. |
| userinfo_signing_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Signature algorithms for securing the claims returned at the UserInfo Endpoint. |
| userinfo_encryption_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption key management algorithms for securing the claims returned at the UserInfo Endpoint; omitted if none. |
| userinfo_encryption_enc_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption content encryption methods for securing the claims returned at the UserInfo Endpoint; omitted if none. |
| request_object_signing_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Signature algorithms for securing OpenID Connect Request Objects. |
| request_object_encryption_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption key management algorithms for securing OpenID Connect Request Objects; omitted if none. |
| request_object_encryption_enc_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption content encryption methods for securing OpenID Connect Request Objects; omitted if none. |
| token_endpoint_auth_methods_supported | {string array} | OPTIONAL | List of the supported client authentication methods at the OAuth 2.0 Token Endpoint. If omitted, the default is client_secret_basic. |
| token_endpoint_auth_signing_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Signature algorithms for JWT-based client authentication (private_key_jwt and client_secret_jwt) at the Token Endpoint; omitted if none. |
| display_values_supported | {string array} | OPTIONAL | List of the supported display parameter values. |
| claim_types_supported | {string array} | OPTIONAL | List of the supported OpenID Connect Claim Types (normal, aggregated, distributed). |
| claims_supported | {string array} | RECOMMENDED | List of the Claim Names the OP MAY be able to supply values for. For privacy or other reasons this might not be an exhaustive list. |
| service_documentation | {string} | OPTIONAL | URL of human-readable documentation for the service. |
| claims_locales_supported | {string array} | OPTIONAL | List of the supported Claim locales (BCP47 language tags); omitted if none. |
| ui_locales_supported | {string array} | OPTIONAL | List of the supported UI locales (BCP47 language tags); omitted if none. |
| claims_parameter_supported | {true\|false} | OPTIONAL | Whether the claims request parameter is supported. Default false. |
| request_parameter_supported | {true\|false} | OPTIONAL | Whether the request parameter (a Request Object passed by value) is supported. Default false. |
| request_uri_parameter_supported | {true\|false} | OPTIONAL | Whether the request_uri parameter (a Request Object passed by reference) is supported. Default true. |
| require_request_uri_registration | {true\|false} | OPTIONAL | Whether request_uri values must be pre-registered for a client with the register_uris registration parameter. Default false. |
| op_policy_uri | {string} | OPTIONAL | URL of the OP's privacy policy document (how the RP may use data provided by the OP); omitted if none. |
| op_tos_uri | {string} | OPTIONAL | URL of the OP's terms of service document; omitted if none. |
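The checks a Relying Party should run over a fetched discovery document follow directly from the requirements above and from section 4.3 of the Discovery spec (the returned issuer MUST be identical to the Issuer URL used to retrieve the document). The validator below is an added example written for this page; it is not code from the OpenID Foundation, the original page, or any provider. The two sample documents and the op.example.net issuer in them are constructed for illustration.

```python
"""Validate an OpenID Connect provider metadata document before trusting it.

Added example, not code from the page or from any OpenID Provider.
GOOD_DOC, BAD_DOC and the issuer https://op.example.net are constructed.
"""
import json
from urllib.parse import urlsplit

# Members that OpenID Connect Discovery 1.0, section 3, marks REQUIRED.
REQUIRED_MEMBERS = (
    "issuer", "authorization_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
# Members that carry codes, tokens or keys; plain http is not acceptable.
URL_MEMBERS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
    "jwks_uri", "registration_endpoint",
)


def discovery_url(issuer: str) -> str:
    """Well-known URI for an issuer: any path is kept and
    /.well-known/openid-configuration is appended (Discovery 1.0, section 4)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_provider_metadata(doc: dict, issuer_used: str) -> list:
    """Return a list of problems; an empty list means the document passed.

    issuer_used is the Issuer URL the client built the discovery URL from.
    A mismatching issuer means the client would validate ID Tokens against
    the wrong iss value, or has been handed another provider's document.
    """
    problems = []
    for name in REQUIRED_MEMBERS:
        if name not in doc:
            problems.append(f"missing REQUIRED member {name}")

    issuer = doc.get("issuer")
    if isinstance(issuer, str):
        parts = urlsplit(issuer)
        if parts.scheme != "https" or parts.query or parts.fragment:
            problems.append("issuer must be an https URL with no query or fragment")
        if issuer != issuer_used:
            problems.append(f"issuer {issuer!r} != issuer used for discovery {issuer_used!r}")

    # token_endpoint is REQUIRED unless only the Implicit Flow is used,
    # i.e. unless no advertised response_type contains "code".
    response_types = doc.get("response_types_supported", [])
    if any("code" in rt.split() for rt in response_types) and "token_endpoint" not in doc:
        problems.append("token_endpoint missing although a code response_type is advertised")

    for name in URL_MEMBERS:
        url = doc.get(name)
        if url is not None and urlsplit(url).scheme != "https":
            problems.append(f"{name} is not an https URL")

    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("id_token_signing_alg_values_supported MUST include RS256")
    if "none" in algs:
        # The spec lets an OP advertise none; rejecting it outright is this
        # validator's policy, since an RP never wants an unsigned ID Token.
        problems.append("id_token_signing_alg_values_supported advertises none")

    for subject_type in doc.get("subject_types_supported", []):
        if subject_type not in ("public", "pairwise"):
            problems.append(f"unknown subject type {subject_type!r}")

    # scopes_supported is only RECOMMENDED, but if present it must list openid.
    scopes = doc.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("scopes_supported does not include openid")

    # Claims with zero elements MUST be omitted from the response.
    for name, value in doc.items():
        if isinstance(value, list) and not value:
            problems.append(f"{name} is an empty array and MUST be omitted")
    return problems


def load_and_validate(body: str, issuer_used: str) -> list:
    """Parse an application/json response body and validate it."""
    return validate_provider_metadata(json.loads(body), issuer_used)


# Constructed sample documents (op.example.net is not a real provider).
GOOD_DOC = {
    "issuer": "https://op.example.net",
    "authorization_endpoint": "https://op.example.net/authorize",
    "token_endpoint": "https://op.example.net/token",
    "jwks_uri": "https://op.example.net/jwks.json",
    "scopes_supported": ["openid", "profile"],
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public", "pairwise"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
}
BAD_DOC = {
    "issuer": "http://op.example.net/?v=1",          # http, and a query string
    "authorization_endpoint": "https://op.example.net/authorize",
    "response_types_supported": ["code"],            # code flow, but no token_endpoint
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["HS256"],  # RS256 missing
    "acr_values_supported": [],                      # empty arrays must be omitted
}
```

Run it against a real provider by fetching discovery_url(issuer) over TLS and passing the body and the same issuer string to load_and_validate; anything in the returned list should stop the client from using the document.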

Real-Life Examples#

The following is the non-normative example response from OpenID Connect Discovery 1.0, section 4.2:

  HTTP/1.1 200 OK
  Content-Type: application/json

  {
   "issuer":
     "https://server.example.com",
   "authorization_endpoint":
     "https://server.example.com/connect/authorize",
   "token_endpoint":
     "https://server.example.com/connect/token",
   "token_endpoint_auth_methods_supported":
     ["client_secret_basic", "private_key_jwt"],
   "token_endpoint_auth_signing_alg_values_supported":
     ["RS256", "ES256"],
   "userinfo_endpoint":
     "https://server.example.com/connect/userinfo",
   "check_session_iframe":
     "https://server.example.com/connect/check_session",
   "end_session_endpoint":
     "https://server.example.com/connect/end_session",
   "jwks_uri":
     "https://server.example.com/jwks.json",
   "registration_endpoint":
     "https://server.example.com/connect/register",
   "scopes_supported":
     ["openid", "profile", "email", "address",
      "phone", "offline_access"],
   "response_types_supported":
     ["code", "code id_token", "id_token", "token id_token"],
   "acr_values_supported":
     ["urn:mace:incommon:iap:silver",
      "urn:mace:incommon:iap:bronze"],
   "subject_types_supported":
     ["public", "pairwise"],
   "userinfo_signing_alg_values_supported":
     ["RS256", "ES256", "HS256"],
   "userinfo_encryption_alg_values_supported":
     ["RSA1_5", "A128KW"],
   "userinfo_encryption_enc_values_supported":
     ["A128CBC-HS256", "A128GCM"],
   "id_token_signing_alg_values_supported":
     ["RS256", "ES256", "HS256"],
   "id_token_encryption_alg_values_supported":
     ["RSA1_5", "A128KW"],
   "id_token_encryption_enc_values_supported":
     ["A128CBC-HS256", "A128GCM"],
   "request_object_signing_alg_values_supported":
     ["none", "RS256", "ES256"],
   "display_values_supported":
     ["page", "popup"],
   "claim_types_supported":
     ["normal", "distributed"],
   "claims_supported":
     ["sub", "iss", "auth_time", "acr",
      "name", "given_name", "family_name", "nickname",
      "profile", "picture", "website",
      "email", "email_verified", "locale", "zoneinfo",
      "http://example.info/claims/groups"],
   "claims_parameter_supported":
     true,
   "service_documentation":
     "http://server.example.com/connect/service_documentation.html",
   "ui_locales_supported":
     ["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
  }
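How a client consumes this document when it builds its first request, as an added example (not code from the page or from any provider): it takes the subset of the example response above that it needs, confirms the provider advertises the Authorization Code flow and the requested scopes, picks the strongest client authentication method and ID Token algorithm the provider offers, and records the state, nonce and issuer it must check on the way back. The client_id, redirect_uri and scopes are constructed, and the preference orders are this example's policy rather than anything the spec mandates.

```python
"""Build an OpenID Connect authorization request from provider metadata.

Added example, not code from the page or from any OpenID Provider.
EXAMPLE_METADATA is the subset of the spec's non-normative discovery
response above; client_id and redirect_uri values are constructed.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

EXAMPLE_METADATA = {
    "issuer": "https://server.example.com",
    "authorization_endpoint": "https://server.example.com/connect/authorize",
    "token_endpoint": "https://server.example.com/connect/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"],
    "jwks_uri": "https://server.example.com/jwks.json",
    "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
    "response_types_supported": ["code", "code id_token", "id_token", "token id_token"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
}

# Asymmetric client authentication first: the private key never leaves the
# client, whereas client_secret_basic sends the shared secret on every call.
AUTH_METHOD_PREFERENCE = ("private_key_jwt", "client_secret_jwt",
                          "client_secret_basic", "client_secret_post")
# Pin asymmetric ID Token signing. HS256 ID Tokens are keyed with the
# client_secret, so anyone holding that secret could mint one.
ID_TOKEN_ALG_PREFERENCE = ("ES256", "RS256")


def choose_token_endpoint_auth(meta):
    # Discovery 1.0: if the member is omitted the default is client_secret_basic.
    supported = meta.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    for method in AUTH_METHOD_PREFERENCE:
        if method in supported:
            return method
    raise ValueError("no acceptable token endpoint authentication method")


def choose_id_token_alg(meta):
    for alg in ID_TOKEN_ALG_PREFERENCE:
        if alg in meta["id_token_signing_alg_values_supported"]:
            return alg
    raise ValueError("provider offers no acceptable ID Token signing algorithm")


def unsupported_scopes(meta, scopes):
    """Scopes the provider does not advertise. scopes_supported is only
    RECOMMENDED; when it is absent nothing can be ruled out."""
    advertised = meta.get("scopes_supported")
    if advertised is None:
        return []
    return [s for s in scopes if s not in advertised]


def build_authorization_request(meta, client_id, redirect_uri,
                                scopes=("openid", "profile", "email")):
    """Return (authorization URL, pending-login record).

    The record is what the client must check on the way back: state against
    the redirect, and iss, nonce and alg against the ID Token.
    """
    if "code" not in meta["response_types_supported"]:
        raise ValueError("provider does not advertise the Authorization Code flow")
    if "openid" not in scopes:
        raise ValueError("OpenID Connect requests must include the openid scope")
    missing = unsupported_scopes(meta, scopes)
    if missing:
        raise ValueError(f"provider does not advertise scopes {missing}")

    pending = {
        "state": secrets.token_urlsafe(32),   # binds the redirect to this session (CSRF)
        "nonce": secrets.token_urlsafe(32),   # must reappear in the ID Token (replay)
        "issuer": meta["issuer"],             # must equal the ID Token iss claim
        "id_token_alg": choose_id_token_alg(meta),
        "token_endpoint": meta["token_endpoint"],
        "token_endpoint_auth": choose_token_endpoint_auth(meta),
        "jwks_uri": meta["jwks_uri"],
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": pending["state"],
        "nonce": pending["nonce"],
    }
    return meta["authorization_endpoint"] + "?" + urlencode(params), pending


def parse_authorization_url(url):
    """Split a request URL back into its endpoint and single-valued parameters."""
    parts = urlsplit(url)
    endpoint = parts._replace(query="", fragment="").geturl()
    return endpoint, {k: v[0] for k, v in parse_qs(parts.query).items()}
```

The pending record is the part most clients get wrong: the issuer, nonce and pinned algorithm are fixed at request time, before any response arrives, so a token carrying a different iss or alg is rejected regardless of how it is signed.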

More Information#

There might be more information for this subject on one of the following:

« This page (revision-34) was last changed on 09-Jun-2017 10:11 by jim