!!! Overview
[{$pagename}] is the [Well-known] [URI] [Discovery Mechanism] for the [Provider Configuration URI] and is defined in [OpenID Connect Discovery]. It is the [OpenID Connect Provider|Identity Provider (IDP)]'s discovery document: a [JSON] document, published by the [Identity Provider (IDP)], that describes the provider's [API] [endpoints] used during the authentication sequence. Specifying this [URL] connects the [authenticator] to a particular [OpenID Connect Provider]. For [Example], see the [Google (including Google Apps) discovery document URL|https://accounts.google.com/.well-known/openid-configuration|target='_blank'].

The [{$pagename}] document is a [JSON] object listing the Provider's [OAuth 2.0] / [OpenID Connect] [Endpoints] as well as the supported grants, response types, client authentication methods and signing/encryption algorithms. Clients and application developers need these details to construct requests to the server, and a relying party can also use them to reject a misconfigured or hostile provider before any token is exchanged. The members of this [JSON] object, called [OpenID Connect] provider metadata, are described in section 3 of the [OpenID Connect Discovery] 1.0 specification.

[OpenID Connect] providers publish their [metadata] at a [Well-Known URI] formed by appending the well-known path to the [issuer] URL:
%%prettify
{{{
https://[base-server-url]/.well-known/openid-configuration
}}}
/%

!! [OAuth 2.0 Authorization Server Metadata]
[OAuth 2.0 Authorization Server Metadata] is the generic [OAuth 2.0] counterpart of this document and is used to signal the [Authorization Server]'s support for various configurations. It shares parameter names with [OpenID Connect Discovery] and registers additional ones such as [introspection_endpoint] and [revocation_endpoint].

!! [OpenID Connect Provider Metadata|Openid-configuration]
[1] OpenID provider metadata, as specified in [OpenID Connect Discovery] 1.0, section 3.

The [{$pagename}] response is a set of Claims about the [OpenID Provider|Identity Provider (IDP)]'s configuration, including all necessary endpoints and public key location information.
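What a relying party should do with the discovery document before trusting it, as an added example that is not part of this page or of any provider's code. It is plain Python with the standard library only; the provider op.example, the discovery document and the helper names are constructed for the example. It builds the well-known URL from the issuer, checks the members the discovery specification marks REQUIRED, rejects an issuer that does not match the one the URL was derived from, insists on https endpoints, flags a provider advertising "none" for ID token signing, and picks the strongest client authentication method offered.

```python
"""Added example: offline validation of an OpenID Provider discovery document.
Not code from the page or from any provider; op.example is a hypothetical OP."""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Members that OpenID Connect Discovery 1.0 section 3 marks REQUIRED.
REQUIRED = (
    "issuer", "authorization_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
ENDPOINT_MEMBERS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
    "jwks_uri", "registration_endpoint", "introspection_endpoint",
    "revocation_endpoint", "end_session_endpoint",
)


def discovery_url(issuer: str) -> str:
    """Well-known URL: the issuer (without a trailing slash) plus the fixed path."""
    return issuer.rstrip("/") + WELL_KNOWN


def validate_metadata(doc: dict, expected_issuer: str) -> list:
    """Return the list of problems found; an empty list means the document is acceptable."""
    problems = []
    for name in REQUIRED:
        if name not in doc:
            problems.append(f"missing REQUIRED member {name}")
    issuer = doc.get("issuer")
    if issuer is not None:
        parts = urlsplit(issuer)
        if parts.scheme != "https" or parts.query or parts.fragment:
            problems.append("issuer must use https with no query or fragment")
        # Issuer mix-up defence: the document must assert exactly the issuer we
        # derived the discovery URL from, otherwise one OP's tokens could be
        # presented as another's.
        if issuer.rstrip("/") != expected_issuer.rstrip("/"):
            problems.append(f"issuer {issuer!r} != configured {expected_issuer!r}")
    # token_endpoint is REQUIRED unless only the Implicit Flow is used.
    response_types = doc.get("response_types_supported", [])
    if "token_endpoint" not in doc and any("code" in rt.split() for rt in response_types):
        problems.append("token_endpoint missing although the code flow is advertised")
    for name in ENDPOINT_MEMBERS:
        url = doc.get(name)
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{name} is not https: {url}")
    # "none" is a registered JWS alg but must never be accepted for ID tokens.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("id_token_signing_alg_values_supported includes 'none'")
    return problems


def choose_token_auth(doc: dict) -> str:
    """Strongest client authentication method the OP supports; 'none' is never chosen."""
    supported = doc.get("token_endpoint_auth_methods_supported",
                        ["client_secret_basic"])  # default when the member is omitted
    for method in ("private_key_jwt", "client_secret_jwt",
                   "client_secret_basic", "client_secret_post"):
        if method in supported:
            return method
    raise ValueError("no acceptable token endpoint authentication method")


# Constructed discovery document for the hypothetical provider op.example.
SAMPLE = json.loads("""
{
  "issuer": "https://op.example",
  "authorization_endpoint": "https://op.example/authorize",
  "token_endpoint": "https://op.example/token",
  "jwks_uri": "https://op.example/jwks.json",
  "response_types_supported": ["code", "id_token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["RS256", "ES256"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt", "none"]
}
""")

if __name__ == "__main__":
    print(discovery_url("https://op.example/"))
    print(validate_metadata(SAMPLE, "https://op.example"))
    print(choose_token_auth(SAMPLE))
```

In a real client the document would be fetched over TLS from `discovery_url(issuer)` and the same checks run on the parsed body; the issuer comparison is the one that stops a document from one provider being substituted for another's.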
A successful response [MUST] use the [HTTP 200] OK [HTTP Status Code] and return a [JSON] object using the application/json content type that contains a set of [Claims] as its members that are a subset of the [Metadata] values.
* Claims that return multiple values are represented as [JSONArrays].
* Claims with zero elements [MUST] be omitted from the response.
* An error response uses the applicable HTTP status code value.

Additional OpenID Provider Metadata parameters [MAY] also be used. Some are defined by other specifications, such as [OpenID Connect Session Management] 1.0.

All [OpenID Connect] servers are uniquely identified by a [URL] known as the [issuer]. This [URL] serves as the prefix of the service [discovery|Discovery Mechanism] [endpoint] as specified in the [OpenID Connect Discovery] standard. The issuer value returned in the document [MUST] be identical to the issuer [URL] that was used to retrieve it, and to the iss Claim in ID Tokens from that issuer; a client that skips this comparison can be fed one provider's document under another provider's name.

[OpenID Connect Discovery] requires the discovery document to contain at minimum the following fields:
* [issuer] - The fully qualified [issuer] [URL] of the [server]
* [authorization_endpoint] - The fully qualified [URL] of the server's authorization endpoint defined by [RFC 6749]
* [token_endpoint] - The fully qualified [URL] of the server's token endpoint defined by [RFC 6749]; __REQUIRED__ unless only the [Implicit Flow] is used
* [jwks_uri] - The fully qualified [URI] of the server's public key in [JSON Web Key] Set (JWKS) format
* [response_types_supported] ([OpenID Connect Discovery])
* [subject_types_supported] ([OpenID Connect Discovery])
* [id_token_signing_alg_values_supported] ([OpenID Connect Discovery])

Deployment profiles built on [OpenID Connect] commonly also require the following, which the example below provides as well:
* [introspection_endpoint] - The fully qualified [URL] of the server's [introspection_endpoint] defined by [OAuth 2.0 Token Introspection]; the metadata parameter name is registered by [OAuth 2.0 Authorization Server Metadata]
* [revocation_endpoint] - The fully qualified [URL] of the server's revocation endpoint defined by [OAuth 2.0 Token Revocation]; the metadata parameter name is registered by [OAuth 2.0 Authorization Server Metadata]

The following example shows the JSON document found at a discovery endpoint for an authorization server:
%%prettify
{{{
{
  "request_parameter_supported": true,
  "id_token_encryption_alg_values_supported": [ "RSA-OAEP", "RSA1_5", "RSA-OAEP-256" ],
  "registration_endpoint": "https://idp-p.mitre.org/register",
  "userinfo_signing_alg_values_supported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512" ],
  "token_endpoint": "https://idp-p.mitre.org/token",
  "request_uri_parameter_supported": false,
  "request_object_encryption_enc_values_supported": [ "A192CBC-HS384", "A192GCM", "A256CBC+HS512", "A128CBC+HS256", "A256CBC-HS512", "A128CBC-HS256", "A128GCM", "A256GCM" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", "none" ],
  "userinfo_encryption_alg_values_supported": [ "RSA-OAEP", "RSA1_5", "RSA-OAEP-256" ],
  "subject_types_supported": [ "public", "pairwise" ],
  "id_token_encryption_enc_values_supported": [ "A192CBC-HS384", "A192GCM", "A256CBC+HS512", "A128CBC+HS256", "A256CBC-HS512", "A128CBC-HS256", "A128GCM", "A256GCM" ],
  "claims_parameter_supported": false,
  "jwks_uri": "https://idp-p.mitre.org/jwk",
  "id_token_signing_alg_values_supported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "none" ],
  "authorization_endpoint": "https://idp-p.mitre.org/authorize",
  "require_request_uri_registration": false,
  "introspection_endpoint": "https://idp-p.mitre.org/introspect",
  "request_object_encryption_alg_values_supported": [ "RSA-OAEP", "RSA1_5", "RSA-OAEP-256" ],
  "service_documentation": "https://idp-p.mitre.org/about",
  "response_types_supported": [ "code", "token" ],
  "token_endpoint_auth_signing_alg_values_supported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512" ],
  "revocation_endpoint": "https://idp-p.mitre.org/revoke",
  "request_object_signing_alg_values_supported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512" ],
  "claim_types_supported": [ "normal" ],
  "grant_types_supported": [ "authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "client_credentials", "urn:ietf:params:oauth:grant_type:redelegate" ],
  "scopes_supported": [ "profile", "openid", "email", "address", "phone", "offline_access" ],
  "userinfo_endpoint": "https://idp-p.mitre.org/userinfo",
  "userinfo_encryption_enc_values_supported": [ "A192CBC-HS384", "A192GCM", "A256CBC+HS512", "A128CBC+HS256", "A256CBC-HS512", "A128CBC-HS256", "A128GCM", "A256GCM" ],
  "op_tos_uri": "https://idp-p.mitre.org/about",
  "issuer": "https://idp-p.mitre.org/",
  "op_policy_uri": "https://idp-p.mitre.org/about",
  "claims_supported": [ "sub", "name", "preferred_username", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "zone_info", "locale", "updated_time", "birthdate", "email", "email_verified", "phone_number", "address" ]
}
}}}
/%

Two things in this document deserve a second look from a client: the server lists none under both [id_token_signing_alg_values_supported] and [token_endpoint_auth_methods_supported], and a client must never select either; and the "+" forms such as A256CBC+HS512 are pre-standard [JSON Web Encryption] names that this server advertises alongside the registered "-" forms.

Clients and [Resource Servers] [SHOULD] [cache] this discovery information. It is [RECOMMENDED] that servers provide [cache] information through [HTTP Header Fields] and make the cache valid for at least one week. Caching must still tolerate key rotation: a client that receives a token whose kid is absent from its cached JWK Set should refetch [jwks_uri] once before rejecting the token.

The server [MUST] provide its [Public Key] in [JSON Web Key] Set format, such as the following 2048-bit RSA key:
%%prettify
{{{
{
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "n": "o80vbR0ZfMhjZWfqwPUGNkcIeUcweFyzB2S2T-hje83IOVct8gVg9FxvHPK1ReEW3-p7-A8GNcLAuFP_8jPhiL6LyJC3F10aV9KPQFF-w6Eq6VtpEgYSfzvFegNiPtpMWd7C43EDwjQ-GrXMVCLrBYxZC-P1ShyxVBOzeR_5MTC0JGiDTecr_2YT6o_3aE2SIJu4iNPgGh9MnyxdBo0Uf0TmrqEIabquXA1-V8iUihwfI8qjf3EujkYi7gXXelIo4_gipQYNjr4DBNlE0__RI0kDU-27mb6esswnP2WgHZQPsk779fTcNDBIcYgyLujlcUATEqfCaPDNp00J6AbY6w",
      "kty": "RSA",
      "kid": "rsa1"
    }
  ]
}
}}}
/%

[JSON Object] members:
%%zebra-table
%%sortable
%%table-filter
||Value||TYPE||Required?||Description
|[issuer]|{string}|__REQUIRED__|URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported, this value __MUST__ be identical to the issuer value returned by [WebFinger]. This also __MUST__ be identical to the iss Claim value in ID Tokens issued from this Issuer.
|[authorization_endpoint]|{string}|__REQUIRED__|The [OAuth 2.0] authorization endpoint URL.
|[token_endpoint]|{string}|__REQUIRED__|The [OAuth 2.0] [Token_endpoint] URL. __REQUIRED__ unless only the [Implicit Flow] is used, in which case it may be omitted.
|[userinfo_endpoint]|{string}|__RECOMMENDED__|The [OpenID Connect] UserInfo endpoint URL; must use the https scheme.
|[jwks_uri]|{string}|__REQUIRED__|The public server JWK Set URL. It holds the signing key(s) the RP uses to validate signatures from the OP and may also hold the OP's encryption keys; when both are present, each key carries a use (key use) parameter to tell them apart.
|[registration_endpoint]|{string}|__RECOMMENDED__|The [OAuth 2.0] / [OpenID Connect] URL of the OP's Dynamic Client Registration Endpoint [OpenID.Registration].
|[scopes_supported]|{string array}|__RECOMMENDED__|List of the supported [OAuth Scope] values. Certain values may be omitted for privacy reasons.
|[response_types_supported]|{string array}|__REQUIRED__|List of the supported [OAuth 2.0] response_type values.
|[response_modes_supported]|{string array}|__OPTIONAL__|List of the supported [OAuth 2.0] response_mode values. If omitted, the default is query and fragment.
|[grant_types_supported]|{string array}|__OPTIONAL__|List of the supported [OAuth 2.0] [Grant Types]. If omitted, the default is authorization_code and implicit.
|[acr_values_supported]|{string array}|__OPTIONAL__|List of the supported Authentication Context Class References.
|[subject_types_supported]|{string array}|__REQUIRED__|List of the supported subject (end-user) identifier types: public and/or pairwise.
|[id_token_signing_alg_values_supported]|{string array}|__REQUIRED__|List of the supported [JSON Web Signature] algorithms for securing the issued ID tokens. RS256 __MUST__ be included. The value none __MAY__ be listed but __MUST NOT__ be used when the response type returns an ID Token from the Authorization Endpoint, and a client should never accept it.
|[id_token_encryption_alg_values_supported]|{string array}|__OPTIONAL__|List of the supported [JSON Web Encryption] algorithms for securing the issued ID tokens, omitted or empty if none.
|[id_token_encryption_enc_values_supported]|{string array}|__OPTIONAL__|List of the supported [JSON Web Encryption] encryption methods for securing the issued [Identity Tokens], omitted or empty if none.
|[userinfo_signing_alg_values_supported]|{string array}|__OPTIONAL__|List of the supported [JSON Web Signature] algorithms for securing the claims returned at the UserInfo endpoint.
|[userinfo_encryption_alg_values_supported]|{string array}|__OPTIONAL__|List of the supported [JSON Web Encryption] encryption algorithms for securing the claims returned at the UserInfo endpoint, omitted or empty if none.
|[userinfo_encryption_enc_values_supported]|{string array}|__OPTIONAL__|List of the supported [JSON Web Encryption] encryption methods for securing the claims returned at the UserInfo endpoint, omitted or empty if none.
|[request_object_signing_alg_values_supported]|{string array}|__OPTIONAL__|List of the supported [JSON Web Signature] algorithms for securing [OpenID Connect] request objects.
|[request_object_encryption_alg_values_supported]|{string array}|__OPTIONAL__|List of the supported [JSON Web Encryption] encryption algorithms for securing [OpenID Connect] request objects, omitted or empty if none.
|[request_object_encryption_enc_values_supported]|{string array}|__OPTIONAL__|List of the supported [JSON Web Encryption] encryption methods for securing [OpenID Connect] request objects, omitted or empty if none.
|[token_endpoint_auth_methods_supported]|{string array}|__OPTIONAL__|List of the supported client authentication methods at the [OAuth 2.0] [Token_endpoint]. If omitted, the default is client_secret_basic. A listed value of none means the server accepts unauthenticated (public) clients; a confidential client should never select it.
|[token_endpoint_auth_signing_alg_values_supported]|{string array}|__OPTIONAL__|List of the supported [JSON Web Signature] algorithms for [JSON Web Token]-based client authentication (private_key_jwt and client_secret_jwt) at the [OAuth 2.0] token endpoint, omitted or empty if none. Servers __SHOULD__ support RS256; the value none __MUST NOT__ be used.
|[display_values_supported]|{string array}|__OPTIONAL__|List of the supported display parameter values.
|[claim_types_supported]|{string array}|__OPTIONAL__|List of the supported OpenID Connect claim types (normal, aggregated, distributed). If omitted, the default is normal.
|[claims_supported]|{string array}|__RECOMMENDED__|List of the supported OpenID Connect claims. Certain values may be omitted for privacy reasons.
|[service_documentation]|{string}|__OPTIONAL__|The service documentation URL.
|[claims_locales_supported]|{string array}|__OPTIONAL__|List of the supported OpenID Connect claims locales, omitted or empty if none.
|[ui_locales_supported]|{string array}|__OPTIONAL__|List of the supported UI locales, omitted or empty if none.
|[claims_parameter_supported]|{boolean}|__OPTIONAL__|Specifies whether the claims request parameter is supported. If omitted, the default is false.
|[request_parameter_supported]|{boolean}|__OPTIONAL__|Specifies whether the request parameter is supported. If omitted, the default is false.
|[request_uri_parameter_supported]|{boolean}|__OPTIONAL__|Specifies whether the request_uri parameter is supported. If omitted, the default is true.
|[require_request_uri_registration]|{boolean}|__OPTIONAL__|Specifies whether request URIs must be pre-registered for a client before they may be used. If omitted, the default is false.
|[op_policy_uri]|{string}|__OPTIONAL__|The privacy policy document URL, omitted if none.
|[op_tos_uri]|{string}|__OPTIONAL__|The terms of service document URL, omitted if none.
|[check_session_iframe]|{string}|__OPTIONAL__|[REQUIRED] __IF__ the [OpenID Connect Provider] supports [OpenID Connect Session Management]: the [URL] of an OP iframe that exchanges session state with the RP across origins using the HTML5 postMessage API.
|[end_session_endpoint]|{string}|__OPTIONAL__|[REQUIRED] __IF__ the [OpenID Connect Provider] supports [OpenID Connect Session Management]: a [URL] at the OP to which an RP can redirect to request that the End-User be logged out at the OP.
|[frontchannel_logout_supported]|{boolean}|__OPTIONAL__|Specifies whether the [OpenID Connect Provider] supports HTTP-based (front-channel) logout, with true indicating support. If omitted, the default value is false.
|[frontchannel_logout_session_supported]|{boolean}|__OPTIONAL__|Specifies whether the [OpenID Connect Provider] can pass [iss] ([issuer]) and [sid] ([Session ID]) query parameters to identify the [Relying Party] session with the [OpenID Connect Provider] when the [frontchannel_logout_uri] is used. If supported, the [sid] Claim is also included in the [Id_token] issued by the [OpenID Connect Provider]. If omitted, the default value is false.
/%
/%
/%

!! Real-Life [Examples]
* [GLUU|https://idp.gluu.org/.well-known/openid-configuration|target='_blank']
* [oxAuth is an open source OpenID Provider|https://seed.gluu.org/oxauth/.well-known/openid-configuration|target='_blank']
* [Google (including Google Apps), the discovery document URL|https://accounts.google.com/.well-known/openid-configuration|target='_blank']
* [PayPal|https://www.paypal.com/.well-known/openid-configuration|target='_blank'] (appears to omit [jwks_uri], which is a __REQUIRED__ element of the [OpenID Provider metadata per OIDC specification|Jwks_uri])
* [SalesForce|https://login.salesforce.com/.well-known%2fopenid-configuration|target='_blank']
* [openidconnect.info|https://openidconnect.info/.well-known/openid-configuration|target='_blank']
* [Azure Microsoft Active Directory|https://login.microsoftonline.com/common/.well-known/openid-configuration|target='_blank'] (the multi-tenant common endpoint; its issuer value is a template containing {tenantid}, so a client must validate iss against the tenant-specific issuer rather than against this document)
* [pingfederate example openid-configuration]
* [PingFed Demo Server|https://token-provider-bc.ping-eng.com:9031/.well-known/openid-configuration|target='_blank']
* [heroku|https://connect-op.heroku.com/.well-known/openid-configuration|target='_blank']
* [OpenID4US|https://connect.openid4.us/.well-known/openid-configuration|target='_blank']
* [Okta|https://dev-158606.oktapreview.com/.well-known/openid-configuration|target='_blank']

The following is the non-normative example response given in the [OpenID Connect Discovery] specification:
%%prettify
{{{
HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer": "https://server.example.com",
  "authorization_endpoint": "https://server.example.com/connect/authorize",
  "token_endpoint": "https://server.example.com/connect/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"],
  "userinfo_endpoint": "https://server.example.com/connect/userinfo",
  "check_session_iframe": "https://server.example.com/connect/check_session",
  "end_session_endpoint": "https://server.example.com/connect/end_session",
  "jwks_uri": "https://server.example.com/jwks.json",
  "registration_endpoint": "https://server.example.com/connect/register",
  "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
  "response_types_supported": ["code", "code id_token", "id_token", "token id_token"],
  "acr_values_supported": ["urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:bronze"],
  "subject_types_supported": ["public", "pairwise"],
  "userinfo_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
  "userinfo_encryption_alg_values_supported": ["RSA1_5", "A128KW"],
  "userinfo_encryption_enc_values_supported": ["A128CBC-HS256", "A128GCM"],
  "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
  "id_token_encryption_alg_values_supported": ["RSA1_5", "A128KW"],
  "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A128GCM"],
  "request_object_signing_alg_values_supported": ["none", "RS256", "ES256"],
  "display_values_supported": ["page", "popup"],
  "claim_types_supported": ["normal", "distributed"],
  "claims_supported": ["sub", "iss", "auth_time", "acr", "name", "given_name", "family_name", "nickname", "profile", "picture", "website", "email", "email_verified", "locale", "zoneinfo", "http://example.info/claims/groups"],
  "claims_parameter_supported": true,
  "service_documentation": "http://server.example.com/connect/service_documentation.html",
  "ui_locales_supported": ["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
}
}}}
/%

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Server discovery endpoint|http://connect2id.com/products/server/docs/api/discovery|target='_blank'] - based on information obtained 2013-04-10
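The JWK Set served at [jwks_uri] and the [id_token_signing_alg_values_supported] list are what a relying party actually consumes from this document when an ID token arrives. The following is an added example, not code from this page, from the OpenID specifications or from any provider, showing that consumption end to end: the RSA key is read from a JWK shaped like the one above, the token's alg is checked against what the OP advertised (with none refused even when listed, as in the MITRE document above), the kid is matched in the JWK Set, the RS256 signature is verified, and iss, aud and exp are checked against the discovery issuer and the client. RSA PKCS#1 v1.5 is implemented in pure Python so the block runs with the standard library only; the key pair, the provider op.example, the client id client-1, the metadata, the JWK Set and the tokens are all constructed for the example, and a production client would use a vetted JOSE/crypto library for the RSA part.

```python
"""Added example: verify an ID token with the jwks_uri key and the advertised algs.
Not code from the page or any provider; op.example and client-1 are hypothetical."""
import base64, hashlib, json, random, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# ---- minimal RSA PKCS#1 v1.5 with SHA-256, i.e. JWS alg RS256 (demo only) ----
def _probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                         # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def gen_rsa(bits: int = 1024) -> tuple:
    """(n, e, d). 1024 bits keeps the example quick; real OP keys are 2048 or more."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017

def _emsa(msg: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa(msg, k), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa(msg, k)

# ---- JWK Set and ID token handling ----------------------------------------
def jwk_to_rsa(jwk: dict) -> tuple:
    """(n, e) from a JWK shaped like the entry in the page's JWK Set."""
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA key")
    return (int.from_bytes(b64url_decode(jwk["n"]), "big"),
            int.from_bytes(b64url_decode(jwk["e"]), "big"))

def verify_id_token(token: str, metadata: dict, jwks: dict, client_id: str, now: int) -> dict:
    """Header, signature and core claim checks; returns the claims or raises ValueError."""
    h64, p64, s64 = token.split(".")
    alg = json.loads(b64url_decode(h64)).get("alg")
    kid = json.loads(b64url_decode(h64)).get("kid")
    # Only what the OP advertised, and never "none": an unsigned token is a forgery.
    if alg == "none" or alg not in metadata["id_token_signing_alg_values_supported"]:
        raise ValueError(f"unacceptable alg {alg!r}")
    if alg != "RS256":
        raise ValueError("only RS256 is implemented in this example")
    keys = [k for k in jwks["keys"] if k.get("kid") == kid]
    if len(keys) != 1:
        raise ValueError("kid not in JWK Set (refetch jwks_uri once before giving up)")
    n, e = jwk_to_rsa(keys[0])
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != metadata["issuer"]:
        raise ValueError("iss does not match the discovery issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain this client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def check_id_token(token: str, metadata: dict, jwks: dict, client_id: str, now: int) -> str:
    """'ok' or the rejection reason, for callers that log rather than catch."""
    try:
        verify_id_token(token, metadata, jwks, client_id, now)
        return "ok"
    except ValueError as exc:
        return str(exc)

# ---- constructed fixtures for the hypothetical OP op.example ---------------
N, E, D = gen_rsa()
KID = "rsa1"
METADATA = {"issuer": "https://op.example", "jwks_uri": "https://op.example/jwks.json",
            "id_token_signing_alg_values_supported": ["RS256", "none"]}
JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "kid": KID,
                  "n": b64url(N.to_bytes((N.bit_length() + 7) // 8, "big")),
                  "e": b64url(E.to_bytes(3, "big"))}]}

def mint_id_token(claims: dict, alg: str = "RS256", kid: str = KID) -> str:
    """Sign as the OP would; with alg 'none' the signature is empty (an attacker's token)."""
    head = b64url(json.dumps({"alg": alg, "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = "" if alg == "none" else b64url(rs256_sign(f"{head}.{body}".encode(), N, D))
    return f"{head}.{body}.{sig}"

if __name__ == "__main__":
    now = int(time.time())
    good = mint_id_token({"iss": METADATA["issuer"], "sub": "alice", "aud": "client-1", "exp": now + 300})
    print(check_id_token(good, METADATA, JWKS, "client-1", now))            # ok
    forged = mint_id_token({"iss": METADATA["issuer"], "sub": "admin", "aud": "client-1", "exp": now + 300}, alg="none")
    print(check_id_token(forged, METADATA, JWKS, "client-1", now))          # unacceptable alg 'none'
```

The order of the checks matters: the algorithm is pinned to the discovery document before any key is looked up, so an attacker cannot steer the verifier into an HMAC or unsigned path; the kid lookup is what makes the one-week cache safe, because an unknown kid is the cue to refresh [jwks_uri] rather than a reason to trust a different key.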