Openid-configuration is a URI defined within OpenID Connect which provides configuration information about the Identity Provider (IDP).
Openid-configuration is the OpenID Connect Provider's discovery document. The discovery document describes the provider's API endpoints used during the authentication sequence. Specifying this URL connects the authenticator to a particular OpenID Connect Provider. For example, for Google (including Google Apps), the discovery document URL
The Openid-configuration publishes a JSON object listing the Provider's OAuth 2.0 / OpenID Connect Endpoints as well as the supported grants, response types, authentication methods and security algorithms. These details are needed by clients and application developers to construct requests to the server.
The members of this JSON object, called OpenID Connect provider metadata, are described in section 3 of the OpenID Connect Discovery 1.0 specification. OpenID Connect providers publish their metadata at a Well-Known URI which looks like this:
https://[base-server-url]/.well-known/openid-configuration
The Openid-configuration response is a set of Claims about the OpenID Provider's configuration, including all necessary endpoints and public key location information.
A successful response MUST use the HTTP 200 OK status code and return a JSON object with the application/json content type, whose members are a set of Claims that form a subset of the Metadata values.
Additional OpenID Provider Metadata parameters MAY also be used. Some are defined by other specifications, such as OpenID Connect Session Management 1.0.
All OpenID Connect servers are uniquely identified by a URL known as the issuer. This URL serves as the prefix of a service discovery endpoint as specified in the OpenID Connect Discovery standard. The discovery document MUST contain at minimum the following fields:
The following example shows the JSON document found at a discovery endpoint for an authorization server:
```json
{
  "request_parameter_supported": true,
  "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA1_5", "RSA-OAEP-256"],
  "registration_endpoint": "https://idp-p.mitre.org/register",
  "userinfo_signing_alg_values_supported": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512"],
  "token_endpoint": "https://idp-p.mitre.org/token",
  "request_uri_parameter_supported": false,
  "request_object_encryption_enc_values_supported": ["A192CBC-HS384", "A192GCM", "A256CBC+HS512", "A128CBC+HS256", "A256CBC-HS512", "A128CBC-HS256", "A128GCM", "A256GCM"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", "none"],
  "userinfo_encryption_alg_values_supported": ["RSA-OAEP", "RSA1_5", "RSA-OAEP-256"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_encryption_enc_values_supported": ["A192CBC-HS384", "A192GCM", "A256CBC+HS512", "A128CBC+HS256", "A256CBC-HS512", "A128CBC-HS256", "A128GCM", "A256GCM"],
  "claims_parameter_supported": false,
  "jwks_uri": "https://idp-p.mitre.org/jwk",
  "id_token_signing_alg_values_supported": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "none"],
  "authorization_endpoint": "https://idp-p.mitre.org/authorize",
  "require_request_uri_registration": false,
  "introspection_endpoint": "https://idp-p.mitre.org/introspect",
  "request_object_encryption_alg_values_supported": ["RSA-OAEP", "RSA1_5", "RSA-OAEP-256"],
  "service_documentation": "https://idp-p.mitre.org/about",
  "response_types_supported": ["code", "token"],
  "token_endpoint_auth_signing_alg_values_supported": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512"],
  "revocation_endpoint": "https://idp-p.mitre.org/revoke",
  "request_object_signing_alg_values_supported": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512"],
  "claim_types_supported": ["normal"],
  "grant_types_supported": ["authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "client_credentials", "urn:ietf:params:oauth:grant_type:redelegate"],
  "scopes_supported": ["profile", "openid", "email", "address", "phone", "offline_access"],
  "userinfo_endpoint": "https://idp-p.mitre.org/userinfo",
  "userinfo_encryption_enc_values_supported": ["A192CBC-HS384", "A192GCM", "A256CBC+HS512", "A128CBC+HS256", "A256CBC-HS512", "A128CBC-HS256", "A128GCM", "A256GCM"],
  "op_tos_uri": "https://idp-p.mitre.org/about",
  "issuer": "https://idp-p.mitre.org/",
  "op_policy_uri": "https://idp-p.mitre.org/about",
  "claims_supported": ["sub", "name", "preferred_username", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "zone_info", "locale", "updated_time", "birthdate", "email", "email_verified", "phone_number", "address"]
}
```
Clients and Resource Servers SHOULD cache this discovery information. It is RECOMMENDED that servers provide cache information through HTTP Header Fields and make the cache valid for at least one week. The server MUST provide its Public Key in JSON Web Key Set format, such as the following 2048-bit RSA key:
```json
{
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "n": "o80vbR0ZfMhjZWfqwPUGNkcIeUcweFyzB2S2T-hje83IOVct8gVg9FxvHPK1ReEW3-p7-A8GNcLAuFP_8jPhiL6LyJC3F10aV9KPQFF-w6Eq6VtpEgYSfzvFegNiPtpMWd7C43EDwjQ-GrXMVCLrBYxZC-P1ShyxVBOzeR_5MTC0JGiDTecr_2YT6o_3aE2SIJu4iNPgGh9MnyxdBo0Uf0TmrqEIabquXA1-V8iUihwfI8qjf3EujkYi7gXXelIo4_gipQYNjr4DBNlE0__RI0kDU-27mb6esswnP2WgHZQPsk779fTcNDBIcYgyLujlcUATEqfCaPDNp00J6AbY6w",
      "kty": "RSA",
      "kid": "rsa1"
    }
  ]
}
```
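As an added example (not code from the original page or from MITRE), the following Python audit builds the well-known URL from an issuer, checks a parsed discovery document for the REQUIRED members of the metadata table, enforces the issuer rules stated above (https, no query or fragment, identical to the issuer the document was fetched for), flags the `none` ID-token signing algorithm that the MITRE document above advertises, and verifies the modulus bit length of an RSA JWK such as the 2048-bit key just shown. Function names are my own, and the sample document and JWK are constructed for the example.

```python
import base64
from urllib.parse import urlsplit
# Members the metadata table marks REQUIRED (OpenID Connect Discovery 1.0, section 3).
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")

def well_known_url(issuer: str) -> str:
    # https://[base-server-url]/.well-known/openid-configuration, built from the issuer
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def audit_discovery(doc: dict, expected_issuer: str) -> list:
    """Return findings for a parsed discovery document; an empty list means it passed."""
    findings = [f"missing required member: {m}" for m in REQUIRED if m not in doc]
    iss = doc.get("issuer", "")
    parts = urlsplit(iss)
    if parts.scheme != "https" or parts.query or parts.fragment:
        findings.append("issuer must be an https URL without query or fragment")
    # The document must name the issuer it was fetched for (issuer mix-up defence).
    if iss != expected_issuer:
        findings.append(f"issuer mismatch: got {iss!r}, expected {expected_issuer!r}")
    # token_endpoint is REQUIRED unless only the Implicit Flow is used.
    offers_code = any("code" in rt.split() for rt in doc.get("response_types_supported", []))
    if offers_code and "token_endpoint" not in doc:
        findings.append("token_endpoint missing although the code flow is offered")
    # Every endpoint and the JWK set must be served over https.
    for member, value in doc.items():
        if (member.endswith("_endpoint") or member == "jwks_uri") and urlsplit(value).scheme != "https":
            findings.append(f"{member} is not https: {value}")
    # alg "none" advertises unsigned ID tokens; a relying party must never accept them.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("id_token_signing_alg_values_supported advertises 'none'")
    return findings

def rsa_modulus_bits(jwk: dict) -> int:
    """Bit length of an RSA JWK modulus; 'n' is base64url without padding, so re-pad it."""
    n = jwk["n"]
    raw = base64.urlsafe_b64decode(n + "=" * (-len(n) % 4))
    return int.from_bytes(raw, "big").bit_length()

# Constructed sample: a trimmed version of the MITRE document shown above.
SAMPLE_DOC = {
    "issuer": "https://idp-p.mitre.org/",
    "authorization_endpoint": "https://idp-p.mitre.org/authorize",
    "token_endpoint": "https://idp-p.mitre.org/token",
    "jwks_uri": "https://idp-p.mitre.org/jwk",
    "response_types_supported": ["code", "token"],
    "subject_types_supported": ["public", "pairwise"],
    "id_token_signing_alg_values_supported": ["RS256", "none"],
}
# Constructed JWK whose modulus is 2^2047 (top bit set): a size placeholder, not a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": base64.urlsafe_b64encode(b"\x80" + bytes(255)).rstrip(b"=").decode()}
```

Run against the full MITRE document above, the audit reports only the `none` signing algorithm; the same check on the page's 2048-bit key returns 2048.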
JSON Object members:
Member | Type | Required? | Description |
---|---|---|---|
issuer | {string} | REQUIRED | URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported, this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. |
authorization_endpoint | {string} | REQUIRED | The OAuth 2.0 authorisation endpoint URL. |
token_endpoint | {string} | OPTIONAL | The OAuth 2.0 token endpoint URL. This is REQUIRED unless only the Implicit Flow is used. |
userinfo_endpoint | {string} | RECOMMENDED | The OpenID Connect UserInfo endpoint URL. |
jwks_uri | {string} | REQUIRED | The public server JWK set URL. |
registration_endpoint | {string} | RECOMMENDED | The URL of the OP's Dynamic Client Registration endpoint (OpenID Connect Dynamic Client Registration 1.0). |
scopes_supported | {string array} | RECOMMENDED | List of the supported OAuth Scope values. Certain values may be omitted for privacy reasons. |
response_types_supported | {string array} | REQUIRED | List of the supported OAuth 2.0 response_type values. |
response_modes_supported | {string array} | OPTIONAL | List of the supported OAuth 2.0 response_mode values. |
grant_types_supported | {string array} | OPTIONAL | List of the supported OAuth 2.0 Grant Types. |
acr_values_supported | {string array} | OPTIONAL | List of the supported Authentication Context Class References. |
subject_types_supported | {string array} | REQUIRED | List of the supported subject (end-user) identifier types. |
id_token_signing_alg_values_supported | {string array} | REQUIRED | List of the supported JSON Web Signature algorithms for securing the issued ID tokens. |
id_token_encryption_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption algorithms for securing the issued ID tokens, omitted or empty if none. |
id_token_encryption_enc_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption encryption methods for securing the issued Identity Tokens, omitted or empty if none. |
userinfo_signing_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Signature algorithms for securing the claims returned at the UserInfo endpoint. |
userinfo_encryption_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption encryption algorithms for securing the claims returned at the UserInfo endpoint, omitted or empty if none. |
userinfo_encryption_enc_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption encryption methods for securing the claims returned at the UserInfo endpoint, omitted or empty if none. |
request_object_signing_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Signature algorithms for securing OpenID Connect request objects. |
request_object_encryption_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption encryption algorithms for securing OpenID Connect request objects, omitted or empty if none. |
request_object_encryption_enc_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Encryption encryption methods for securing OpenID Connect request objects, omitted or empty if none. |
token_endpoint_auth_methods_supported | {string array} | OPTIONAL | List of the supported client authentication methods at the OAuth 2.0 token endpoint. |
token_endpoint_auth_signing_alg_values_supported | {string array} | OPTIONAL | List of the supported JSON Web Signature algorithms for JSON Web Token-based client authentication at the OAuth 2.0 token endpoint, omitted or empty if none. |
display_values_supported | {string array} | OPTIONAL | List of the supported display parameters. |
claim_types_supported | {string array} | OPTIONAL | List of the supported OpenID Connect claim types. |
claims_supported | {string array} | RECOMMENDED | List of the supported OpenID Connect claims. Certain values may be omitted for privacy reasons. |
service_documentation | {string array} | OPTIONAL | The service documentation URL. |
claims_locales_supported | {string array} | OPTIONAL | List of the supported OpenID Connect claims locales, omitted or empty if none. |
ui_locales_supported | {string array} | OPTIONAL | List of the supported UI locales, omitted or empty if none. |
claims_parameter_supported | {true|false} | OPTIONAL | Specifies whether the claims request parameter is supported. |
request_parameter_supported | {true|false} | OPTIONAL | Specifies whether the request parameter is supported. |
request_uri_parameter_supported | {true|false} | OPTIONAL | Specifies whether the request_uri parameter is supported. |
require_request_uri_registration | {true|false} | OPTIONAL | Specifies whether request URIs must be registered for a client. |
op_policy_uri | {string} | OPTIONAL | The privacy policy document URL, omitted if none. |
op_tos_uri | {string} | OPTIONAL | The terms of service document URL, omitted if none. |
check_session_iframe | {string} | OPTIONAL | REQUIRED if the OpenID Connect Provider supports OpenID Connect Session Management. |
end_session_endpoint | {string} | OPTIONAL | REQUIRED if the OpenID Connect Provider supports OpenID Connect Session Management; a URL at the OP to which an RP can redirect to request that the End-User be logged out at the OP. |
frontchannel_logout_supported | {string} | OPTIONAL | Boolean value specifying whether the OpenID Connect Provider supports HTTP-based logout, with true indicating support. If omitted, the default value is false. |
frontchannel_logout_session_supported | {string} | OPTIONAL | Boolean value specifying whether the OpenID Connect Provider can pass iss (issuer) and sid (session ID) query parameters to identify the Relying Party session with the OpenID Connect Provider when the frontchannel_logout_uri is used. If supported, the sid Claim is also included in ID Tokens issued by the OpenID Connect Provider. If omitted, the default value is false. |
The following is a non-normative example response:
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer": "https://server.example.com",
  "authorization_endpoint": "https://server.example.com/connect/authorize",
  "token_endpoint": "https://server.example.com/connect/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"],
  "userinfo_endpoint": "https://server.example.com/connect/userinfo",
  "check_session_iframe": "https://server.example.com/connect/check_session",
  "end_session_endpoint": "https://server.example.com/connect/end_session",
  "jwks_uri": "https://server.example.com/jwks.json",
  "registration_endpoint": "https://server.example.com/connect/register",
  "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
  "response_types_supported": ["code", "code id_token", "id_token", "token id_token"],
  "acr_values_supported": ["urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:bronze"],
  "subject_types_supported": ["public", "pairwise"],
  "userinfo_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
  "userinfo_encryption_alg_values_supported": ["RSA1_5", "A128KW"],
  "userinfo_encryption_enc_values_supported": ["A128CBC-HS256", "A128GCM"],
  "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
  "id_token_encryption_alg_values_supported": ["RSA1_5", "A128KW"],
  "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A128GCM"],
  "request_object_signing_alg_values_supported": ["none", "RS256", "ES256"],
  "display_values_supported": ["page", "popup"],
  "claim_types_supported": ["normal", "distributed"],
  "claims_supported": ["sub", "iss", "auth_time", "acr", "name", "given_name", "family_name", "nickname", "profile", "picture", "website", "email", "email_verified", "locale", "zoneinfo", "http://example.info/claims/groups"],
  "claims_parameter_supported": true,
  "service_documentation": "http://server.example.com/connect/service_documentation.html",
  "ui_locales_supported": ["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
}
```