OIDC Discovery in wso2 Identity Server 5.3.0

Why is OIDC Discovery important?

Identity Server offers a JSON document under the /.well-known/openid-configuration URL. This document carries the issuer name, endpoint URLs, key material (the jwks_uri) and the capabilities of the provider, e.g. which scopes or response types it supports, so a relying party can configure itself from that one document instead of hand-copying endpoint URLs.

Use curl commands to discover the end user's OpenID Provider and the other information.

1. Start Identity Server, open a terminal and run the curl command below to obtain the 'href' value, which is the OpenID Connect discovery endpoint of the Identity Server.

(Here, resource is the identifier of the target end user who is the subject of the discovery request, and rel is the URI identifying the type of service whose location is being requested.)

2. You will get the following response.

"subject": "acct:admin@wso2.com@localhost",
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://localhost:9443/t/wso2.com/oauth2/oidcdiscovery"

3. Take the href you received, append /.well-known/openid-configuration to it and run the following curl command to obtain the OpenID Provider's details.

curl -v -k --user admin:admin https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration

{
  "scopes_supported": ["address", "phone", "email", "profile", "openid"],
  "issuer": "https://localhost:9443/oauth2/token",
  "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
  "claims_supported": ["birthdate", "preferred_username", "name", "phone_number", "profile", "region", "street_address", "locality", "zoneinfo", "locale", "sub", "gender", "formatted", "email_verified", "updated_at", "middle_name", "nickname", "email", "family_name", "website", "address", "phone_number_verified", "given_name", "picture", "postal_code", "country", "iss", "acr"],
  "token_endpoint": "https://localhost:9443/oauth2/token",
  "response_types_supported": ["id_token token", "code", "id_token", "token"],
  "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
  "jwks_uri": "https://localhost:9443/oauth2/jwks",
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "registration_endpoint": "https://localhost:9443/identity/connect/register"
}

The response contains the OpenID Provider's details: the issuer name, the endpoint URLs, the key material location (jwks_uri) and the capabilities of the provider, e.g. which scopes or response types it supports.
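The three steps above, as an added example that is not part of the original post or of WSO2's own code: it builds the WebFinger query for step 1, derives the discovery URL from the returned href for step 3, and then checks the provider metadata the way a relying party should before caching it. The WebFinger path /.well-known/webfinger is the RFC 7033 location and the localhost host is assumed to match the post's setup; the discovery document is a constructed copy of the values printed above. One check is worth calling out: OpenID Connect Discovery 1.0 requires the issuer value to equal the URL the configuration was fetched from minus the well-known suffix, and the issuer shown in the post (https://localhost:9443/oauth2/token) differs from the discovery URL prefix (https://localhost:9443/oauth2/oidcdiscovery), so a strict client flags it.

```python
"""Added example: WebFinger query, discovery URL derivation and metadata checks.
Not code from the original post; values below are constructed from the post."""
import json
from urllib.parse import urlencode, urlsplit

# RFC 7033 WebFinger endpoint on the issuer host (host/port assumed from the post).
WEBFINGER_BASE = "https://localhost:9443/.well-known/webfinger"
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed copy of the provider metadata printed in the post (claims list trimmed).
DISCOVERY_DOC = json.loads("""{
  "scopes_supported": ["address", "phone", "email", "profile", "openid"],
  "issuer": "https://localhost:9443/oauth2/token",
  "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
  "token_endpoint": "https://localhost:9443/oauth2/token",
  "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
  "jwks_uri": "https://localhost:9443/oauth2/jwks",
  "registration_endpoint": "https://localhost:9443/identity/connect/register",
  "response_types_supported": ["id_token token", "code", "id_token", "token"],
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

# Fields the Discovery spec marks REQUIRED for every OpenID Provider.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
)
ENDPOINT_KEYS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
    "jwks_uri", "registration_endpoint",
)


def webfinger_url(resource: str) -> str:
    """Step 1: build the query that asks which OpenID Provider serves `resource`."""
    return WEBFINGER_BASE + "?" + urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})


def discovery_url(href: str) -> str:
    """Step 3: append the well-known path to the href that WebFinger returned."""
    return href.rstrip("/") + WELL_KNOWN


def check_discovery(doc: dict, fetched_from: str) -> list[str]:
    """Return the problems found in a discovery document; empty means safe to cache."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field {field}")

    # Discovery 1.0 s4.3: issuer must be identical to the URL used for discovery,
    # otherwise the metadata could be bound to an issuer that never published it.
    expected_issuer = fetched_from.removesuffix(WELL_KNOWN).rstrip("/")
    issuer = str(doc.get("issuer", "")).rstrip("/")
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match discovery prefix {expected_issuer!r}")

    # Every endpoint a client will send tokens or credentials to must be https.
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not served over https: {url}")

    # An OP advertising alg=none would let unsigned ID tokens through a lax client.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned (alg=none) ID tokens")
    return problems


if __name__ == "__main__":
    print(webfinger_url("acct:admin@wso2.com@localhost"))
    url = discovery_url("https://localhost:9443/oauth2/oidcdiscovery")
    print(url)
    for problem in check_discovery(DISCOVERY_DOC, url):
        print("PROBLEM:", problem)
```

Run it as-is and the only finding is the issuer mismatch; the endpoint and algorithm checks pass for the metadata in the post. A client that fetches the document from the `oauth2/oidcdiscovery` URL but later validates ID tokens against `iss` = `https://localhost:9443/oauth2/token` needs to pin that pairing explicitly rather than rely on the spec's default equality rule.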

Originally published at hasanthipurnima.blogspot.com.

Written by

Associate Technical Lead @ WSO2
