Konubinix' opinionated web of thoughts

OAuth 2.0 Authorization Server Metadata


metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server


By default, the well-known URI string used is “/.well-known/oauth-authorization-server”.


The following is a non-normative example response:

HTTP/1.1 200 OK Content-Type: application/json

{ “issuer”: “https://server.example.com”, “authorization_endpoint”: “https://server.example.com/authorize”, “token_endpoint”: “https://server.example.com/token”, “token_endpoint_auth_methods_supported”: [“client_secret_basic”, “private_key_jwt”], “token_endpoint_auth_signing_alg_values_supported”: [“RS256”, “ES256”], “userinfo_endpoint”: “https://server.example.com/userinfo”, “jwks_uri”: “https://server.example.com/jwks.json”, “registration_endpoint”: “https://server.example.com/register”, “scopes_supported”: [“openid”, “profile”, “email”, “address”, “phone”, “offline_access”], “response_types_supported”: [“code”, “code token”], “service_documentation”: “http://server.example.com/service_documentation.html”, “ui_locales_supported”: [“en-US”, “en-GB”, “en-CA”, “fr-FR”, “fr-CA”] }


Authorization servers can have metadata describing their configuration. The following authorization server metadata values are used by this specification and are registered in the IANA “OAuth Authorization Server Metadata” registry established in Section 7.1:


OPTIONAL. URL of the authorization server’s JWK Set [JWK] document. The referenced document contains the signing key(s) the client uses to validate signatures from the authorization server. This URL MUST use the “https” scheme. The JWK Set MAY also contain the server’s encryption key or keys, which are used by clients to encrypt requests to the server. When both signing and encryption keys are made available, a “use” (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key’s intended usage.


This specification generalizes the metadata format defined by “OpenID Connect Discovery 1.0” [OpenID.Discovery] in a way that is compatible with OpenID Connect Discovery while being applicable to a wider set of OAuth 2.0 use cases.


Notes pointant ici