OpenID Connect Discovery
Fleeting
- External reference: https://openid.net/specs/openid-connect-discovery-1_0.html
- External reference: https://swagger.io/docs/specification/authentication/openid-connect-discovery/
Final: OpenID Connect Discovery 1.0 incorporating errata set 1
OpenID Providers have metadata describing their configuration. These OpenID Provider Metadata values are used by OpenID Connect
— https://openid.net/specs/openid-connect-discovery-1_0.html
- jwks_uri
- REQUIRED. URL of the OP’s JSON Web Key Set [JWK] (Jones, M., “JSON Web Key (JWK),” July 2014.) document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server’s encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key’s intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
— https://openid.net/specs/openid-connect-discovery-1_0.html
OpenID Connect defines a discovery mechanism, called OpenID Connect Discovery, where an OpenID server publishes its metadata at a well-known URL, typically
https://server.com/.well-known/openid-configuration
— https://swagger.io/docs/specification/authentication/openid-connect-discovery/
clients can use this information to construct a request to the OpenID server.
— https://swagger.io/docs/specification/authentication/openid-connect-discovery/
Using the Issuer location discovered as described in Section 2 (OpenID Provider Issuer Discovery) or by other means, the OpenID Provider’s configuration information can be retrieved.
— https://openid.net/specs/openid-connect-discovery-1_0.html
OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer
— https://openid.net/specs/openid-connect-discovery-1_0.html
syntax and semantics of .well-known are defined in RFC 5785 (Nottingham, M. and E. Hammer-Lahav, “Defining Well-Known Uniform Resource Identifiers (URIs),” April 2010.)
— https://openid.net/specs/openid-connect-discovery-1_0.html
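Added example, not code from the spec or from any provider: the checks a Relying Party should run on the discovery document and on the JWK Set it points to, covering both the jwks_uri text quoted above (use parameter when signing and encryption keys are mixed, bare key values present even with x5c) and the well-known path construction (concatenated onto the Issuer, so an Issuer path such as /issuer1 survives and a trailing slash is dropped). The issuer, endpoints and key material are constructed placeholders; nothing is fetched.

```python
"""Relying Party sanity checks for OpenID Connect Discovery (added example;
the metadata and JWK Set are constructed sample data with placeholder keys)."""
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Fields the spec marks REQUIRED in the OpenID Provider Metadata.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def discovery_url(issuer: str) -> str:
    """Concatenate (not substitute) the well-known path onto the Issuer. The
    spec requires an https Issuer without query or fragment and removes any
    terminating slash before appending the path."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be https with no query or fragment")
    return issuer.rstrip("/") + WELL_KNOWN


def check_metadata(expected_issuer: str, doc: dict) -> list:
    """Return a list of problems; empty means the document passed."""
    problems = [f"missing required field {f}" for f in REQUIRED if f not in doc]
    # The issuer in the document MUST be identical to the Issuer used to
    # retrieve it; a mismatch is how a look-alike issuer shows up.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    # token_endpoint is REQUIRED unless only the Implicit Flow is used, i.e.
    # whenever any advertised response type includes 'code'.
    uses_code = any("code" in rt.split() for rt in doc.get("response_types_supported", []))
    if uses_code and "token_endpoint" not in doc:
        problems.append("token_endpoint missing although a code response type is advertised")
    # Practitioner check: every endpoint the RP will call should be https.
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        url = doc.get(field)
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{field} is not https: {url}")
    return problems


PRIVATE_PARAMS = ("d", "p", "q", "dp", "dq", "qi")  # must never appear in a published set


def check_jwks(jwks: dict) -> list:
    """Checks from the jwks_uri text plus two RP hygiene checks (private
    parameters, duplicate kid)."""
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["JWK Set has no keys"]
    problems = []
    uses = {k.get("use") for k in keys}
    # When signing and encryption keys are both published, 'use' is REQUIRED on
    # every key. A set whose keys all omit 'use' is single-purpose and allowed;
    # a set mixing 'use' values with keys that lack it is not.
    if None in uses and len(uses) > 1:
        problems.append("mixed-purpose JWK Set with keys lacking 'use'")
    seen = set()
    for k in keys:
        kid, kty = k.get("kid"), k.get("kty")
        # Bare key values MUST be present even when x5c is supplied.
        if kty == "RSA" and not all(p in k for p in ("n", "e")):
            problems.append(f"RSA key {kid!r} lacks bare n/e values")
        elif kty == "EC" and not all(p in k for p in ("crv", "x", "y")):
            problems.append(f"EC key {kid!r} lacks bare crv/x/y values")
        if any(p in k for p in PRIVATE_PARAMS):
            problems.append(f"key {kid!r} publishes private parameters")
        if kid in seen:
            problems.append(f"duplicate kid {kid!r}")
        seen.add(kid)
    return problems


def signing_keys(jwks: dict) -> list:
    """Keys an RP may use to verify OP signatures: 'use' is 'sig' or absent and
    key_ops, if present, permits 'verify'. Encryption keys are never used."""
    return [k for k in jwks.get("keys", [])
            if k.get("use") in (None, "sig")
            and ("key_ops" not in k or "verify" in k["key_ops"])]


# Constructed sample data (hypothetical provider, placeholder key material).
SAMPLE_ISSUER = "https://op.example.com/issuer1"
SAMPLE_METADATA = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
}
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256", "n": "placeholder-n1", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-1", "use": "enc", "alg": "RSA-OAEP", "n": "placeholder-n2", "e": "AQAB"},
]}


def run_example() -> dict:
    """Run the checks on the good samples and on two deliberately broken copies."""
    bad_meta = dict(SAMPLE_METADATA, issuer="https://op.example.com")  # path dropped
    stripped = {k: v for k, v in SAMPLE_JWKS["keys"][0].items() if k != "use"}
    bad_jwks = {"keys": [stripped, SAMPLE_JWKS["keys"][1]]}
    return {
        "url": discovery_url(SAMPLE_ISSUER),
        "good_meta": check_metadata(SAMPLE_ISSUER, SAMPLE_METADATA),
        "bad_meta": check_metadata(SAMPLE_ISSUER, bad_meta),
        "good_jwks": check_jwks(SAMPLE_JWKS),
        "bad_jwks": check_jwks(bad_jwks),
        "verify_kids": [k["kid"] for k in signing_keys(SAMPLE_JWKS)],
    }


if __name__ == "__main__":
    for name, result in run_example().items():
        print(f"{name}: {result}")
```

The issuer comparison is the check most often skipped in practice: an RP that fetches metadata from one URL and then accepts whatever issuer the document claims has no protection against a provider serving another provider's metadata. The key-selection helper deliberately excludes keys marked "enc" so an RP never verifies an ID token against an encryption key, even if the OP reuses one key for both, which the spec text above marks NOT RECOMMENDED.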
Notes linking here
- how do I create an OAuth 2.0/OIDC resource server? (blog)
- JSON Web Key Sets
- link with well-known/oauth-authorization-server and well-known/openid-configuration
- OAuth 2.0 Authorization Server Metadata