Server discovery endpoint

1. Discovering the server’s endpoints and capabilities

The Connect2id server publishes a JSON object listing its OAuth 2.0 / OpenID Connect endpoints as well as the supported grants, response types, authentication methods and security algorithms. These details are needed by dynamic clients and application developers to construct requests to the server.

The members of this JSON object, called OpenID Connect provider metadata, are described in section 3 of the OpenID Connect Discovery 1.0 specification. OpenID providers publish their metadata at a well-known URL which looks like this:

https://[base-server-url]/.well-known/openid-configuration

2. Web API overview

Resources
Representations Errors

3. Resources

3.1 /.well-known/openid-configuration

3.1.1 GET

Retrieves the server’s metadata.

Success:

Errors:

Example request to get the server’s metadata:

GET /.well-known/openid-configuration HTTP/1.1
Host: c2id.com

The response containing a JSON object with the metadata:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer"                                : "https://c2id.com",
  "token_endpoint"                        : "https://c2id.com/token",
  "introspection_endpoint"                : "https://c2id.com/token/introspect",
  "revocation_endpoint"                   : "https://c2id.com/token/revoke",
  "authorization_endpoint"                : "https://c2id.com/login",
  "userinfo_endpoint"                     : "https://c2id.com/userinfo",
  "registration_endpoint"                 : "https://demo.c2id.com/c2id/client-reg",
  "jwks_uri"                              : "https://demo.c2id.com/c2id/jwks.json",
  "scopes_supported"                      : [ "openid",
                                              "profile",
                                              "email",
                                              "address",
                                              "phone",
                                              "offline_access" ],
  "response_types_supported"              : [ "code",
                                              "id_token",
                                              "token id_token",
                                              "code id_token" ,
                                              "code token id_token" ],
  "response_modes_supported"              : [ "query",
                                              "fragment",
                                               "form_post" ],
  "grant_types_supported"                 : [ "implicit",
                                              "authorization_code",
                                              "refresh_token",
                                              "password",
                                              "client_credentials",
                                              "urn:ietf:params:oauth:grant-type:jwt-bearer",      
                                              "urn:ietf:params:oauth:grant-type:saml2-bearer" ],      
  "code_challenge_methods_supported"      : [ "S256",
                                              "plain" ],
  "acr_values_supported"                  : [ "urn:c2id:acr:bronze",
                                              "urn:c2id:acr:silver"
                                              "urn:c2id:acr:gold" ],
  "subject_types_supported"               : [ "public" ],                                
  "token_endpoint_auth_methods_supported" : [ "client_secret_basic",
                                              "client_secret_post",
                                              "client_secret_jwt",
                                              "private_key_jwt" ],                                 
  "token_endpoint_auth_signing_alg_values_supported" : 
                                            [ "HS256",
                                              "HS512",
                                              "HS384",
                                              "RS256",
                                              "RS384",
                                              "RS512",
                                              "PS256",
                                              "PS384",
                                              "PS512",
                                              "ES256",
                                              "ES384",
                                              "ES512" ],                                 
  "id_token_signing_alg_values_supported" : [ "RS256",
                                              "RS384",
                                              "RS512",
                                              "PS256",
                                              "PS384",
                                              "PS512",
                                              "HS256",
                                              "HS384",
                                              "HS512" ],
  "userinfo_signing_alg_values_supported" : [ "RS256",
                                              "RS384",
                                              "RS512",
                                              "PS256",
                                              "PS384",
                                              "PS512",
                                              "HS256",
                                              "HS384",
                                              "HS512" ],   
  "display_values_supported"              : [ "page", 
                                              "popup" ],   
  "claim_types_supported"                 : [ "normal" ],   
  "claims_supported"                      : [ "sub",
                                              "iss",
                                              "auth_time",
                                              "acr",
                                              "name",
                                              "given_name",
                                              "family_name",
                                              "nickname",
                                              "email",
                                              "email_verified" ],
  "ui_locales_supported"                  : [ "en" ],   
  "claims_parameter_supported"            : true,   
  "request_parameter_supported"           : false,
  "request_uri_parameter_supported"       : false,
  "require_request_uri_registration"      : false
}

4. Representations

4.1 OpenID provider metadata

OpenID provider metadata, as specified in OpenID Connect Discovery 1.0, section 3 and other extension specifications.

JSON object members:

  • issuer {string} The server identifier, typically the base URL of the Connect2id server, using the https scheme, e.g. https://c2id.com

  • jwks_uri {string} The public server JWK set URL.

  • registration_endpoint {string} The OAuth 2.0 / OpenID Connect client registration endpoint URL.

  • authorization_endpoint {string} The OAuth 2.0 authorisation endpoint URL.

  • token_endpoint {string} The OAuth 2.0 token endpoint URL.

  • introspection_endpoint {string} The [OAuth 2.0 token introspection endpoint URL.

  • revocation_endpoint {string} The OAuth 2.0 token revocation endpoint URL.

  • userinfo_endpoint {string} The OpenID Connect UserInfo endpoint URL.

  • [ end_session_endpoint ] {string} The OpenID Connect logout endpoint URL, omitted if disabled.

  • grant_types_supported {string array} List of the supported OAuth 2.0 grant types.

  • response_types_supported {string array} List of the supported OAuth 2.0 response_type values.

  • response_modes_supported {string array} List of the supported OAuth 2.0

  • code_challenge_methods_supported {string array} List of the supported transformation methods on the authorisation code verifier for Proof Key for Code Exchange (PKCE). response_mode values.

  • token_endpoint_auth_methods_supported {string array} List of the supported client authentication methods at the OAuth 2.0 token endpoint.

  • [ token_endpoint_auth_signing_alg_values_supported ] {string array} List of the supported JWS algorithms for JWT-based client authentication at the OAuth 2.0 token endpoint, omitted or empty if none.

  • id_token_signing_alg_values_supported {string array} List of the supported JWS algorithms for securing the issued ID tokens.

  • [ id_token_encryption_alg_values_supported ] {string array} List of the supported JWE algorithms for securing the issued ID tokens, omitted or empty if none.

  • [ id_token_encryption_enc_values_supported ] {string array} Lisf of the supported JWE encryption methods for securing the issued ID tokens, omitted or empty if none.

  • userinfo_signing_alg_values_supported {string array} List of the supported JWS algorithms for securing the claims returned at the UserInfo endpoint.

  • [ userinfo_encryption_alg_values_supported ] {string array} List of the supported JWE encryption algorithms for securing the claims returned at the UserInfo endpoint, omitted or empty if none.

  • [ userinfo_encryption_enc_values_supported ] {string array} List of the supported JWE encryption methods for securing the claims returned at the UserInfo endpoint, omitted or empty if none.

  • [ request_object_signing_alg_values_supported ] {string array} List of the supported JWS algorithms for securing OpenID Connect request objects.

  • [ request_object_encryption_alg_values_supported ] {string array} List of the supported JWE encryption algorithms for securing OpenID Connect request objects, omitted or empty if none.

  • [ request_object_encryption_enc_values_supported ] {string array} List of the supported JWE encryption methods for securing OpenID Connect request objects, omitted or empty if none.

  • subject_types_supported {string array} List of the supported subject (end-user) identifier types.

  • acr_values_supported {string array} List of the supported Authentication Context Class References.

  • display_values_supported {string array} List of the supported display parameters.

  • scopes_supported {string array} List of the supported scope values. Certain values may be omitted for privacy reasons.

  • claim_types_supported {string array} List of the supported OpenID Connect claim types.

  • claims_supported {string array} List of the supported OpenID Connect claims. Certain values may be omitted for privacy reasons.

  • [ claims_locales_supported ] {string array} List of the supported OpenID Connect claims locales, omitted or empty if none.

  • [ ui_locales_supported ] {string array} List of the supported UI locales, omitted or empty if none.

  • claims_parameter_supported {true|false} Specifies whether the claims request parameter is supported.

  • request_parameter_supported {true|false} Specifies whether the request parameter is supported.

  • request_uri_parameter_supported {true|false} Specifies whether the request_uri parameter is supported.

  • require_request_uri_registration {true|false} Specifies whether request URIs must be registered for a client.

  • request_uri_quota {integer} Custom parameter, specified the maximum number of request_uris a client may register.

  • [ mutual_tls_sender_constrained_access_tokens ] {true|false} Specifies whether issue of client X.509 certificate bound access tokens is supported, omitted implies no support.

  • [ op_policy_uri ] {string} The privacy policy document URL, omitted if none.

  • [ op_tos_uri ] {string} The terms of service document URL, omitted if none.

  • [ service_documentation ] {string} The service documentation URL, omitted if none.

5. Errors

404 Not Found

The requested resource doesn’t exist.

Example:

HTTP/1.1 404 Not Found

500 Internal Server Error

An internal server error has occurred. Check the Connect2id server logs for details.

Example:

HTTP/1.1 500 Internal Server Error