Server discovery endpoint

1. Discovering the server's endpoints and capabilities

The Connect2id server publishes a JSON document listing its standard endpoints, supported OAuth 2.0 grants, response types, authentication methods and security algorithms. These details are needed by dynamic clients and application developers to construct requests to the server.

This JSON document, called OpenID provider metadata, has its format specified in OpenID Connect Discovery 1.0.

OpenID providers publish their metadata at a well-known URL which looks like this:

https://[base-server-url]/.well-known/openid-configuration

The Connect2id server also publishes the same metadata at the well-known URL defined for plain OAuth 2.0 authorisation servers (RFC 8414):

https://[base-server-url]/.well-known/oauth-authorization-server
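As an added illustration, not part of the Connect2id documentation or code, the following Python derives both well-known URLs from an issuer identifier and then validates a fetched metadata document the way a relying party should before trusting any endpoint in it: the issuer in the document must equal the issuer the URL was built from, the required members must be present and every endpoint must use https. The two suffix rules differ when the issuer has a path component (OpenID Connect Discovery appends its suffix, RFC 8414 inserts its suffix between host and path). The HTTPS fetch is replaced by a constructed in-memory table; the hosts op.example and weak.example and all sample documents are made up.

```python
import json
from urllib.parse import urlsplit, urlunsplit

OIDC_SUFFIX = "/.well-known/openid-configuration"
OAUTH_SUFFIX = "/.well-known/oauth-authorization-server"

# Members OpenID Connect Discovery 1.0 requires in provider metadata
# (token_endpoint is required unless only the implicit flow is used).
REQUIRED_MEMBERS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def discovery_urls(issuer: str) -> dict:
    """Derive the OpenID Connect and RFC 8414 well-known URLs from an issuer.

    Discovery 1.0 concatenates its suffix to the issuer URL; RFC 8414 inserts
    its suffix between the host and any path component. Both give the same
    shape for an issuer without a path, such as https://c2id.com."""
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        raise ValueError("issuer must use the https scheme: %r" % issuer)
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment: %r" % issuer)
    path = parts.path.rstrip("/")
    return {
        "openid": urlunsplit((parts.scheme, parts.netloc, path + OIDC_SUFFIX, "", "")),
        "oauth": urlunsplit((parts.scheme, parts.netloc, OAUTH_SUFFIX + path, "", "")),
    }


def validate_metadata(expected_issuer: str, doc: dict) -> dict:
    """Check a fetched document before any of its endpoints are used.

    The issuer member must be byte-for-byte equal to the issuer used to build
    the discovery URL (Discovery 1.0, section 4.3); a mismatch means the
    document describes a different server, or the fetch was redirected."""
    missing = [m for m in REQUIRED_MEMBERS if m not in doc]
    if missing:
        raise ValueError("metadata is missing required members: %s" % ", ".join(missing))
    if doc["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch: expected %r, got %r" % (expected_issuer, doc["issuer"]))
    for key, value in doc.items():
        # Every endpoint and URI member must be an https URL
        if key.endswith(("_endpoint", "_uri")) and isinstance(value, str):
            if urlsplit(value).scheme != "https":
                raise ValueError("%s is not an https URL: %r" % (key, value))
    return doc


def discover(issuer: str, fetch) -> dict:
    """Resolve, fetch (via the supplied fetch(url) -> str) and validate."""
    url = discovery_urls(issuer)["openid"]
    return validate_metadata(issuer, json.loads(fetch(url)))


def discovery_error(issuer: str, fetch):
    """Return the validation error message for an issuer, or None if clean."""
    try:
        discover(issuer, fetch)
        return None
    except ValueError as exc:
        return str(exc)


def _doc(issuer: str, **overrides) -> str:
    """Build a constructed minimal metadata document as a JSON string."""
    base = {
        "issuer": issuer,
        "authorization_endpoint": issuer + "/login",
        "token_endpoint": issuer + "/token",
        "jwks_uri": issuer + "/jwks.json",
        "response_types_supported": ["code"],
        "subject_types_supported": ["public"],
        "id_token_signing_alg_values_supported": ["RS256"],
    }
    base.update(overrides)
    return json.dumps(base)


# Constructed responses keyed by URL, standing in for HTTPS fetches (none of
# this is real Connect2id output; op.example and weak.example are made up).
SAMPLE_RESPONSES = {
    "https://c2id.com/.well-known/openid-configuration": _doc("https://c2id.com"),
    # Served for op.example but claims to be c2id.com: must be rejected
    "https://op.example/.well-known/openid-configuration": _doc("https://c2id.com"),
    # Advertises a plaintext token endpoint: must be rejected
    "https://weak.example/.well-known/openid-configuration": _doc(
        "https://weak.example", token_endpoint="http://weak.example/token"),
}


def offline_fetch(url: str) -> str:
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    print(discover("https://c2id.com", offline_fetch)["token_endpoint"])
    print(discovery_error("https://op.example", offline_fetch))
    print(discovery_error("https://weak.example", offline_fetch))
```

The issuer comparison is deliberately an exact string match rather than a normalised one; a document whose issuer differs only by a trailing slash or port will also be rejected, which is the behaviour the Discovery specification calls for.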

2. Web API overview

  • Resources

  • Representations

  • Errors

3. Resources

3.1 /.well-known/openid-configuration

3.1.1 GET

Retrieves the server's OpenID provider metadata.

Success:

  • Code: 200

  • Content-Type: application/json

  • Body: {object} The OpenID provider metadata.

Errors:

  • 404 Not Found

  • 500 Internal Server Error

Example request to get the server's metadata:

GET /.well-known/openid-configuration HTTP/1.1
Host: c2id.com

The response containing a JSON object with the metadata:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer"                                : "https://c2id.com",
  "token_endpoint"                        : "https://c2id.com/token",
  "introspection_endpoint"                : "https://c2id.com/token/introspect",
  "revocation_endpoint"                   : "https://c2id.com/token/revoke",
  "authorization_endpoint"                : "https://c2id.com/login",
  "userinfo_endpoint"                     : "https://c2id.com/userinfo",
  "registration_endpoint"                 : "https://demo.c2id.com/c2id/client-reg",
  "jwks_uri"                              : "https://demo.c2id.com/c2id/jwks.json",
  "scopes_supported"                      : [ "openid",
                                              "profile",
                                              "email",
                                              "address",
                                              "phone",
                                              "offline_access" ],
  "response_types_supported"              : [ "code",
                                              "id_token",
                                              "token id_token",
                                              "code id_token",
                                              "code token id_token" ],
  "response_modes_supported"              : [ "query",
                                              "fragment",
                                              "form_post" ],
  "grant_types_supported"                 : [ "implicit",
                                              "authorization_code",
                                              "refresh_token",
                                              "password",
                                              "client_credentials",
                                              "urn:ietf:params:oauth:grant-type:jwt-bearer",      
                                              "urn:ietf:params:oauth:grant-type:saml2-bearer" ],      
  "code_challenge_methods_supported"      : [ "S256",
                                              "plain" ],
  "acr_values_supported"                  : [ "urn:c2id:acr:bronze",
                                              "urn:c2id:acr:silver",
                                              "urn:c2id:acr:gold" ],
  "subject_types_supported"               : [ "public" ],                                
  "token_endpoint_auth_methods_supported" : [ "client_secret_basic",
                                              "client_secret_post",
                                              "client_secret_jwt",
                                              "private_key_jwt" ],                                 
  "token_endpoint_auth_signing_alg_values_supported" : 
                                            [ "HS256",
                                              "HS512",
                                              "HS384",
                                              "RS256",
                                              "RS384",
                                              "RS512",
                                              "PS256",
                                              "PS384",
                                              "PS512",
                                              "ES256",
                                              "ES384",
                                              "ES512" ],                                 
  "id_token_signing_alg_values_supported" : [ "RS256",
                                              "RS384",
                                              "RS512",
                                              "PS256",
                                              "PS384",
                                              "PS512",
                                              "HS256",
                                              "HS384",
                                              "HS512" ],
  "userinfo_signing_alg_values_supported" : [ "RS256",
                                              "RS384",
                                              "RS512",
                                              "PS256",
                                              "PS384",
                                              "PS512",
                                              "HS256",
                                              "HS384",
                                              "HS512" ],   
  "display_values_supported"              : [ "page", 
                                              "popup" ],   
  "claim_types_supported"                 : [ "normal" ],   
  "claims_supported"                      : [ "sub",
                                              "iss",
                                              "auth_time",
                                              "acr",
                                              "name",
                                              "given_name",
                                              "family_name",
                                              "nickname",
                                              "email",
                                              "email_verified" ],
  "ui_locales_supported"                  : [ "en" ],   
  "claims_parameter_supported"            : true,   
  "request_parameter_supported"           : false,
  "request_uri_parameter_supported"       : false,
  "require_request_uri_registration"      : false
}

3.2 /.well-known/oauth-authorization-server

3.2.1 GET

Retrieves the server's OAuth 2.0 authorisation server metadata.

Success:

  • Code: 200

  • Content-Type: application/json

  • Body: {object} The OpenID provider metadata, which is a superset of the OAuth 2.0 authorisation server metadata (RFC 8414); plain OAuth 2.0 clients can ignore the OpenID Connect specific members.

Errors:

  • 404 Not Found

  • 500 Internal Server Error

4. Representations

4.1 OpenID provider metadata

OpenID provider metadata, as specified in OpenID Connect Discovery 1.0, section 3, together with members defined in extension specifications.

May also include custom fields.

JSON object members:

  • issuer {string} The server identifier, typically the base URL of the Connect2id server, using the https scheme, e.g. https://c2id.com

  • jwks_uri {string} The public server JWK set URL.

  • registration_endpoint {string} The OAuth 2.0 / OpenID Connect client registration endpoint URL.

  • authorization_endpoint {string} The OAuth 2.0 authorisation endpoint URL.

  • token_endpoint {string} The OAuth 2.0 token endpoint URL.

  • introspection_endpoint {string} The OAuth 2.0 token introspection endpoint URL.

  • revocation_endpoint {string} The OAuth 2.0 token revocation endpoint URL.

  • userinfo_endpoint {string} The OpenID Connect UserInfo endpoint URL.

  • [ check_session_iframe ] {string} The OpenID Connect check session iframe URL, omitted if disabled.

  • [ end_session_endpoint ] {string} The OpenID Connect logout endpoint URL, omitted if disabled.

  • grant_types_supported {string array} List of the supported OAuth 2.0 grant types.

  • response_types_supported {string array} List of the supported OAuth 2.0 response_type values.

  • response_modes_supported {string array} List of the supported OAuth 2.0 response_mode values.

  • code_challenge_methods_supported {string array} List of the supported Proof Key for Code Exchange (PKCE) code challenge methods, i.e. the transformations the client may apply to its code verifier (S256 or plain).

  • token_endpoint_auth_methods_supported {string array} List of the supported client authentication methods at the OAuth 2.0 token endpoint.

  • [ token_endpoint_auth_signing_alg_values_supported ] {string array} List of the supported JWS algorithms for JWT-based client authentication (client_secret_jwt and private_key_jwt) at the OAuth 2.0 token endpoint, omitted or empty if none.

  • id_token_signing_alg_values_supported {string array} List of the supported JWS algorithms for securing the issued ID tokens.

  • [ id_token_encryption_alg_values_supported ] {string array} List of the supported JWE algorithms for securing the issued ID tokens, omitted or empty if none.

  • [ id_token_encryption_enc_values_supported ] {string array} List of the supported JWE encryption methods for securing the issued ID tokens, omitted or empty if none.

  • userinfo_signing_alg_values_supported {string array} List of the supported JWS algorithms for securing the claims returned at the UserInfo endpoint.

  • [ userinfo_encryption_alg_values_supported ] {string array} List of the supported JWE algorithms for securing the claims returned at the UserInfo endpoint, omitted or empty if none.

  • [ userinfo_encryption_enc_values_supported ] {string array} List of the supported JWE encryption methods for securing the claims returned at the UserInfo endpoint, omitted or empty if none.

  • [ request_object_signing_alg_values_supported ] {string array} List of the supported JWS algorithms for securing OpenID Connect request objects, omitted or empty if none.

  • [ request_object_encryption_alg_values_supported ] {string array} List of the supported JWE algorithms for securing OpenID Connect request objects, omitted or empty if none.

  • [ request_object_encryption_enc_values_supported ] {string array} List of the supported JWE encryption methods for securing OpenID Connect request objects, omitted or empty if none.

  • subject_types_supported {string array} List of the supported subject (end-user) identifier types.

  • acr_values_supported {string array} List of the supported Authentication Context Class References (ACRs).

  • display_values_supported {string array} List of the supported display parameters.

  • scopes_supported {string array} List of the supported scope values. Certain values may be omitted for privacy reasons.

  • claim_types_supported {string array} List of the supported OpenID Connect claim types.

  • claims_supported {string array} List of the supported OpenID Connect claims. Certain values may be omitted for privacy reasons.

  • [ claims_locales_supported ] {string array} List of the supported OpenID Connect claims locales, omitted or empty if none.

  • [ ui_locales_supported ] {string array} List of the supported UI locales, omitted or empty if none.

  • claims_parameter_supported {true|false} Indicates support for the claims OpenID authentication request parameter.

  • request_parameter_supported {true|false} Indicates support for the request OpenID authentication request parameter.

  • request_uri_parameter_supported {true|false} Indicates support for the request_uri OpenID authentication request parameter.

  • require_request_uri_registration {true|false} Specifies whether request URIs must be registered for a client.

  • request_uri_quota {integer} The maximum number of request_uris that can be registered for a client (custom Connect2id server parameter).

  • [ tls_client_certificate_bound_access_tokens ] {true|false} Indicates support for issuing access tokens bound to the client's X.509 certificate (RFC 8705). If omitted the default value is false.

  • [ frontchannel_logout_supported ] {true|false} Indicates support for OpenID Connect front-channel logout. If omitted the default value is false.

  • [ frontchannel_logout_session_supported ] {true|false} Indicates whether the session ID (sid) will be included in OpenID Connect front-channel logout notifications. If omitted the default value is false.

  • [ backchannel_logout_supported ] {true|false} Indicates support for OpenID Connect back-channel logout. If omitted the default value is false.

  • [ backchannel_logout_session_supported ] {true|false} Indicates whether the session ID (sid) will be included in OpenID Connect back-channel logout notifications. If omitted the default value is false.

  • [ op_policy_uri ] {string} The privacy policy document URL, omitted if none.

  • [ op_tos_uri ] {string} The terms of service document URL, omitted if none.

  • [ service_documentation ] {string} The service documentation URL, omitted if none.
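An added Python example, not Connect2id code, showing how a client consumes these members. It flags advertised capabilities a reviewer would want to look at (plain PKCE, the implicit and password grants, front-channel access tokens, unsigned ID tokens, no certificate-bound tokens), applies the documented defaults for the optional booleans, and selects the settings a confidential client should register: the authorization code flow with PKCE S256, the strongest advertised client authentication method and JWS algorithm, and an asymmetric ID token algorithm. The SAMPLE_METADATA dict is a trimmed copy of the example response shown earlier on this page, and the preference orders are this example's own policy, not something the server prescribes.

```python
# Trimmed copy of the metadata example earlier on this page; these values are
# what the page lists, not output fetched from a live server.
SAMPLE_METADATA = {
    "issuer": "https://c2id.com",
    "authorization_endpoint": "https://c2id.com/login",
    "token_endpoint": "https://c2id.com/token",
    "jwks_uri": "https://demo.c2id.com/c2id/jwks.json",
    "response_types_supported": ["code", "id_token", "token id_token",
                                 "code id_token", "code token id_token"],
    "grant_types_supported": ["implicit", "authorization_code", "refresh_token",
                              "password", "client_credentials"],
    "code_challenge_methods_supported": ["S256", "plain"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post",
                                              "client_secret_jwt", "private_key_jwt"],
    "token_endpoint_auth_signing_alg_values_supported": [
        "HS256", "HS512", "HS384", "RS256", "RS384", "RS512",
        "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"],
    "id_token_signing_alg_values_supported": ["RS256", "RS384", "RS512", "PS256",
                                              "PS384", "PS512", "HS256", "HS384", "HS512"],
    "subject_types_supported": ["public"],
    "request_parameter_supported": False,
    "request_uri_parameter_supported": False,
    "require_request_uri_registration": False,
}

# Optional booleans from the representation above with their documented defaults
OPTIONAL_BOOL_DEFAULTS = {
    "tls_client_certificate_bound_access_tokens": False,
    "frontchannel_logout_supported": False,
    "frontchannel_logout_session_supported": False,
    "backchannel_logout_supported": False,
    "backchannel_logout_session_supported": False,
}

# This example's preference orders: asymmetric algorithms, EC before RSA-PSS before PKCS#1 v1.5
SIGNING_ALG_PREFERENCE = ("ES256", "PS256", "RS256", "ES384", "PS384", "RS384",
                          "ES512", "PS512", "RS512")
HMAC_ALGS = ("HS256", "HS384", "HS512")


def audit_metadata(md: dict) -> list:
    """Return advisory findings about what the server advertises.

    A listed capability is not necessarily enabled for any given client, so
    these are review prompts for the deployment, not vulnerabilities."""
    findings = []
    grants = md.get("grant_types_supported", ["authorization_code", "implicit"])
    if "plain" in md.get("code_challenge_methods_supported", []):
        findings.append("PKCE 'plain' method advertised; register clients for S256 only")
    if "implicit" in grants:
        findings.append("implicit grant advertised; prefer the authorization code grant with PKCE")
    if "password" in grants:
        findings.append("resource owner password grant advertised; it exposes end-user passwords to clients")
    if any("token" in rt.split() for rt in md.get("response_types_supported", [])):
        findings.append("response types returning access tokens in the front channel are advertised")
    if "none" in md.get("id_token_signing_alg_values_supported", []):
        findings.append("unsigned ('none') ID tokens advertised")
    mtls_key = "tls_client_certificate_bound_access_tokens"
    if not md.get(mtls_key, OPTIONAL_BOOL_DEFAULTS[mtls_key]):
        findings.append("certificate-bound access tokens not supported; leaked bearer tokens are replayable")
    return findings


def select_client_config(md: dict, have_private_key: bool) -> dict:
    """Pick the registration settings a confidential client should use."""
    grants = md.get("grant_types_supported", ["authorization_code", "implicit"])
    if "code" not in md["response_types_supported"] or "authorization_code" not in grants:
        raise ValueError("server does not advertise the authorization code flow")
    if "S256" not in md.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise PKCE S256")

    methods = md.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    jwt_algs = md.get("token_endpoint_auth_signing_alg_values_supported", [])
    auth = None
    if have_private_key and "private_key_jwt" in methods:
        alg = next((a for a in SIGNING_ALG_PREFERENCE if a in jwt_algs), None)
        auth = ("private_key_jwt", alg) if alg else None
    if auth is None and "client_secret_jwt" in methods:
        alg = next((a for a in HMAC_ALGS if a in jwt_algs), None)
        auth = ("client_secret_jwt", alg) if alg else None
    if auth is None and "client_secret_basic" in methods:
        auth = ("client_secret_basic", None)
    if auth is None:
        raise ValueError("no acceptable client authentication method advertised")

    id_alg = next((a for a in SIGNING_ALG_PREFERENCE
                   if a in md["id_token_signing_alg_values_supported"]), None)
    if id_alg is None:
        raise ValueError("no asymmetric ID token signing algorithm advertised")

    cfg = {
        "response_type": "code",
        "code_challenge_method": "S256",
        "token_endpoint_auth_method": auth[0],
        "token_endpoint_auth_signing_alg": auth[1],
        "id_token_signed_response_alg": id_alg,
        # Pass request objects by reference only if the server accepts request_uri
        "request_object_by_reference": bool(md["request_uri_parameter_supported"]),
    }
    for key, default in OPTIONAL_BOOL_DEFAULTS.items():
        cfg[key] = bool(md.get(key, default))
    return cfg


if __name__ == "__main__":
    for finding in audit_metadata(SAMPLE_METADATA):
        print("finding:", finding)
    print(select_client_config(SAMPLE_METADATA, have_private_key=True))
```

The key names in the returned configuration (token_endpoint_auth_method, id_token_signed_response_alg and so on) are the OpenID Connect client registration metadata names, so the result can be fed straight into a registration request at the registration_endpoint.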

5. Errors

404 Not Found

The requested resource doesn't exist.

Example:

HTTP/1.1 404 Not Found

500 Internal Server Error

An internal server error has occurred. Check the Connect2id server logs for details.

Example:

HTTP/1.1 500 Internal Server Error