Server discovery endpoint
1. Discovering the server's endpoints and capabilities
The Connect2id server publishes a JSON object listing its OAuth 2.0 / OpenID Connect endpoints as well as the supported grants, response types, authentication methods and security algorithms. These details are needed by dynamic clients and application developers to construct requests to the server.
The members of this JSON object, called OpenID Connect provider metadata, are described in section 3 of the OpenID Connect Discovery 1.0 specification. OpenID providers publish their metadata at a well-known URL which looks like this:
https://[base-server-url]/.well-known/openid-configuration
2. Web API overview
| Resources | |
|---|---|
| Representations | Errors |
3. Resources
3.1 /.well-known/openid-configuration
3.1.1 GET
Retrieves the server's metadata.
Success:
Code:
200Content-Type:
application/jsonBody: {object} The OpenID Provider metadata.
Errors:
Example request to get the server's metadata:
GET /.well-known/openid-configuration HTTP/1.1
Host: c2id.com
The response containing a JSON object with the metadata:
HTTP/1.1 200 OK
Content-Type: application/json
{
"issuer" : "https://c2id.com",
"token_endpoint" : "https://c2id.com/token",
"introspection_endpoint" : "https://c2id.com/token/introspect",
"revocation_endpoint" : "https://c2id.com/token/revoke",
"authorization_endpoint" : "https://c2id.com/login",
"userinfo_endpoint" : "https://c2id.com/userinfo",
"registration_endpoint" : "https://demo.c2id.com/c2id/client-reg",
"jwks_uri" : "https://demo.c2id.com/c2id/jwks.json",
"scopes_supported" : [ "openid",
"profile",
"email",
"address",
"phone",
"offline_access" ],
"response_types_supported" : [ "code",
"id_token",
"token id_token",
"code id_token" ,
"code token id_token" ],
"response_modes_supported" : [ "query",
"fragment" ],
"grant_types_supported" : [ "implicit",
"authorization_code",
"refresh_token",
"password",
"client_credentials",
"urn:ietf:params:oauth:grant-type:jwt-bearer",
"urn:ietf:params:oauth:grant-type:saml2-bearer" ],
"code_challenge_methods_supported" : [ "S256",
"plain" ],
"acr_values_supported" : [ "urn:c2id:acr:bronze",
"urn:c2id:acr:silver"
"urn:c2id:acr:gold" ],
"subject_types_supported" : [ "public" ],
"token_endpoint_auth_methods_supported" : [ "client_secret_basic",
"client_secret_post",
"client_secret_jwt",
"private_key_jwt" ],
"token_endpoint_auth_signing_alg_values_supported" :
[ "HS256",
"HS512",
"HS384",
"RS256",
"RS384",
"RS512",
"PS256",
"PS384",
"PS512",
"ES256",
"ES384",
"ES512" ],
"id_token_signing_alg_values_supported" : [ "RS256",
"RS384",
"RS512",
"PS256",
"PS384",
"PS512",
"HS256",
"HS384",
"HS512" ],
"userinfo_signing_alg_values_supported" : [ "RS256",
"RS384",
"RS512",
"PS256",
"PS384",
"PS512",
"HS256",
"HS384",
"HS512" ],
"display_values_supported" : [ "page",
"popup" ],
"claim_types_supported" : [ "normal" ],
"claims_supported" : [ "sub",
"iss",
"auth_time",
"acr",
"name",
"given_name",
"family_name",
"nickname",
"email",
"email_verified" ],
"ui_locales_supported" : [ "en" ],
"claims_parameter_supported" : true,
"request_parameter_supported" : false,
"request_uri_parameter_supported" : false,
"require_request_uri_registration" : false
}
4. Representations
4.1 OpenID provider metadata
OpenID provider
metadata,
as specified in OpenID Connect Discovery 1.0, section 3. The Connect2id server
also adds two additional non-registered members - token_introspection_endpoint
and token_revocation_endpoint.
JSON object members:
issuer {string} The server identifier, typically the base URL of the Connect2id server, using the https scheme, e.g.
https://c2id.comauthorization_endpoint {string} The OAuth 2.0 authorisation endpoint URL.
token_endpoint {string} The OAuth 2.0 token endpoint URL.
introspection_endpoint {string} The [OAuth 2.0 token introspection endpoint URL.
revocation_endpoint {string} The OAuth 2.0 token revocation endpoint URL.
userinfo_endpoint {string} The OpenID Connect UserInfo endpoint URL.
jwks_uri {string} The public server JWK set URL.
registration_endpoint {string} The OAuth 2.0 / OpenID Connect client registration endpoint URL.
scopes_supported {string array} List of the supported scope values. Certain values may be omitted for privacy reasons.
response_types_supported {string array} List of the supported OAuth 2.0 response_type values.
response_modes_supported {string array} List of the supported OAuth 2.0 response_mode values.
grant_types_supported {string array} List of the supported OAuth 2.0 grant types.
code_challenge_methods_supported {string array} List of the supported transformation methods on the authorisation code verifier for Proof Key for Code Exchange (PKCE).
acr_values_supported {string array} List of the supported Authentication Context Class References.
subject_types_supported {string array} List of the supported subject (end-user) identifier types.
id_token_signing_alg_values_supported {string array} List of the supported JWS algorithms for securing the issued ID tokens.
[ id_token_encryption_alg_values_supported ] {string array} List of the supported JWE algorithms for securing the issued ID tokens, omitted or empty if none.
[ id_token_encryption_enc_values_supported ] {string array} Lisf of the supported JWE encryption methods for securing the issued ID tokens, omitted or empty if none.
userinfo_signing_alg_values_supported {string array} List of the supported JWS algorithms for securing the claims returned at the UserInfo endpoint.
[ userinfo_encryption_alg_values_supported ] {string array} List of the supported JWE encryption algorithms for securing the claims returned at the UserInfo endpoint, omitted or empty if none.
[ userinfo_encryption_enc_values_supported ] {string array} List of the supported JWE encryption methods for securing the claims returned at the UserInfo endpoint, omitted or empty if none.
[ request_object_signing_alg_values_supported ] {string array} List of the supported JWS algorithms for securing OpenID Connect request objects.
[ request_object_encryption_alg_values_supported ] {string array} List of the supported JWE encryption algorithms for securing OpenID Connect request objects, omitted or empty if none.
[ request_object_encryption_enc_values_supported ] {string array} List of the supported JWE encryption methods for securing OpenID Connect request objects, omitted or empty if none.
token_endpoint_auth_methods_supported {string array} List of the supported client authentication methods at the OAuth 2.0 token endpoint.
[ token_endpoint_auth_signing_alg_values_supported ] {string array} List of the supported JWS algorithms for JWT-based client authentication at the OAuth 2.0 token endpoint, omitted or empty if none.
display_values_supported {string array} List of the supported display parameters.
claim_types_supported {string array} List of the supported OpenID Connect claim types.
claims_supported {string array} List of the supported OpenID Connect claims. Certain values may be omitted for privacy reasons.
service_documentation {string array} The service documentation URL.
[ claims_locales_supported ] {string array} List of the supported OpenID Connect claims locales, omitted or empty if none.
[ ui_locales_supported ] {string array} List of the supported UI locales, omitted or empty if none.
claims_parameter_supported {true|false} Specifies whether the claims request parameter is supported.
request_parameter_supported {true|false} Specifies whether the request parameter is supported.
request_uri_parameter_supported {true|false} Specifies whether the request_uri parameter is supported.
require_request_uri_registration {true|false} Specifies whether request URIs must be registered for a client.
[ op_policy_uri ] {string} The privacy policy document URL, omitted if none.
[ op_tos_uri ] {string} The terms of service document URL, omitted if none.
5. Errors
404 Not Found
The requested resource doesn't exist.
Example:
HTTP/1.1 404 Not Found
500 Internal Server Error
An internal server error has occurred. Check the Connect2id server logs for details.
Example:
HTTP/1.1 500 Internal Server Error