OIDC Discovery in WSO2 Identity Server 5.3.0


Why is OIDC Discovery important?
Identity Server offers a JSON document under the /.well-known/openid-configuration URL. This document has information about the issuer name, endpoint URLs, key material and capabilities of the provider, e.g. which scopes or response types it supports. 

High Level Steps 
  • Start Identity Server.
  • Use curl commands to discover the end user's OpenID Provider and the other information.
Detailed Instructions 
  1. Start Identity Server, open a terminal and run the curl command below to obtain the ‘href’ value, which is the OpenID Connect discovery endpoint of the Identity Server.

(Here, resource is the identifier of the target end user who is the subject of the discovery request, and rel is a URI identifying the type of service whose location is being requested.)

  2. You will get the following response.

{
  "subject": "acct:admin@wso2.com@localhost",
  "links": [
    {
      "href": "https://localhost:9443/t/wso2.com/oauth2/oidcdiscovery"
    }
  ]
}

  3. Take the href you received, append /.well-known/openid-configuration to it, and run the following curl command to obtain the OpenID Provider's details.

curl -v -k --user admin:admin https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration

Expected outcome
{"scopes_supported":["address","phone","email","profile","openid"],"issuer":"https://localhost:9443/oauth2/token","authorization_endpoint":"https://localhost:9443/oauth2/authorize","claims_supported":["birthdate","preferred_username","name","phone_number","profile","region","street_address","locality","zoneinfo","locale","sub","gender","formatted","email_verified","updated_at","middle_name","nickname","email","family_name","website","address","phone_number_verified","given_name","picture","postal_code","country","iss","acr"],"token_endpoint":"https://localhost:9443/oauth2/token","response_types_supported":["id_token token","code","id_token","token"],"userinfo_endpoint":"https://localhost:9443/oauth2/userinfo","jwks_uri":"https://localhost:9443/oauth2/jwks","subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"registration_endpoint":"https://localhost:9443/identity/connect/register"}


The response contains the OpenID Provider's details, such as the issuer name, endpoint URLs, key material and capabilities of the provider, e.g. which scopes or response types it supports.
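
A relying party should check this document before trusting the endpoints and keys it names. The following is an added example, not code from WSO2 or from the original post: it applies the OpenID Connect Discovery 1.0 required-field and issuer checks to a trimmed copy of the response above, and reports an issuer mismatch because the issuer is https://localhost:9443/oauth2/token while the document was fetched from under https://localhost:9443/oauth2/oidcdiscovery. The function name validate_discovery and the same-host and no-"none" rules are assumptions of this example (local policy, not spec requirements).

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Trimmed copy of the response shown on this page (claims/scopes lists left out).
SAMPLE = json.loads("""{
  "issuer": "https://localhost:9443/oauth2/token",
  "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
  "token_endpoint": "https://localhost:9443/oauth2/token",
  "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
  "jwks_uri": "https://localhost:9443/oauth2/jwks",
  "registration_endpoint": "https://localhost:9443/identity/connect/register",
  "response_types_supported": ["id_token token", "code", "id_token", "token"],
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")
URL_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
              "jwks_uri", "registration_endpoint")

def validate_discovery(doc, discovery_url):
    """Return a list of findings; an empty list means the metadata passed."""
    findings = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer", "")
    # OpenID Connect Discovery 1.0, section 4.3: the issuer must be identical to
    # the URL the document was retrieved from, minus the well-known suffix.
    if not discovery_url.endswith(WELL_KNOWN):
        findings.append("discovery URL does not end in " + WELL_KNOWN)
    elif issuer != discovery_url[:-len(WELL_KNOWN)]:
        findings.append(f"issuer mismatch: document says {issuer!r}")
    iss = urlsplit(issuer)
    if iss.scheme != "https" or iss.query or iss.fragment:
        findings.append("issuer must be an https URL without query or fragment")
    for field in URL_FIELDS:
        if field not in doc:
            continue
        url = urlsplit(doc[field])
        if url.scheme != "https":
            findings.append(f"{field} is not https: {doc[field]}")
        # Local policy (assumption, not a spec rule): endpoints stay on the issuer's host.
        if url.netloc != iss.netloc:
            findings.append(f"{field} is on a different host than the issuer")
    # Local policy (assumption): never accept unsigned ID tokens.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("provider advertises alg 'none' for ID tokens")
    return findings

if __name__ == "__main__":
    url = "https://localhost:9443/oauth2/oidcdiscovery" + WELL_KNOWN
    for finding in validate_discovery(SAMPLE, url):
        print("FINDING:", finding)
```

A client that runs this check against the server above has to be configured with the issuer value it expects rather than deriving it from the discovery URL.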
