GET /.well-known/openid-configuration

Returns the OpenID Connect configuration values from the provider's Well-Known Configuration Endpoint, per the specification (http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest).

For additional information about the values returned in the metadata file, see OAuth Well-Known Configuration Information.

Authorization Roles/Permissions: Anyone can run this operation.

HTTP Method

GET

URL

https://{oauth-provider-hostname}/.well-known/openid-configuration

Sample Request

The example below shows a request for the OpenID Connect provider information for Google.

Sample Request URL

https://accounts.google.com/.well-known/openid-configuration

Sample request headers

Accept: application/json

Sample request body

Not applicable.

Request Headers

For general information on request header values, refer to HTTP Request Headers.

Header    Description
Accept    application/json

Request Parameters

None.

Response

If successful, this operation returns HTTP status code 200, with the configuration information for the specified OpenID Connect provider.

Sample Response

The sample response below shows successful completion of this operation, for the sample request to the Google OpenID Connect Provider.

Sample response headers

Content-Type: application/json
Date: Thu, 16 Jul 2015 14:25:20 GMT

Sample response body

{
  "issuer":"http://acmepaymentscorp",
  "authorization_endpoint":"http://acmepaymentscorp/oauth/auz/authorize",
  "token_endpoint":"http://acmepaymentscorp/oauth/oauth20/token",
  "userinfo_endpoint":"http://acmepaymentscorp/oauth/userinfo",
  "jwks_uri":"http://acmepaymentscorp/oauth/jwks",
  "registration_endpoint":"http://acmepaymentscorp.com",
  "scopes_supported":[
    "READ",
    "WRITE",
    "DELETE",
    "openid",
    "scope",
    "profile",
    "email",
    "address",
    "phone"
  ],
  "response_types_supported":[
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "token",
    "id_token",
    "id_token token"
  ],
  "grant_types_supported":[
    "authorization_code",
    "implicit",
    "password",
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "subject_types_supported":[
    "public"
  ],
  "id_token_signing_alg_values_supported":[
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "id_token_encryption_alg_values_supported":[
    "RSA1_5",
    "RSA-OAEP",
    "RSA-OAEP-256",
    "A128KW",
    "A192KW",
    "A256KW",
    "A128GCMKW",
    "A192GCMKW",
    "A256GCMKW",
    "dir"
  ],
  "id_token_encryption_enc_values_supported":[
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128GCM",
    "A192GCM",
    "A256GCM"
  ],
  "token_endpoint_auth_methods_supported":[
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported":[
    "HS256",
    "RS256"
  ],
  "claims_parameter_supported":false,
  "request_parameter_supported":false,
  "request_uri_parameter_supported":false
}

Response Headers

For general information on response header values, refer to HTTP Response Headers.

Header          Description
Content-Type    application/json

Response Body

The response body is the configuration file for the provider. The structure of the configuration file and its specific values vary by provider, but in general it includes the following types of information that an OpenID Connect Relying Party will need:

  • Issuer (OpenID Connect provider)
  • Endpoints:
    • Authorization Endpoint
    • Token Endpoint
    • UserInfo Endpoint
    • Revocation Endpoint
    • JWKS URI
    • Registration Endpoint
  • Response types supported
  • Subject types supported
  • For ID token, signing algorithm values supported
  • Scopes supported
  • For token endpoint, client authentication methods supported
  • Claims supported

For additional information about the values returned in the metadata file, see OAuth Well-Known Configuration Information.
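
Because a Relying Party sends authorization codes, client credentials and tokens to whatever endpoints this file names, it should check the document before trusting it. The following is an added example, not code from this documentation or from the provider: it applies checks taken from OpenID Connect Discovery 1.0 (required fields, exact issuer match, HTTPS URLs, RS256 advertised, "none" flagged). The function name check_discovery, the expected issuer value and the trimmed sample document are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Fields OpenID Connect Discovery 1.0 marks REQUIRED (token_endpoint is required
# unless only the implicit flow is used; it is treated as required here).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(expected_issuer, doc):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer", "")
    # Discovery 1.0, section 4.3: issuer must be identical to the URL that was
    # used as the prefix of the /.well-known/openid-configuration request.
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")
    parts = urlsplit(issuer)
    if parts.query or parts.fragment:
        findings.append("issuer contains a query or fragment component")
    # Every URL the relying party sends codes, credentials or tokens to, or
    # fetches signing keys from, should use HTTPS.
    for key, value in doc.items():
        if key == "issuer" or key.endswith(("_endpoint", "_uri")):
            if isinstance(value, str) and urlsplit(value).scheme != "https":
                findings.append(f"{key} is not an https URL: {value}")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        findings.append("RS256 missing from id_token_signing_alg_values_supported")
    if "none" in algs:
        findings.append("provider advertises unsigned ID tokens (alg none)")
    return findings

# Constructed sample: a trimmed copy of the response body shown on this page.
SAMPLE = json.loads("""{
  "issuer": "http://acmepaymentscorp",
  "authorization_endpoint": "http://acmepaymentscorp/oauth/auz/authorize",
  "token_endpoint": "http://acmepaymentscorp/oauth/oauth20/token",
  "jwks_uri": "http://acmepaymentscorp/oauth/jwks",
  "response_types_supported": ["code", "id_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["HS256", "RS256"]
}""")

if __name__ == "__main__":
    for finding in check_discovery("https://acmepaymentscorp", SAMPLE):
        print("FINDING:", finding)
```

Run against the sample values on this page, the check reports the issuer mismatch and each plain-HTTP URL; a document whose URLs are all HTTPS and whose issuer matches returns no findings.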

Error Codes/Messages

If the call is unsuccessful, an error code/message is returned. One or more examples of possible errors for this operation are shown below.

Item    Value
404     The resource could not be found. This might happen for one of the following reasons:

          • OpenID Connect is not enabled in the OAuth provider
          • The host name is not correctly mapped to the OAuth provider
          • The URL is accessed over HTTP but the provider is configured to accept only HTTPS requests
500     An error occurred processing the call.

For more information, see Akana OAuth API error messages.