Discover OpenID Connect Provider¶
This page guides you through using OpenID Connect Discovery to discover an end user's OpenID provider, and to obtain information required to interact with the OpenID provider, including its OAuth 2.0 endpoint locations.
You can use this OIDC Discovery document to automatically configure applications. The OpenID Connect discovery endpoint is as follows:
https://localhost:9443/oauth2/oidcdiscovery
OpenID Provider issuer discovery¶
OpenID Provider Issuer discovery refers to the process of determining the location of the OpenID Provider.
To move the OpenID Provider configuration information to https://<HOST>:<PORT>/oauth2/token/.well-known/openid-configuration
, add the following configuration to the <IS_HOME>/repository/conf/deployment.toml
file.
[oauth.endpoints]
oidc_discovery_url= "${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token"
Configure the OpenID Provider issuer location¶
In MWARE IAM, the resident IdP Entity ID for OpenID Connect can be configured as the OpenID Provider Issuer location.
-
Log in to the management console.
-
Click Identity Providers > Resident.
-
Expand Inbound Authentication Configuration section and then OAuth2/OpenID Connect Configuration.
-
Enter a valid OpenID Provider issuer location as the Identity Provider Entity Id value.
Tip
A valid OpenID Provider Issuer location in MWARE IAM has the following format.
{host}/oauth2/{issuer}
-
{host}: The host number of MWARE IAM (e.g.,https://localhost:9443)
-
{issuer}: The issuer path component. This value can be either
token
oroidcdiscovery
. -
Sample OpenID Provider Issuer location:
https://localhost:9443/oauth2/token
-
Obtain OpenID Provider issuer location¶
Once the issuer location has been configured, you can send a request to the endpoint to obtain the configured OpenID Provider issuer location. The following information is required to make a request.
Parameter | Description | Sample Value |
---|---|---|
Resource | Identifier for the target end user that is the subject of the discovery request. | acct:admin@localhost (for super tenant) acct:admin@ wso2.com@localhostĀ (for tenant) |
HostServer | Where the WebFinger service is hosted. | localhost |
rel | URI identifying the type of service whose location is being requested. | http://openid.net/specs/connect/1.0/issuer |
Sample requests and responses are given below.
Super tenant
Request
curl -v -k https://localhost:9443/.well-known/webfinger?resource='acct:admin@localhost&rel=http://openid.net/specs/connect/1.0/issuer'
Response
{
"subject": "acct:admin@localhost",
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://localhost:9443/oauth2/token"
}
]
}
Tenant-specific
The following sample request is for a tenant called as wso2.com
.
Request
curl -v -k https://localhost:9443/.well-known/webfinger?resource='acct:admin%40wso2.com@localhost&rel=http://openid.net/specs/connect/1.0/issuer'
Response
{
"subject": "acct:admin@wso2.com@localhost",
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://localhost:9443/t/wso2.com/oauth2/token"
}
]
}
Obtain OpenID Provider configuration information¶
Follow the steps below to obtain configuration details of the OpenID Provider.
-
Once you receive the response as shown in the sample response of the previous section, append
/.well-known/openid-configuration
to the href value that you received in the previous step.https://localhost:9443/oauth2/token/.well-known/openid-configuration
-
Send a request to the endpoint as shown below.
Request
curl -v -k https://localhost:9443/oauth2/token/.well-known/openid-configuration
Response
{ "request_parameter_supported":true, "claims_parameter_supported":true, "introspection_endpoint":"https://localhost:9443/oauth2/introspect", "Response_modes_supported":[ "query", "fragment", "form_post" ], "scopes_supported":[ "address", "phone", "openid", "profile", "email" ], "check_session_iframe":"https://localhost:9443/oidc/checksession", "backchannel_logout_supported":true, "issuer":"https://localhost:9443/oauth2/token", "authorization_endpoint":"https://localhost:9443/oauth2/authorize", "introspection_endpoint_auth_methods_supported":[ "client_secret_basic", "client_secret_post" ], "claims_supported":[ "zoneinfo", "profile", "phone_number_verified", "picture", "postal_code", "name", "groups", "locale", "address", "preferred_username", "middle_name", "street_address", "country", "website", "phone_number", "formatted", "gender", "sub", "nickname", "email", "upn", "birthdate", "given_name", "updated_at", "locality", "region", "email_verified", "family_name", "iss", "acr" ], "userinfo_signing_alg_values_supported":[ "RS256" ], "token_endpoint_auth_methods_supported":[ "client_secret_basic", "client_secret_post" ], "response_modes_supported":[ "query", "fragment", "form_post" ], "backchannel_logout_session_supported":true, "token_endpoint":"https://localhost:9443/oauth2/token", "response_types_supported":[ "id_token token", "code", "code id_token token", "code id_token", "id_token", "code token", "none", "token" ], "revocation_endpoint_auth_methods_supported":[ "client_secret_basic", "client_secret_post" ], "grant_types_supported":[ "refresh_token", "urn:ietf:params:oauth:grant-type:saml2-bearer", "password", "client_credentials", "iwa:ntlm", "authorization_code", "urn:ietf:params:oauth:grant-type:uma-ticket", "account_switch", "urn:ietf:params:oauth:grant-type:jwt-bearer" ], "end_session_endpoint":"https://localhost:9443/oidc/logout", "revocation_endpoint":"https://localhost:9443/oauth2/revoke", "userinfo_endpoint":"https://localhost:9443/oauth2/userinfo", "code_challenge_methods_supported":[ "S256", "plain" ], "jwks_uri":"https://localhost:9443/oauth2/jwks", "subject_types_supported":[ "public" ], "id_token_signing_alg_values_supported":[ "RS256" ], "registration_endpoint":"https://localhost:9443/api/identity/oauth2/dcr/v1.1/register", "request_object_signing_alg_values_supported":[ "RS256", "RS384", "RS512", "PS256", "none" ] }
Related topics