Skip to content

Discover OpenID Connect Provider

This page guides you through using OpenID Connect Discovery to discover an end user's OpenID provider, and to obtain information required to interact with the OpenID provider, including its OAuth 2.0 endpoint locations.

You can use this OIDC Discovery document to automatically configure applications. The OpenID Connect discovery endpoint is as follows:


OpenID Provider issuer discovery

OpenID Provider Issuer discovery refers to the process of determining the location of the OpenID Provider.

To move the OpenID Provider configuration information to https://<HOST>:<PORT>/oauth2/token/.well-known/openid-configuration, add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file.

oidc_discovery_url= "${carbon.protocol}://${}:${}/oauth2/token"

Configure the OpenID Provider issuer location

In MWARE IAM, the resident IdP Entity ID for OpenID Connect can be configured as the OpenID Provider Issuer location.

  1. Log in to the management console.

  2. Click Identity Providers > Resident.

  3. Expand Inbound Authentication Configuration section and then OAuth2/OpenID Connect Configuration.

  4. Enter a valid OpenID Provider issuer location as the Identity Provider Entity Id value.



    A valid OpenID Provider Issuer location in MWARE IAM has the following format.

    • {host}: The host number of MWARE IAM (e.g.,https://localhost:9443)

    • {issuer}: The issuer path component. This value can be either token or oidcdiscovery.

    • Sample OpenID Provider Issuer location: https://localhost:9443/oauth2/token

Obtain OpenID Provider issuer location

Once the issuer location has been configured, you can send a request to the endpoint to obtain the configured OpenID Provider issuer location. The following information is required to make a request.

Parameter Description Sample Value
Resource Identifier for the target end user that is the subject of the discovery request. acct:admin@localhost (for super tenant)
acct:admin@Ā (for tenant)
HostServer Where the WebFinger service is hosted. localhost
rel URI identifying the type of service whose location is being requested.

Sample requests and responses are given below.

Super tenant


curl -v -k https://localhost:9443/.well-known/webfinger?resource='acct:admin@localhost&rel='


  "subject": "acct:admin@localhost",
  "links": [
        "rel": "",
        "href": "https://localhost:9443/oauth2/token"


The following sample request is for a tenant called as


curl -v -k https://localhost:9443/.well-known/webfinger?resource=''
"subject": "",
"links": [
        "rel": "",
        "href": "https://localhost:9443/t/"

Obtain OpenID Provider configuration information

Follow the steps below to obtain configuration details of the OpenID Provider.

  1. Once you receive the response as shown in the sample response of the previous section, append /.well-known/openid-configuration to the href value that you received in the previous step.

  2. Send a request to the endpoint as shown below.


    curl -v -k https://localhost:9443/oauth2/token/.well-known/openid-configuration


            "id_token token",
            "code id_token token",
            "code id_token",
            "code token",