Configure an OpenID Connect Provider to accept discovery requests
The discovery configuration endpoint makes information available about the capabilities supported by the OpenID Connect Provider (OP) server. Metadata is based on and extends the OIDC Discovery 1.0 specification provider metadata. The service returns a set of default configurations if nothing is specified. Otherwise, refer to the list of properties to understand their purpose and possible configurable options.
We can override the default values for selected properties in the discovery configuration service. This action is performed by specifying the values in server.xml.
Configurable properties
Each property is listed with its Attribute Name, Data Type (Input or Output only), Required/Optional status, and Description.

responseTypesSupported (Data Type: Input; Required/Optional: Optional)
The response types supported by the OpenID Connect Provider (OP) server. Unless specified, the default values are code, token, and id_token token. More than 1 value can be specified. These values are strings. For example, possible values are:
- code
- token
- id_token token

subjectTypesSupported (Data Type: Output only; Required/Optional: N/A)
The subject types supported by the OP server. This value is set to public. This value is a string.

idTokenSigningAlgValuesSupported (Data Type: Output only; Required/Optional: Optional)
The ID token signing algorithms supported by the OP server. This value is specified as the server attribute signatureAlgorithm in the openidConnectProvider server configuration. Unless specified, the default value is HS256. Only 1 value can be specified. This is a string. For example, possible values for the attribute signatureAlgorithm in the openidConnectProvider configuration are:
- none
- RS256
- HS256

scopesSupported (Data Type: Input; Required/Optional: Optional)
The scope values supported by the OP server. Unless specified, the default values are openid, general, profile, email, address, and phone. More than 1 value can be specified. These values are strings. For example, possible values are:
- openid
- general
- profile
- address
- phone

claimsSupported (Data Type: Input; Required/Optional: Optional)
The claims values supported by the OP server. Unless specified, the default values are sub, groupIds, name, preferred_username, picture, locale, email, and profile. More than 1 value can be specified. These values are strings. For example, possible values are:
- sub
- groupIds
- name
- preferred_username
- picture
- locale
- profile
responseModesSupported (Data Type: Input; Required/Optional: Optional)
The response modes supported by the OP server. Unless specified, the default values are query and fragment. More than 1 value can be specified. These values are strings. For example, possible values are:
- query
- fragment

grantTypesSupported (Data Type: Input; Required/Optional: Optional)
The grant types supported by the OP server. Unless specified, the default values are authorization_code, implicit, refresh_token, client_credentials, password, and urn:ietf:params:oauth:grant-type:jwt-bearer. More than 1 value can be specified. These values are strings. For example, possible values are:
- authorization_code
- implicit
- refresh_token
- client_credentials
- password
- urn:ietf:params:oauth:grant-type:jwt-bearer
tokenEndpointAuthMethodsSupported (Data Type: Input; Required/Optional: Optional)
The token endpoint authorization methods supported by the OP server. Unless specified, the default values are client_secret_post and client_secret_basic. More than 1 value can be specified. These values are strings. For example, possible values are:
- none
- client_secret_post
- client_secret_basic

displayValuesSupported (Data Type: Output only; Required/Optional: N/A)
The display values supported by the OP server. This value is set to page. This value is a string.

claimTypesSupported (Data Type: Output only; Required/Optional: N/A)
The claim type values supported by the OP server. This value is set to normal. This value is a string.

claimsParameterSupported (Data Type: Input; Required/Optional: Optional)
Indication of whether the claims parameter is supported by the OP server. Unless specified, the default value is false. Only 1 value can be specified. This is a Boolean value. For example, possible values are:
- true
- false

requestParameterSupported (Data Type: Input; Required/Optional: Optional)
Indication of whether the request parameter is supported by the OP server. Unless specified, the default value is false. Only 1 value can be specified. This is a Boolean value. For example, possible values are:
- true
- false

requestUriParameterSupported (Data Type: Input; Required/Optional: Optional)
Indication of whether the request URI parameter is supported by the OP server. Unless specified, the default value is false. Only 1 value can be specified. This is a Boolean value. For example, possible values are:
- true
- false

requireRequestUriRegistration (Data Type: Input; Required/Optional: Optional)
Indication of whether request URI registration is required by the OP server. Unless specified, the default value is false. Only 1 value can be specified. This is a Boolean value. For example, possible values are:
- true
- false
Examples of discovery configuration
The following examples assume that the Liberty OP is configured with SSL on port 443, so that its endpoint base URL is:
https://server.example.com:443/oidc/endpoint/<provider_name>/
The discovery configuration endpoint is accessible at:
https://server.example.com:443/oidc/endpoint/<provider_name>/.well-known/openid-configuration
For example, in server.xml, a user can customize their OpenID Connect discovery configuration properties in the following manner:
<openidConnectProvider id="OidcConfigSample" oauthProviderRef="OAuthConfigSample">
    <discovery responseTypesSupported="token, id_token token"
               subjectTypesSupported="public"
               scopesSupported="openid, general, profile"
               claimsSupported="sub, groupIds, name"
               responseModesSupported="query"
               grantTypesSupported="implicit"
               tokenEndpointAuthMethodsSupported="client_secret_basic"
               displayValuesSupported="page"
               claimTypesSupported="normal"
               claimsParameterSupported="true"
               requestParameterSupported="true"
               requestUriParameterSupported="true"
               requireRequestUriRegistration="true" />
</openidConnectProvider>
<oauthProvider id="OAuthConfigSample">
</oauthProvider>
- Example of customized discovery configuration
Request Headers:
GET https://server.example.com:443/oidc/endpoint/<provider_name>/.well-known/openid-configuration

Response Headers:
Status: 200
Content-Type: application/json
Cache-Control: public, max-age=3600

Response Body:
{
  "introspection_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/introspect",
  "coverage_map_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/coverage_map",
  "issuer": "https://server.example.com:443/oidc/endpoint/<provider_name>",
  "authorization_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/authorize",
  "token_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/token",
  "response_types_supported": [ "token", "id_token token" ],
  "subject_types_supported": [ "public" ],
  "userinfo_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/userinfo",
  "scopes_supported": [ "openid", "general", "profile" ],
  "claims_supported": [ "sub", "groupIds", "name" ],
  "response_modes_supported": [ "query" ],
  "grant_types_supported": [ "implicit" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_basic" ],
  "display_values_supported": [ "page" ],
  "claim_types_supported": [ "normal" ],
  "claims_parameter_supported": true,
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "check_session_iframe": "https://server.example.com:443/oidc/endpoint/<provider_name>/check_session_iframe",
  "end_session_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/end_session"
}
- Example of default discovery configuration
Request Headers:
GET https://server.example.com:443/oidc/endpoint/<provider_name>/.well-known/openid-configuration

Response Headers:
Status: 200
Content-Type: application/json
Cache-Control: public, max-age=3600

Response Body:
{
  "introspection_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/introspect",
  "coverage_map_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/coverage_map",
  "issuer": "https://server.example.com:443/oidc/endpoint/<provider_name>",
  "authorization_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/authorize",
  "token_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/token",
  "response_types_supported": [ "code", "token", "id_token token" ],
  "subject_types_supported": [ "public" ],
  "userinfo_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/userinfo",
  "registration_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/registration",
  "scopes_supported": [ "openid", "general", "profile", "email", "address", "phone" ],
  "claims_supported": [ "sub", "groupIds", "name", "preferred_username", "picture", "locale", "email", "profile" ],
  "response_modes_supported": [ "query", "fragment" ],
  "grant_types_supported": [ "authorization_code", "implicit", "refresh_token", "client_credentials", "password", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic" ],
  "display_values_supported": [ "page" ],
  "claim_types_supported": [ "normal" ],
  "claims_parameter_supported": false,
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": false,
  "check_session_iframe": "https://server.example.com:443/oidc/endpoint/<provider_name>/check_session_iframe",
  "end_session_endpoint": "https://server.example.com:443/oidc/endpoint/<provider_name>/end_session"
}
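As an added example (not Liberty code), the following Python lint is what a relying party or a reviewer would run over a discovery document like the ones above before trusting it: it checks that the issuer matches the URL the document was fetched from, that every endpoint sits under that issuer, that the metadata OpenID Connect Discovery 1.0 requires is present, and it flags settings that widen the attack surface. The sample document is constructed from the customized example with the provider id OidcConfigSample standing in for <provider_name>; the id_token_signing_alg_values_supported list is an assumption, since the page's response bodies do not show it.

```python
"""Lint an OpenID Connect discovery document (added example, not Liberty code)."""
import json

# Constructed sample: the page's customized configuration, with the provider id
# "OidcConfigSample" filling in <provider_name>. The signing-algorithm list is an
# assumption (the page's response bodies do not show it) and includes "none".
ISSUER = "https://server.example.com:443/oidc/endpoint/OidcConfigSample"
DISCOVERY_URL = ISSUER + "/.well-known/openid-configuration"
SAMPLE_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwk",
    "subject_types_supported": ["public"],
    "response_types_supported": ["token", "id_token token"],
    "response_modes_supported": ["query"],
    "grant_types_supported": ["implicit"],
    "id_token_signing_alg_values_supported": ["none", "HS256"],
})

# Metadata that OpenID Connect Discovery 1.0 (section 3) marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def lint_discovery(doc_json, discovery_url):
    """Return a list of findings; an empty list means nothing was flagged."""
    doc = json.loads(doc_json)
    findings = [f"missing required metadata: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer", "")
    # The document must come from issuer + /.well-known/openid-configuration;
    # a mismatch means it describes some other issuer than the one queried.
    if discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        findings.append("issuer does not match the URL the document was fetched from")
    for key, value in doc.items():
        if key.endswith("_endpoint") and not str(value).startswith(issuer):
            findings.append(f"{key} points outside the issuer: {value}")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("'none' is advertised as an ID token signing algorithm")
    # Implicit response types return tokens in the redirect; they default to the
    # fragment mode so the tokens do not travel in a query string.
    implicit = [t for t in doc.get("response_types_supported", [])
                if {"token", "id_token"} & set(t.split())]
    if implicit and "fragment" not in doc.get("response_modes_supported", ["query", "fragment"]):
        findings.append(f"implicit response types {implicit} but fragment mode is not listed")
    for grant in ("implicit", "password"):
        if grant in doc.get("grant_types_supported", []):
            findings.append(f"grant type '{grant}' is enabled (discouraged by the OAuth 2.0 Security BCP)")
    return findings
```

Run against the constructed sample it reports three findings: the none algorithm, implicit response types with only the query mode, and the implicit grant; pointing it at the default configuration would additionally flag the password grant.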