OpenID Connect Discovery

OpenID Connect Discovery

ISAM provides an endpoint for discovery which is the metadeta endpoint. However, the specification strictly states the discovery endpoint is /.well-known/openid-configuration appended to the issuer endpoint.
We can use HTTP transformation rule to route requests to /.well-known/openid-configuration endpoint.
An example is attached with the compressed files.
For information, refer to the OIDC Conformance-Example 1.7 in the oidc_op_conformance.zip file.
Create an HTTP Transformation rule using the httptransform.xsl and call it httptransform. In the following example, API definition's issuer is configured to be https://www.myidp.ibm.com/test. The WebSEAL configuration must be updated.
[http-transformations] updateuri = httptransform [http-transformations:updateuri] request-match = request:GET /test/.well-known/openid-configuration*

Also, there are some optional discovery parameters, which are required for conformance. To add these values, the metadata.json under Federation or AAC, Template Files can be modified. The modification that must be made are as follows:

Add "claims_supported"with the following values:
["realmName","preferred_username","given_name","uid","upn","groupIds", "employee_id","name","tenantId","mobile_number","department","job_title", "family_name","email"]

Add "userinfo_signing_alg_values_supported" with this value: ["RS256"]
Add "request_parameter_supported" with the following value :
<%var supported = true;templateContext.response.body.write(supported);%>

For achieving key rotation in IBM Security Verify Access, we add a new key to the rt_profile_keys (used as a default keystore). Since the jwks lists keys to "use" during signing only, to list down the keys to "use" during encryption, we use the jwks_uri which is https://<runtime_host>/sps/jwks.

Parent topic: Achieving OpenID Connect Provider conformance with IBM Security Verify Access