Relying party authentication metadata

Metadata is the discovery information the OpenID Provider (OP) exposes.

If metadata is configured, the Relying Party (RP) uses it as the source of the /authorize, /token, /jwks, and /userinfo URLs. The RP also uses other metadata fields, including the supported signing algorithms and the supported response types. If the RP is configured for a particular response_type and signing algorithm that are not included in the metadata, the metadata is still used, because it is the OP's advertisement of what it supports.

The RP overwrites any configured field with the metadata it retrieves. In some cases, the RP does not even prompt for configuration when it knows that metadata is provided. For example, it is not possible to configure an /authorize URL when metadata is used, because metadata must expose /authorize.

In other instances, the RP permits us to elect which value to use, but ignores that value at run time if the value is incompatible with the metadata. For example, if we select ES256 as the signing algorithm, but the OP supports only RS256, the RP expects an RS256 signed JWT (not an ES256 signed JWT) because the OP advertises that it does not provide an ES algorithm. However, if the OP does support ES256, ES384 and ES512, and we select ES256, then this signature algorithm is used because it is an elected and compatible preference.
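The resolution rules above, as an added example that is not the product's own code: the RP loads a constructed OP discovery document, lets the advertised endpoints overwrite manually configured URLs, reconciles an elected signing algorithm and response_type against the advertised lists, and accepts an ID token signature only if its alg matches what the reconciliation produced. The metadata documents and the function names (load_metadata, resolve_endpoints, resolve_signing_alg, resolve_response_type, id_token_alg_acceptable) are assumptions made for this example.

```python
"""Added example (not the product's code): apply OpenID Connect discovery metadata
to a Relying Party's configuration, as described in the text above.
Assumptions: both metadata documents below are constructed samples; the function
names and the RP configuration keys are hypothetical."""
import json

# Constructed sample of an OP discovery document (a subset of the fields defined in
# OpenID Connect Discovery 1.0, "OpenID Provider Metadata").
SAMPLE_METADATA = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "jwks_uri": "https://op.example.com/jwks",
    "userinfo_endpoint": "https://op.example.com/userinfo",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "ES384", "ES512"],
})

# Constructed sample of an OP that advertises only RS256 and only the code flow,
# and that exposes no userinfo endpoint.
SAMPLE_METADATA_RS_ONLY = json.dumps({
    "issuer": "https://op-rs.example.com",
    "authorization_endpoint": "https://op-rs.example.com/authorize",
    "token_endpoint": "https://op-rs.example.com/token",
    "jwks_uri": "https://op-rs.example.com/jwks",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# RP-side names mapped to the discovery fields that supply them.
ENDPOINT_FIELDS = {
    "authorize": "authorization_endpoint",
    "token": "token_endpoint",
    "jwks": "jwks_uri",
    "userinfo": "userinfo_endpoint",
}


def load_metadata(doc):
    """Parse a discovery document and refuse one that lacks the fields the RP cannot do without."""
    md = json.loads(doc)
    for required in ("issuer", "authorization_endpoint", "jwks_uri"):
        if required not in md:
            raise ValueError(f"metadata missing required field {required}")
    return md


def resolve_endpoints(md, configured=None):
    """Metadata overwrites any manually configured endpoint URL it provides.
    A URL the metadata does not provide keeps its configured value."""
    resolved = dict(configured or {})
    for name, field in ENDPOINT_FIELDS.items():
        if field in md:
            resolved[name] = md[field]
    return resolved


def resolve_signing_alg(md, preferred, default="RS256"):
    """Use the elected algorithm only if the OP advertises it; otherwise the
    metadata wins and the RP falls back to RS256 (which the OP must support)."""
    supported = md.get("id_token_signing_alg_values_supported", [default])
    if preferred in supported:
        return preferred
    if default in supported:
        return default
    raise ValueError(f"OP advertises no usable signing algorithm: {supported}")


def resolve_response_type(md, requested, default="code"):
    """Same rule for response_type: the metadata's advertised list is authoritative."""
    supported = md.get("response_types_supported", [default])
    if requested in supported:
        return requested
    if default in supported:
        return default
    raise ValueError(f"OP advertises no usable response_type: {supported}")


def id_token_alg_acceptable(md, header_alg, preferred):
    """Accept an ID token's JOSE header alg only if it equals the algorithm the RP
    resolved from its preference and the metadata. This is what makes an RP that
    expects RS256 reject an ES256-signed token (and anything like 'none')."""
    return header_alg == resolve_signing_alg(md, preferred)


if __name__ == "__main__":
    for doc in (SAMPLE_METADATA, SAMPLE_METADATA_RS_ONLY):
        md = load_metadata(doc)
        print(md["issuer"])
        print("  endpoints:", resolve_endpoints(md, {"authorize": "https://manual.example/authorize"}))
        print("  alg for elected ES256:", resolve_signing_alg(md, "ES256"))
        print("  response_type for 'code id_token':", resolve_response_type(md, "code id_token"))
        print("  ES256-signed token acceptable:", id_token_alg_acceptable(md, "ES256", "ES256"))
```

Against the first sample the elected ES256 is kept because it is advertised; against the RS256-only sample the same election is silently replaced by RS256, and an ES256-signed ID token is then rejected, which is the run-time behaviour the text describes.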

See the OpenID Connect specification for metadata definition: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
