OpenID Configuration
OpenID Configuration Endpoint aka .well-known/openid-configuration#
The Configuration Endpoint returns both the OP server metadata, and OAuth AS metdata, most of which is defined in the OpenID Discovery Spec, although other configuration metadata is defined in other OpenID specifications, or in OAuth specifications.
If you want to customize the configuration response, you can use the OpenID Config Interception Script, which enables you to filter the results, modify claim values, or add claims.
If you want to explicitly allow only certain OpenID Metadata claims, you can
supply a list of the claims in the opConfigMetadataAllowList Auth Server
Property.
Below is a list of all the current available claims, and where they are specified.
| Claim | Origin |
|---|---|
| access_token_signing_alg_values_supported | ? |
| acr_values_supported | OpenID |
| authorization_encryption_alg_values_supported | ? |
| authorization_encryption_enc_values_supported | ? |
| authorization_endpoint | OpenID |
| authorization_signing_alg_values_supported | ? |
| backchannel_authentication_endpoint | ? |
| backchannel_logout_session_supported | ? |
| backchannel_logout_supported | ? |
| backchannel_token_delivery_modes_supported | ? |
| backchannel_user_code_parameter_supported | ? |
| check_session_iframe | ? |
| claim_types_supported | ? |
| claims_locales_supported | ? |
| claims_parameter_supported | ? |
| claims_supported | OpenID |
| clientinfo_endpoint | ? |
| device_authorization_endpoint | ? |
| display_values_supported | ? |
| dpop_signing_alg_values_supported | ? |
| end_session_endpoint | ? |
| frontchannel_logout_session_supported | ? |
| frontchannel_logout_supported | ? |
| grant_types_supported | ? |
| id_token_encryption_alg_values_supported | ? |
| id_token_encryption_enc_values_supported | ? |
| id_token_signing_alg_values_supported | ? |
| id_token_token_binding_cnf_values_supported | ? |
| introspection_endpoint | ? |
| issuer | OpenID |
| jwks_uri | OpenID |
| op_tos_uri | OpenID |
| pushed_authorization_request_endpoint | ? |
| registration_endpoint | OpenID |
| request_object_encryption_alg_values_supported | OpenID |
| request_object_encryption_enc_values_supported | OpenID |
| request_object_signing_alg_values_supported | OpenID |
| request_parameter_supported | OpenID |
| request_uri_parameter_supported | OpenID |
| require_pushed_authorization_requests | ? |
| require_request_uri_registration | ? |
| response_modes_supported | OpenID |
| response_types_supported | OpenID |
| revocation_endpoint | ? |
| scopes_supported | ? |
| service_documentation | ? |
| session_revocation_endpoint | ? |
| ssa_endpoint | Janssen |
| subject_types_supported | OpenID |
| tls_client_certificate_bound_access_tokens | ? |
| token_endpoint | OpenID |
| token_endpoint_auth_methods_supported | OpenID |
| token_endpoint_auth_signing_alg_values_supported | OpenID |
| ui_locales_supported | OpenID |
| userinfo_encryption_alg_values_supported | OpenID |
| userinfo_encryption_enc_values_supported | OpenID |
| userinfo_endpoint | OpenID |
| userinfo_signing_alg_values_supported | OpenID |
Notes on specific OP Server Metadata claims#
-
claims_supported Each user claim (in Jans jargon, "Attribute") has a property called
jansHideOnDiscovery--if you don't want a claim to appear in.well-known/openid-configuration, set this totruefor the Attribute entity. -
ssa_endpoint This is the endpoint which issues Software Statement Assertions JWT's. It is an OAuth protected endpoint.
Created: 2022-07-21
