This documentation is for WSO2 Identity Server 5.5.0.

WSO2 Identity Server supports OpenID Connect Discovery to discover an end user's OpenID provider and to obtain the information required to interact with that provider, including its OAuth 2.0 endpoint locations. For more information, see IssuerDiscovery.

The OpenID Connect Discovery endpoint is as follows:

https://localhost:9443/.well-known/webfinger

Tip

In WSO2 Identity Server, the default OIDC discovery endpoint URL is set to the path oidcdiscovery/.well-known/openid-configuration.

If you want to change the OIDC discovery endpoint path to root <issuer>/.well-known/openid-configuration, you need to apply the WUM update for WSO2 IS 5.5.0, released on the 1st of August 2018, and then follow the step below:

  • Edit the <IS_HOME>/repository/conf/identity/identity.xml file, and change the value of <OIDCDiscoveryEPUrl> to the issuer url as follows:

    <OIDCDiscoveryEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</OIDCDiscoveryEPUrl>


The following information is required to make a request.

Parameter | Description                                                                      | Sample Value
----------|----------------------------------------------------------------------------------|-------------------------------------------------
Resource  | Identifier for the target end user that is the subject of the discovery request. | acct:[email protected] (for super tenant)
          |                                                                                  | acct:[email protected]@localhost (for tenant)
Host      | Server where the WebFinger service is hosted.                                    | localhost
rel       | URI identifying the type of service whose location is being requested.           | http://openid.net/specs/connect/1.0/issuer

By default, all endpoints in WSO2 Identity Server are secured with basic authentication, so every request to them must carry credentials. Out of the box you can authenticate with the admin credentials or with an access token.

Sample requests and responses are given below. 

Request #1 (for super tenant)
Sample Request
curl -v -k --user admin:admin 'https://localhost:9443/.well-known/webfinger?resource=acct:[email protected]&rel=http://openid.net/specs/connect/1.0/issuer'
Response #1 (for super tenant)

If you use the default OIDC discovery endpoint path of WSO2 Identity Server, the response will be as follows:

{
   "subject": "acct:[email protected]",
   "links": [
      {
         "rel": "http://openid.net/specs/connect/1.0/issuer",
         "href": "https://localhost:9443/oauth2/oidcdiscovery"
      }
   ]
}

If you apply the WUM update and change the OIDC discovery endpoint path to root <issuer>/.well-known/openid-configuration, the response will be as follows:

{
   "subject": "acct:[email protected]",
   "links": [
      {
         "rel": "http://openid.net/specs/connect/1.0/issuer",
         "href": "https://localhost:9443/oauth2/token"
      }
   ]
}
Request #1 (for tenant: wso2.com)
Sample Request
curl -v -k --user admin:admin 'https://localhost:9443/.well-known/webfinger?resource=acct:admin%[email protected]&rel=http://openid.net/specs/connect/1.0/issuer'
Response #1 (for tenant: wso2.com)

If you use the default OIDC discovery endpoint path of WSO2 Identity Server, the response will be as follows:

{
   "subject": "acct:[email protected]@localhost",
   "links": [
      {
         "rel": "http://openid.net/specs/connect/1.0/issuer",
         "href": "https://localhost:9443/t/wso2.com/oauth2/oidcdiscovery"
      }
   ]
}

If you apply the WUM update and change the OIDC discovery endpoint path to root <issuer>/.well-known/openid-configuration, the response will be as follows:

{
   "subject": "acct:[email protected]@localhost",
   "links": [
      {
         "rel": "http://openid.net/specs/connect/1.0/issuer",
         "href": "https://localhost:9443/t/wso2.com/oauth2/token"
      }
   ]
}
Request #2

Once you receive the WebFinger response shown above, append /.well-known/openid-configuration to the href it returned and request that URL to obtain the provider configuration.

If you use the default OIDC discovery endpoint path of WSO2 Identity Server, the request will be as follows:

Sample Request
curl -v -k --user admin:admin https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration

If you apply the WUM update and change the OIDC discovery endpoint path to root <issuer>/.well-known/openid-configuration, the request will be as follows:

Sample Request
curl -v -k --user admin:admin https://localhost:9443/oauth2/token/.well-known/openid-configuration
Response #2
Sample Response
{
    "scopes_supported": [
        "address",
        "phone",
        "email",
        "profile",
        "openid"
    ],
    "check_session_iframe": "https://localhost:9443/oidc/checksession",
    "issuer": "https://localhost:9443/oauth2/token",
    "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
    "claims_supported": [
        "formatted",
        "name",
        "phone_number",
        "given_name",
        "picture",
        "region",
        "street_address",
        "postal_code",
        "zoneinfo",
        "locale",
        "profile",
        "locality",
        "sub",
        "updated_at",
        "email_verified",
        "nickname",
        "middle_name",
        "email",
        "family_name",
        "website",
        "birthdate",
        "address",
        "preferred_username",
        "phone_number_verified",
        "country",
        "gender",
        "iss",
        "acr"
    ],
    "token_endpoint": "https://localhost:9443/oauth2/token",
    "response_types_supported": [
        "id_token token",
        "code",
        "id_token",
        "token"
    ],
    "end_session_endpoint": "https://localhost:9443/oidc/logout",
    "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
    "jwks_uri": "https://localhost:9443/oauth2/jwks",
    "subject_types_supported": [
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "registration_endpoint": "https://localhost:9443/identity/connect/register"
}
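The two requests above form one client-side procedure: ask WebFinger where the user's issuer lives, append the well-known suffix to the returned href, fetch the configuration, and then check it before trusting its endpoints. The following is an added example (not WSO2 code) that runs that procedure offline against constructed copies of the responses shown on this page; the user name alice is constructed, the tenant wso2.com and all URLs are taken from the page, and OIDC Discovery 1.0 section 4.3 is the source of the issuer-must-match-URL rule the example enforces. Replace the embedded sample documents with a real HTTPS fetch to use it against a server.

```python
"""Two-step OpenID Connect issuer discovery: WebFinger, then openid-configuration.

Added example, not WSO2 code. HTTP fetches are replaced by constructed sample
documents so the logic runs offline.
"""
import json
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
OPENID_CONFIG_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample documents modelled on the responses shown on this page.
# Default path: WebFinger advertises .../oauth2/oidcdiscovery as the issuer location.
WEBFINGER_DEFAULT = json.dumps({
    "subject": "acct:alice@localhost",  # constructed user
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://localhost:9443/oauth2/oidcdiscovery"}],
})
# After the WUM update: WebFinger advertises the issuer URL itself.
WEBFINGER_UPDATED = json.dumps({
    "subject": "acct:alice@localhost",  # constructed user
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://localhost:9443/oauth2/token"}],
})
# Trimmed copy of the openid-configuration document from Response #2.
OPENID_CONFIG = json.dumps({
    "issuer": "https://localhost:9443/oauth2/token",
    "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
    "token_endpoint": "https://localhost:9443/oauth2/token",
    "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
    "jwks_uri": "https://localhost:9443/oauth2/jwks",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def webfinger_url(host, resource, rel=OIDC_ISSUER_REL):
    """Build the WebFinger request URL, percent-encoding the resource.

    The '@' inside a tenant-qualified resource (acct:user@tenant@localhost)
    is encoded as %40, exactly as the tenant curl request on this page does.
    """
    query = urlencode({"resource": resource, "rel": rel}, safe=":/")
    return f"https://{host}/.well-known/webfinger?{query}"


def issuer_location(webfinger_body, rel=OIDC_ISSUER_REL):
    """Return the href of the link whose rel is the OIDC issuer relation.

    Raises ValueError if the link is missing or is not served over HTTPS:
    a plaintext issuer location would let an on-path party substitute a
    forged configuration document.
    """
    doc = json.loads(webfinger_body)
    for link in doc.get("links", []):
        if link.get("rel") == rel:
            href = link["href"]
            if urlsplit(href).scheme != "https":
                raise ValueError(f"issuer location is not https: {href}")
            return href
    raise ValueError(f"no link with rel {rel!r} in WebFinger response")


def openid_configuration_url(issuer_location_href):
    """Request #2 on this page: append the well-known suffix to the href."""
    return issuer_location_href.rstrip("/") + OPENID_CONFIG_SUFFIX


def issuer_matches_discovery_url(config_body, config_url):
    """OpenID Connect Discovery 1.0 sec. 4.3: the 'issuer' value MUST equal the
    URL the configuration was fetched from, minus the well-known suffix.
    A mismatch means the document may describe a different issuer."""
    config = json.loads(config_body)
    expected = config_url
    if config_url.endswith(OPENID_CONFIG_SUFFIX):
        expected = config_url[: -len(OPENID_CONFIG_SUFFIX)]
    return config.get("issuer") == expected


def endpoints_use_tls(config_body):
    """Every *_endpoint value and the jwks_uri must be an https URL."""
    config = json.loads(config_body)
    urls = [v for k, v in config.items() if k.endswith("_endpoint") or k == "jwks_uri"]
    return bool(urls) and all(urlsplit(u).scheme == "https" for u in urls)


def discover(webfinger_body, config_body):
    """Run the full flow offline and report whether a strict client would accept it."""
    href = issuer_location(webfinger_body)
    config_url = openid_configuration_url(href)
    return {
        "config_url": config_url,
        "issuer_ok": issuer_matches_discovery_url(config_body, config_url),
        "tls_ok": endpoints_use_tls(config_body),
    }


if __name__ == "__main__":
    print(webfinger_url("localhost:9443", "acct:alice@wso2.com@localhost"))
    for label, body in (("default path", WEBFINGER_DEFAULT), ("WUM-updated path", WEBFINGER_UPDATED)):
        print(label, discover(body, OPENID_CONFIG))
```

Run against the page's own values, the issuer check fails for the default layout (the configuration is fetched from under oauth2/oidcdiscovery but declares oauth2/token as its issuer) and passes for the WUM-updated layout, where the well-known path is rooted at the issuer URL. That is the practical reason to apply the update when your relying parties validate the issuer as the specification requires.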