Versions Compared

Old Version 1

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

WSO2 Identity Server supports supports OpenID Connect Discovery to  to discover an end user's OpenID provider, and also to obtain information required to interact with the OpenID provider, including its OAuth 2.0 endpoint locations. For more information, see IssuerDiscovery

...

Code Block
https://localhost:9443/.well-known/webfingeroidcdiscovery

The following sections provide information and instructions on the following:

Table of Contents

OpenID Provider Issuer discovery

OpenID Provider Issuer discovery refers to the process of determining the location of the OpenID Provider. 

Tip
titleTip

In WSO2 Identity Server, the default OIDC discovery endpoint url OpenID Provider Issuer location path is set to the path to oidcdiscovery/.well-known/openid-configuration. 

If you want to To move the OIDC discovery endpoint OpenID provider issuer location path to the root <issuer>/.well-known/openid-configuration, edit the <IS_HOME>/repository/conf/identity/identity.xml file, and change the value of <OIDCDiscoveryEPUrl> to the issuer url as follows:URL as shown below.

Code Block
<OIDCDiscoveryEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</OIDCDiscoveryEPUrl>
Configuring the OpenID Provider Issuer location 

In WSO2 Identity Server, the resident IdP Entity ID for OpenID Connect can be configured as the OpenID Provider Issuer location. Follow the instructions given below to configure the OpenID Provider Issuer location. 

  1. Open the identity.xml file found in the <IS_HOME>/repository/conf/identity/ folder and set the following property to true.

    Code Block
    <UseEntityIdAsIssuerInOidcDiscovery>true</UseEntityIdasIssuerInOidcDiscovery>
    Warning

    In future releases, the Entity ID will be used as the OpenID Provider Issuer location by default and will not need to be enabled manually using the property mentioned above. Therefore, the <UseEntityIdAsIssuerInOidcDiscovery> property will be deprecated in the next release.

  2. Log in to the management console. 

  3. Click Resident under Identity Providers on the Main tab. 
  4. Expand the Inbound Authentication Configuration section and then expand OAuth2/OpenID Connect Configuration. 

  5. Enter a valid OpenID Provider issuer location as the Identity Provider Entity Id value. 
    Image Added

    Tip

    A valid OpenID Provider Issuer location in WSO2 Identity Server has the following format.

    Code Block
    titleOpenID Provider Issuer URL format
    <Host>/oauth2/{issuer}

    • <Host>: The host number of WSO2 Identity Server (e.g., https://localhost:9443)

    • {issuer}: The issuer path component. This value can be either ‘token’ or ‘oidcdiscovery’.

    Code Block
    titleSample OpenID Provider Issuer location
    https://localhost:9443/oauth2/token
Obtaining the OpenID Provider Issuer location

Once the issuer location has been configured as instructed in the previous section, you can send a request to the endpoint to obtain the configured OpenID Provider Issuer location.

The following information is required to make a request.

ParameterDescriptionSample Value
ResourceIdentifier for the target end user that is the subject of the discovery request.acct:admin@localhost (for super tenant)
acct:admin@wso2admin@wso2.com@localhost com@localhost (for tenant)
HostServerWhere the WebFinger service is hosted.localhost
relURI identifying the type of service whose location is being requested.http://openid.net/specs/connect/1.0/issuer
Info

By default, all endpoints in the WSO2 Identity Server are secured with basic authentication. You will need authentication details to call an endpoint. By default, you can use admin credentials, or an access token for the request.

Sample requests and responses are given below:

Request #2
Request #1 (for super tenant)
Code Block
titleSample Request
curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:admin@localhost&rel=http://openid.net/specs/connect/1.0/issuer'
Response #1 (for super tenant)
Code Block
{
   "subject": "acct:admin@localhost",
   "links": [
      {
         "rel": "http://openid.net/specs/connect/1.0/issuer",
         "href": "https://localhost:9443/oauth2/token"
      }
   ]
}
Request #1 (for tenant: wso2.com)
Code Block
titleSample Request
curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:admin%40wso2.com@localhost&rel=http://openid.net/specs/connect/1.0/issuer'
Response #1 (for tenant: wso2.com)
Code Block
{
   "subject": "acct:admin@wso2.com@localhost",
   "links": [
      {
         "rel": "http://openid.net/specs/connect/1.0/issuer",
         "href": "https://localhost:9443/t/wso2.com/oauth2/token"
      }
   ]
}

Obtaining the OpenID Provider configuration information

Follow the instructions below to obtain configuration details of the OpenID Proivder.

  1. Once you receive the response

...

  1. as shown in the sample response of the previous section, append "/.well-known/openid-configuration

...

  1. " to the href value that you received.  

    Code Block
    https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration

  2. Send a request to the endpoint as shown below. 

    Request
    Code Block
    titleSample Request
    curl -v -k --user admin:admin https://localhost:9443/oauth2/

...

  1. oidcdiscovery/.well-known/openid-configuration
    Response

...

  1. Code Block
    titleSample Response 
    {
    "scopes_supported": [
        "address",
        "phone",
        "email",
        "profile",
        "openid"
    ],
    "check_session_iframe": "https://localhost:9443/oidc/checksession",
    "issuer": "https://localhost:9443/oauth2/token",
    "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
    "claims_supported": [
        "formatted",
        "name",
        "phone_number",
        "given_name",
        "picture",
        "region",
        "street_address",
        "postal_code",
        "zoneinfo",
        "locale",
        "profile",
        "locality",
        "sub",
        "updated_at",
        "email_verified",
        "nickname",
        "middle_name",
        "email",
        "family_name",
        "website",
        "birthdate",
        "address",
        "preferred_username",
        "phone_number_verified",
        "country",
        "gender",
        "iss",
        "acr"
    ],
    "token_endpoint": "https://localhost:9443/oauth2/token",
    "response_types_supported": [
        "id_token token",
        "code",
        "id_token",
        "token"
    ],
    "end_session_endpoint": "https://localhost:9443/oidc/logout",
    "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
    "jwks_uri": "https://localhost:9443/oauth2/jwks",
    "subject_types_supported": [
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "registration_endpoint": "https://localhost:9443/identity/connect/register"
}