WSO2 Identity Server supports OpenID Connect Discovery to discover an end user's OpenID provider, and also to obtain information required to interact with the OpenID provider, including its OAuth 2.0 endpoint locations. For more information, see IssuerDiscovery.
The OpenID Connect discovery endpoint is as follows:
https://localhost:9443/.well-known/webfinger
Tip
In WSO2 Identity Server, the default OIDC discovery endpoint url is set to the path oidcdiscovery/.well-known/openid-configuration.
If you want to move the OIDC discovery endpoint path to the root <issuer>/.well-known/openid-configuration, edit the <IS_HOME>/repository/conf/identity/identity.xml file, and change the value of <OIDCDiscoveryEPUrl> to the issuer url as follows:
<OIDCDiscoveryEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</OIDCDiscoveryEPUrl>
The following information is required to make a request.
| Parameter | Description | Sample Value |
|---|---|---|
| Resource | Identifier for the target end user that is the subject of the discovery request. | acct:admin@localhost (for super tenant) acct:admin@wso2.com@localhost (for tenant) |
| HostServer | Where the WebFinger service is hosted. | localhost |
| rel | URI identifying the type of service whose location is being requested. | http://openid.net/specs/connect/1.0/issuer |
By default, all endpoints in the WSO2 Identity Server are secured with basic authentication. You will need authentication details to call an endpoint. By default, you can use admin credentials, or an access token for the request.
- For more information on how to obtain an access token, see Allowed grant types for OAuth2-OpenID Connect.
- For more information on securing the REST API or customizing authentication/authorization for the REST API, see Authenticating and Authorizing REST APIs.
Sample requests and responses are given below:
| Request #1 (for super tenant) | Sample Request curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:admin@localhost&rel=http://openid.net/specs/connect/1.0/issuer' |
|---|---|
| Response #1 (for super tenant) | {
"subject": "acct:admin@localhost",
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://localhost:9443/oauth2/token"
}
]
}
|
| Request #1 (for tenant: wso2.com) | Sample Request curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:admin%40wso2.com@localhost&rel=http://openid.net/specs/connect/1.0/issuer' |
| Response #1 (for tenant: wso2.com) | {
"subject": "acct:admin@wso2.com@localhost",
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://localhost:9443/t/wso2.com/oauth2/token"
}
]
}
|
| Request #2 | Once you receive the response shown above, append Sample Request curl -v -k --user admin:admin https://localhost:9443/oauth2/token/.well-known/openid-configuration |
| Response #2 | Sample Response {
"scopes_supported": [
"address",
"phone",
"email",
"profile",
"openid"
],
"check_session_iframe": "https://localhost:9443/oidc/checksession",
"issuer": "https://localhost:9443/oauth2/token",
"authorization_endpoint": "https://localhost:9443/oauth2/authorize",
"claims_supported": [
"formatted",
"name",
"phone_number",
"given_name",
"picture",
"region",
"street_address",
"postal_code",
"zoneinfo",
"locale",
"profile",
"locality",
"sub",
"updated_at",
"email_verified",
"nickname",
"middle_name",
"email",
"family_name",
"website",
"birthdate",
"address",
"preferred_username",
"phone_number_verified",
"country",
"gender",
"iss",
"acr"
],
"token_endpoint": "https://localhost:9443/oauth2/token",
"response_types_supported": [
"id_token token",
"code",
"id_token",
"token"
],
"end_session_endpoint": "https://localhost:9443/oidc/logout",
"userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
"jwks_uri": "https://localhost:9443/oauth2/jwks",
"subject_types_supported": [
"pairwise"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"registration_endpoint": "https://localhost:9443/identity/connect/register"
}
|