WSO2 Identity Server supports OpenID Connect Discovery to discover an end user's OpenID provider, and also to obtain information required to interact with the OpenID provider, including its OAuth 2.0 endpoint locations. For more information, see IssuerDiscovery.
The OpenID Connect discovery endpoint is as follows:
https://localhost:9443/.well-known/webfinger
The following sections provide information and instructions on the following:
OpenID Provider Issuer discovery
OpenID Provider Issuer discovery refers to the process of determining the location of the OpenID Provider.
Tip
In WSO2 Identity Server, the default OpenID Provider Issuer location path is set to oidcdiscovery/.well-known/openid-configuration
.
To move the OpenID provider issuer location path to the root <issuer>/.well-known/openid-configuration
, edit the <IS_HOME>/repository/conf/identity/identity.xml
file, and change the value of <OIDCDiscoveryEPUrl>
to the issuer URL as shown below.
<OIDCDiscoveryEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</OIDCDiscoveryEPUrl>
Configuring the OpenID Provider Issuer location
In WSO2 Identity Server, the resident IdP Entity ID for OpenID Connect can be configured as the OpenID Provider Issuer location. Follow the instructions given below to configure the OpenID Provider Issuer location.
Open the
identity.xm
l file found in the<IS_HOME>/repository/conf/identity/
folder and set the following property to true.<UseEntityIdAsIssuerInOidcDiscovery>true</UseEntityIdasIssuerInOidcDiscovery>
In future releases, the Entity ID will be used as the OpenID Provider Issuer location by default and will not need to be enabled manually using the property mentioned above. Therefore, the
<UseEntityIdAsIssuerInOidcDiscovery>
property will be deprecated in the next release.Log in to the management console.
- Click Resident under Identity Providers on the Main tab.
- Expand the Inbound Authentication Configuration section and then expand OAuth2/OpenID Connect Configuration.
Enter a valid OpenID Provider issuer location as the Identity Provider Entity Id value.
A valid OpenID Provider Issuer location in WSO2 Identity Server has the following format.
OpenID Provider Issuer URL format<Host>/oauth2/{issuer}
<Host>: The host number of WSO2 Identity Server (e.g., https://localhost:9443)
{issuer}: The issuer path component. This value can be either ‘token’ or ‘oidcdiscovery’.
Sample OpenID Provider Issuer locationhttps://localhost:9443/oauth2/token
Obtaining the OpenID Provider Issuer location
Once the issuer location has been configured as instructed in the previous section, you can send a request to the endpoint to obtain the configured OpenID Provider Issuer location or to confirm that it has been set properly.
The following information is required to make a request.
Parameter | Description | Sample Value |
---|---|---|
Resource | Identifier for the target end user that is the subject of the discovery request. | acct:admin@localhost (for super tenant) acct:admin@wso2.com@localhost (for tenant) |
HostServer | Where the WebFinger service is hosted. | localhost |
rel | URI identifying the type of service whose location is being requested. | http://openid.net/specs/connect/1.0/issuer |
By default, all endpoints in the WSO2 Identity Server are secured with basic authentication. You will need authentication details to call an endpoint. By default, you can use admin credentials, or an access token for the request.
- For more information on how to obtain an access token, see Allowed grant types for OAuth2-OpenID Connect.
- For more information on securing the REST API or customizing authentication/authorization for the REST API, see Authenticating and Authorizing REST APIs.
Sample requests and responses are given below:
Request (for super tenant) | Sample Request curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:admin@localhost&rel=http://openid.net/specs/connect/1.0/issuer' |
---|---|
Response (for super tenant) | { "subject": "acct:admin@localhost", "links": [ { "rel": "http://openid.net/specs/connect/1.0/issuer", "href": "https://localhost:9443/oauth2/token" } ] } |
Request (for tenant: wso2.com) | Sample Request curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:admin%40wso2.com@localhost&rel=http://openid.net/specs/connect/1.0/issuer' |
Response (for tenant: wso2.com) | { "subject": "acct:admin@wso2.com@localhost", "links": [ { "rel": "http://openid.net/specs/connect/1.0/issuer", "href": "https://localhost:9443/t/wso2.com/oauth2/token" } ] } |
Obtaining the OpenID Provider configuration information
Follow the instructions below to obtain configuration details of the OpenID Proivder.
Once you receive the response as shown in the sample response of the previous section, append "
/.well-known/openid-configuration"
to the href value that you received.https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
Send a request to the endpoint as shown below.
Request Sample Requestcurl -v -k --user admin:admin https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
Response Sample Response{ "scopes_supported": [ "address", "phone", "email", "profile", "openid" ], "check_session_iframe": "https://localhost:9443/oidc/checksession", "issuer": "https://localhost:9443/oauth2/token", "authorization_endpoint": "https://localhost:9443/oauth2/authorize", "claims_supported": [ "formatted", "name", "phone_number", "given_name", "picture", "region", "street_address", "postal_code", "zoneinfo", "locale", "profile", "locality", "sub", "updated_at", "email_verified", "nickname", "middle_name", "email", "family_name", "website", "birthdate", "address", "preferred_username", "phone_number_verified", "country", "gender", "iss", "acr" ], "token_endpoint": "https://localhost:9443/oauth2/token", "response_types_supported": [ "id_token token", "code", "id_token", "token" ], "end_session_endpoint": "https://localhost:9443/oidc/logout", "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo", "jwks_uri": "https://localhost:9443/oauth2/jwks", "subject_types_supported": [ "pairwise" ], "id_token_signing_alg_values_supported": [ "RS256" ], "registration_endpoint": "https://localhost:9443/identity/connect/register" }