This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
OpenID Connect Discovery
WSO2 Identity Server supports OpenID Connect Discovery to discover an end user's OpenID provider, and also to obtain the information required to interact with that provider, including its OAuth 2.0 endpoint locations. For more information, see the IssuerDiscovery section of the OpenID Connect Discovery specification.
The OpenID Connect Discovery endpoint is as follows:
https://localhost:9443/.well-known/webfinger
Tip
In WSO2 Identity Server, the default OIDC discovery endpoint URL is set to the path oidcdiscovery/.well-known/openid-configuration.
If you want to change the OIDC discovery endpoint path to the root <issuer>/.well-known/openid-configuration, you need to apply the WUM update for WSO2 IS 5.5.0, released on the 1st of August 2018, and then follow the step below:
Edit the <IS_HOME>/repository/conf/identity/identity.xml file, and change the value of <OIDCDiscoveryEPUrl> to the issuer URL as follows:
```xml
<OIDCDiscoveryEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</OIDCDiscoveryEPUrl>
```
The following information is required to make a request.
Parameter | Description | Sample Value |
---|---|---|
Resource | Identifier for the target end user that is the subject of the discovery request. | acct:admin@localhost (for super tenant); acct:admin@wso2.com@localhost (for tenant) |
HostServer | Where the WebFinger service is hosted. | localhost |
rel | URI identifying the type of service whose location is being requested. | http://openid.net/specs/connect/1.0/issuer |
By default, all endpoints in the WSO2 Identity Server are secured with basic authentication. You will need authentication details to call the endpoints. By default, you can use admin credentials or an access token for the request.
- For more information on how to obtain an access token, see Allowed grant types for OAuth2-OpenID Connect.
- For more information on securing the REST API or customizing authentication/authorization for the REST API, see Authenticating and Authorizing REST APIs.
Sample requests and responses are given below.
Request #1 (for super tenant)
Sample Request:
```bash
curl -v -k --user admin:admin 'https://localhost:9443/.well-known/webfinger?resource=acct:admin@localhost&rel=http://openid.net/specs/connect/1.0/issuer'
```

Response #1 (for super tenant)
If you use the default OIDC discovery endpoint path of WSO2 Identity Server, the response will be as follows:
```json
{
  "subject": "acct:admin@localhost",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://localhost:9443/oauth2/oidcdiscovery"
    }
  ]
}
```
If you apply the WUM update and change the OIDC discovery endpoint path to root, the response will be as follows:
```json
{
  "subject": "acct:admin@localhost",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://localhost:9443/oauth2/token"
    }
  ]
}
```

Request #1 (for tenant: wso2.com)
Sample Request:
```bash
curl -v -k --user admin:admin 'https://localhost:9443/.well-known/webfinger?resource=acct:admin%40wso2.com@localhost&rel=http://openid.net/specs/connect/1.0/issuer'
```

Response #1 (for tenant: wso2.com)
If you use the default OIDC discovery endpoint path of WSO2 Identity Server, the response will be as follows:
```json
{
  "subject": "acct:admin@wso2.com@localhost",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://localhost:9443/t/wso2.com/oauth2/oidcdiscovery"
    }
  ]
}
```
If you apply the WUM update and change the OIDC discovery endpoint path to root, the response will be as follows:
```json
{
  "subject": "acct:admin@wso2.com@localhost",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://localhost:9443/t/wso2.com/oauth2/token"
    }
  ]
}
```

Request #2
Once you receive the response shown above, append /.well-known/openid-configuration to the href value in the response. If you use the default OIDC discovery endpoint path of WSO2 Identity Server, the request will be as follows:
Sample Request:
```bash
curl -v -k --user admin:admin https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
```
If you apply the WUM update and change the OIDC discovery endpoint path to root, the request will be as follows:
Sample Request:
```bash
curl -v -k --user admin:admin https://localhost:9443/oauth2/token/.well-known/openid-configuration
```

Response #2
Sample Response:
```json
{
  "scopes_supported": ["address", "phone", "email", "profile", "openid"],
  "check_session_iframe": "https://localhost:9443/oidc/checksession",
  "issuer": "https://localhost:9443/oauth2/token",
  "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
  "claims_supported": [
    "formatted", "name", "phone_number", "given_name", "picture", "region",
    "street_address", "postal_code", "zoneinfo", "locale", "profile", "locality",
    "sub", "updated_at", "email_verified", "nickname", "middle_name", "email",
    "family_name", "website", "birthdate", "address", "preferred_username",
    "phone_number_verified", "country", "gender", "iss", "acr"
  ],
  "token_endpoint": "https://localhost:9443/oauth2/token",
  "response_types_supported": ["id_token token", "code", "id_token", "token"],
  "end_session_endpoint": "https://localhost:9443/oidc/logout",
  "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
  "jwks_uri": "https://localhost:9443/oauth2/jwks",
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "registration_endpoint": "https://localhost:9443/identity/connect/register"
}
```
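As an added example, not code from the WSO2 documentation, the following Python client walks the two requests above offline: it builds the WebFinger URL from the resource and rel parameters, takes the issuer href from the returned JRD, appends /.well-known/openid-configuration, and then applies the checks a relying party should make before trusting the result, in particular the OpenID Connect Discovery 1.0 section 4.3 rule that the issuer value in the document must be identical to the URL it was retrieved from. The host, port, the canned responses and the server() helper are assumptions built from the page's sample values; the canned data reproduces both the default WSO2 path and the post-WUM root path, so the check can be seen failing on the first and passing on the second.

```python
# Added example, not code from the WSO2 documentation: a small discovery client
# that follows the two requests on this page (WebFinger, then the
# openid-configuration document) and applies the checks a relying party should
# make on the results. The host, port, canned responses and server() helper
# are assumptions built from the page's sample values.
from urllib.parse import quote, urlencode

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
WELL_KNOWN = "/.well-known/openid-configuration"


def webfinger_url(host, resource, rel=OIDC_ISSUER_REL, port=9443):
    """WebFinger request URL with both parameters percent-encoded, so a tenant
    resource such as acct:admin@wso2.com@localhost is not split at its first @."""
    query = urlencode({"resource": resource, "rel": rel}, quote_via=quote)
    return f"https://{host}:{port}/.well-known/webfinger?{query}"


def issuer_from_webfinger(doc, resource, rel=OIDC_ISSUER_REL):
    """href of the requested rel. Fails closed if the JRD does not describe the
    resource asked for (RFC 7033 allows it to appear as subject or an alias),
    if the link is absent, or if the issuer is not https."""
    if doc.get("subject") != resource and resource not in doc.get("aliases", []):
        raise ValueError(f"JRD subject {doc.get('subject')!r} does not match {resource!r}")
    for link in doc.get("links", []):
        if link.get("rel") == rel:
            href = link.get("href", "")
            if not href.startswith("https://"):
                raise ValueError(f"issuer must be https, got {href!r}")
            return href
    raise ValueError(f"no link with rel {rel!r}")


def configuration_url(issuer):
    """Append the well-known path to the discovered issuer, as Request #2 does."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_configuration(issuer, config):
    """Problems found in the document (empty list means acceptable). OpenID
    Connect Discovery 1.0 section 4.3 requires 'issuer' to be identical to the
    URL the document was retrieved from; endpoints that will receive
    credentials or tokens must be https."""
    problems = []
    if config.get("issuer") != issuer:
        problems.append(f"issuer mismatch: fetched from {issuer}, document says {config.get('issuer')}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        if not config.get(key, "").startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems


def discover(host, resource, fetch_json):
    """Full flow. fetch_json(url) returns the parsed JSON body for url, so the
    transport can be a real HTTP client or the canned responses below."""
    jrd = fetch_json(webfinger_url(host, resource))
    issuer = issuer_from_webfinger(jrd, resource)
    config = fetch_json(configuration_url(issuer))
    problems = check_configuration(issuer, config)
    if problems:
        raise ValueError("; ".join(problems))
    return config


def canned_fetch(responses):
    """Offline transport: dict of URL -> parsed body; any other URL is an error."""
    def fetch(url):
        if url not in responses:
            raise ValueError(f"unexpected request to {url}")
        return responses[url]
    return fetch


# Constructed sample data, taken from the page's Response #1 and Response #2.
ISSUER = "https://localhost:9443/oauth2/token"
CONFIG = {"issuer": ISSUER, "token_endpoint": ISSUER,
          "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
          "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
          "jwks_uri": "https://localhost:9443/oauth2/jwks"}
SUPER = "acct:admin@localhost"


def server(href):
    """Canned WSO2 IS (assumed): WebFinger answers with href, and the
    configuration document is served beneath that href."""
    jrd = {"subject": SUPER, "links": [{"rel": OIDC_ISSUER_REL, "href": href}]}
    return {webfinger_url("localhost", SUPER): jrd, configuration_url(href): CONFIG}


# Default path: the document sits under /oauth2/oidcdiscovery but names
# /oauth2/token as its issuer, so the section 4.3 check rejects it.
DEFAULT_PATH = server("https://localhost:9443/oauth2/oidcdiscovery")
# After the WUM update the href is the issuer itself and discovery succeeds.
ROOT_PATH = server(ISSUER)

if __name__ == "__main__":
    print(discover("localhost", SUPER, canned_fetch(ROOT_PATH))["token_endpoint"])
    try:
        discover("localhost", SUPER, canned_fetch(DEFAULT_PATH))
    except ValueError as err:
        print("rejected:", err)
```

To run it against a live server, pass discover() a fetch function that sends the same Basic authentication header the curl samples use and returns the parsed JSON body; keep certificate verification on and trust the server's CA explicitly rather than mirroring the -k flag. The section 4.3 mismatch on the default path is worth knowing before choosing a client library: implementations that validate the issuer will refuse the default WSO2 discovery document, which is the practical reason for the WUM update described in the tip.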