OpenID Connect Discovery

It is possible to configure OpenID Connect Discovery. It is not enabled by default.

More detail about OIDC discovery can be found at: https://openid.net/specs/openid-connect-discovery-1_0.html


Creating OpenID Providers

In order to enable discovery an OP needs to be configured. This is done under the Advanced menu.

Under the category "OIDC_OP" add a configuration.

Example configuration

Note that tenant and id are required parameters. They must both be unique within the OIDC_OP "bucket".

Supported characters are a-z and 0-9.

{
	"tenant": "myop",
	"id": "myop",
	"config": {
		"issuer": "https://integration.phenixid.se/oidc",
		"authorization_endpoint": "https://integration.phenixid.se/oidc_auth/authenticate/oidc_authz_start",
		"token_endpoint": "https://integration.phenixid.se/api/authentication/collectJWT",
		"response_types_supported": [
			"code"
		],
		"grant_types_supported": [
			"authorization_code"
		],
		"subject_types_supported": [
			"public"
		],
		"id_token_signing_alg_values_supported": [
			"RS256"
		],
		"scopes_supported": [
			"openid"
		],
		"token_endpoint_auth_methods_supported": [
			"none"
		],
		"claims_supported": [
			"iss",
			"ver",
			"sub"
		],
		"end_session_endpoint": "https://integration.phenixid.se/oidc/authenticate/logout/",
		"request_parameter_supported": "true",
		"signStore": "b8835784-cb82-4fe1-87e0-b367236d855b"
	}
}

All of the OP discovery data must reside within the "config" portion of the block above. Note that only strings are valid as values. For properties of other data types (booleans, numbers) the system transforms the string automatically when producing the output.

Apart from the parameters described at https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata, the additional property "signStore" is required. It must point to a keystore uploaded at an earlier stage. This keystore should also be the one used when signing the JWT token.

Accessing the data

After adding an OP the server will expose four new URIs:

  • /.well-known/openid-configuration
  • /.*/.well-known/openid-configuration
  • /.well-known/openid-configuration/jwks
  • /.*/.well-known/openid-configuration/jwks

If only ONE OP was added, the OP discovery data is accessed at the URI:

  • /.well-known/openid-configuration

If no value is defined for the property jwks_uri, the system adds it. The value is constructed as

  • /.well-known/openid-configuration/jwks

For multi-OP support, access /.*/.well-known/openid-configuration where .* is the name entered for the OP (myop in the example above).
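The rules above (unique tenant/id limited to a-z and 0-9, string-only config values, the required signStore, the single-OP versus multi-OP paths and the jwks_uri default) can be checked before an OIDC_OP entry is saved. The following is an added example written for this page, not code from the product; it assumes the per-OP path prefix is the entry's id, and it trims the page's sample entry into a constructed test value.

```python
import re

NAME_RE = re.compile(r"[a-z0-9]+")  # page: supported characters for tenant/id are a-z, 0-9

SAMPLE_OP = {  # constructed sample, trimmed from the page's OIDC_OP example
    "tenant": "myop",
    "id": "myop",
    "config": {
        "issuer": "https://integration.phenixid.se/oidc",
        "authorization_endpoint": "https://integration.phenixid.se/oidc_auth/authenticate/oidc_authz_start",
        "token_endpoint": "https://integration.phenixid.se/api/authentication/collectJWT",
        "response_types_supported": ["code"],
        "request_parameter_supported": "true",  # boolean written as a string, as the page requires
        "signStore": "b8835784-cb82-4fe1-87e0-b367236d855b",
    },
}

def check_op(op, existing_ops=()):
    """Return the problems found in one OIDC_OP entry; an empty list means it is acceptable."""
    problems = []
    for key in ("tenant", "id"):
        value = op.get(key)
        if not isinstance(value, str) or not NAME_RE.fullmatch(value):
            problems.append(f"{key}: missing or contains characters outside a-z, 0-9")
        elif any(other.get(key) == value for other in existing_ops):
            problems.append(f"{key}: '{value}' is already used in the OIDC_OP bucket")
    config = op.get("config", {})
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "signStore"):
        if key not in config:
            problems.append(f"config.{key}: required but missing")
    for key, value in config.items():  # only strings, or lists of strings, are valid values
        if not (isinstance(value, str) or
                (isinstance(value, list) and all(isinstance(v, str) for v in value))):
            problems.append(f"config.{key}: value must be a string, got {type(value).__name__}")
    if not str(config.get("issuer", "")).startswith("https://"):
        problems.append("config.issuer: must be an https URL")  # required by the Discovery spec
    return problems

def discovery_paths(op, single_op):
    """Paths at which the server publishes this OP's discovery document and its JWKS."""
    prefix = "" if single_op else f"/{op['id']}"  # assumption: the per-OP prefix is the entry's id
    return (f"{prefix}/.well-known/openid-configuration",
            f"{prefix}/.well-known/openid-configuration/jwks")

def published_metadata(op, single_op=True):
    """Config as it would be served, with jwks_uri defaulted the way the page describes."""
    doc = dict(op["config"])
    doc.setdefault("jwks_uri", discovery_paths(op, single_op)[1])
    return doc
```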