Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space IDS and version 8.2.0

Metadata describes the server capabilities in a machine readable format for automatic configuration of relying parties. It contains all of the relevant server endpoints, supported profiles and public key material used for validation of signed data. This information is publically accessible to anybody by design and contains no secret information.


MetadataEndpoint
OAuth2 and OpenID Connect Metadata

/uas/.well-known/openid-configuration

JWKS Web Keys

/uas/oauth2/metadata.jwks


Metadata Request

The main OAuth2 metadata endpoint contains all of the relevant server endpoints, supported profiles and links to public key material used for validation of signed data.

http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest

GET /uas/.well-known/openid-configuration

The same metadata is mirrored in also available at the address /uas/oauth2/metadata.json.  The address /uas/.well-known/openid-configuration is preferred for interoperability.


Code Block
languagexml
themeRDark
titleSample metadata request
GET https://sso.example.com/uas/.well-known/openid-configuration


Metadata Response

http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Parameters

  • issuer
  • authorization_endpoint
  • token_endpoint
  • userinfo_endpoint
  • jwks_uri
  • introspection_endpoint
  • revocation_endpoint
  • response_types_supported
  • grant_types_supported
  • subject_types_supported
  • id_token_signing_alg_values_supported
  • token_endpoint_auth_methods_supported
  • scopes_supported
    • In addition to the scopes specifically mentioned in the metadata, the entityID of any relying party can also be used as a scope when requesting tokens.


Deprecated parameters

  • tokeninfo_endpoint (deprecated, will be removed in SSO 8) introspection_endpoint provides the same functionality and should be used.

Code Block
languagexml
themeRDark
titleSample metadata response
HTTP/1.1 200 OK 
Content-Type: application/json
\
{
  "issuer": "https://sso.example.com/uas",
  "authorization_endpoint": "https://sso.example.com/uas/oauth2/authorization",
  "token_endpoint": "https://sso.example.com/uas/oauth2/token",
  "userinfo_endpoint": "https://sso.example.com/uas/oauth2/userinfo",
  "jwks_uri": "https://sso.example.com/uas/oauth2/metadata.jwks",
  "tokeninfo_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "introspection_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "revocation_endpoint": "https://sso.example.com/uas/oauth2/revocation",
  "response_types_supported":\ [
    "code"\
  ],
  "grant_types_supported":\ [
    "authorization_code",
    "password",
    "refresh_token"\],",
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp",
    "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp"
  ],
  "subject_types_supported":\ ["public"\],
    "public"
  ],
  "request_object_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "request_object_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5",
    "A128KW",
    "A256KW"
  ],
  "request_object_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "id_token_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5",
    "A128KW",
    "A256KW"
  ],
  "id_token_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512"
  ],
  "userinfo_signing_alg_values_supported":\ [
    "RS256"\],
"token_",
    "HS256"
  ],
  "userinfo_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5",
    "A128KW",
    "A256KW"
  ],
  "userinfo_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "introspection_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "revocation_endpoint_auth_methods_supported":\ [
    "client_secret_post",
    "client_secret_basic"\],",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "revocation_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "scopes_supported":\ [
    "openid",
    "userinfo"\
  ]
\} 


JSON Web Key Set Request

GET /uas/oauth2/metadata.jwks

Code Block
languagexml
themeRDark
titleSample jwks request
GET https://sso.example.com/uas/oauth2/metadata.json


JSON Web Key Set Response

https://tools.ietf.org/html/rfc7517

Parameters

...