Metadata describes the server capabilities in a machine-readable format for automatic configuration of relying parties. It contains all of the relevant server endpoints, supported profiles and public key material used for validation of signed data. This information is publicly accessible to anybody by design and contains no secret information.
Metadata | Endpoint
---|---
OAuth2 and OpenID Connect Metadata | /uas/.well-known/openid-configuration
JWKS Web Keys | /uas/oauth2/metadata.jwks
Metadata Request
The main OAuth2 metadata endpoint contains all of the relevant server endpoints, supported profiles and links to public key material used for validation of signed data.
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
GET /uas/.well-known/openid-configuration
The same metadata is also available at the address /uas/oauth2/metadata.json. The address /uas/.well-known/openid-configuration is preferred for interoperability.
```http
GET https://sso.example.com/uas/.well-known/openid-configuration
```
Metadata Response
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
Parameters
- issuer
- authorization_endpoint
- token_endpoint
- userinfo_endpoint
- jwks_uri
- introspection_endpoint
- revocation_endpoint
- response_types_supported
- grant_types_supported
- subject_types_supported
- id_token_signing_alg_values_supported
- token_endpoint_auth_methods_supported
- scopes_supported
  - In addition to the scopes specifically mentioned in the metadata, the entityID of any relying party can also be used as a scope when requesting tokens.
Deprecated parameters
- tokeninfo_endpoint (deprecated, will be removed in SSO 8): introspection_endpoint provides the same functionality and should be used instead.
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer": "https://sso.example.com/uas",
  "authorization_endpoint": "https://sso.example.com/uas/oauth2/authorization",
  "token_endpoint": "https://sso.example.com/uas/oauth2/token",
  "userinfo_endpoint": "https://sso.example.com/uas/oauth2/userinfo",
  "jwks_uri": "https://sso.example.com/uas/oauth2/metadata.jwks",
  "tokeninfo_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "introspection_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "revocation_endpoint": "https://sso.example.com/uas/oauth2/revocation",
  "response_types_supported": [ "code" ],
  "grant_types_supported": [
    "authorization_code",
    "password",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp",
    "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp"
  ],
  "subject_types_supported": [ "public" ],
  "request_object_signing_alg_values_supported": [ "RS256", "HS256" ],
  "request_object_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "RSA1_5", "A128KW", "A256KW" ],
  "request_object_encryption_enc_values_supported": [ "A128CBC-HS256", "A256CBC-HS512" ],
  "id_token_signing_alg_values_supported": [ "RS256", "HS256" ],
  "id_token_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "RSA1_5", "A128KW", "A256KW" ],
  "id_token_encryption_enc_values_supported": [ "A128CBC-HS256", "A256CBC-HS512" ],
  "userinfo_signing_alg_values_supported": [ "RS256", "HS256" ],
  "userinfo_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "RSA1_5", "A128KW", "A256KW" ],
  "userinfo_encryption_enc_values_supported": [ "A128CBC-HS256", "A256CBC-HS512" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt" ],
  "token_endpoint_auth_signing_alg_values_supported": [ "RS256", "HS256" ],
  "introspection_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt" ],
  "introspection_endpoint_auth_signing_alg_values_supported": [ "RS256", "HS256" ],
  "revocation_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt" ],
  "revocation_endpoint_auth_signing_alg_values_supported": [ "RS256", "HS256" ],
  "scopes_supported": [ "openid", "userinfo" ]
}
```
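A relying party should not configure itself blindly from whatever the discovery URL returns. The following is an added example (not GlobalSign SSO code) of the checks an RP can run over the document before trusting it: the issuer value must be identical to the issuer the RP expects, every endpoint must be HTTPS and hosted by that issuer, the signing algorithm the RP relies on must be advertised, and the deprecated tokeninfo_endpoint is flagged. The sample JSON is constructed to match the shape of the response above, and the function names (discovery_url, check_discovery, scope_allowed, configure_client) are this example's own.

```python
"""Fetching and sanity-checking an OpenID Provider discovery document.

Added example for this page (not GlobalSign SSO code). The JSON below is a
constructed sample shaped like the metadata response above; the check
functions and their names are this example's own.
"""
import json
from urllib.parse import urlsplit

# Constructed sample, trimmed to the fields the checks below look at.
SAMPLE_METADATA = json.loads("""
{
  "issuer": "https://sso.example.com/uas",
  "authorization_endpoint": "https://sso.example.com/uas/oauth2/authorization",
  "token_endpoint": "https://sso.example.com/uas/oauth2/token",
  "userinfo_endpoint": "https://sso.example.com/uas/oauth2/userinfo",
  "jwks_uri": "https://sso.example.com/uas/oauth2/metadata.jwks",
  "tokeninfo_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "introspection_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "revocation_endpoint": "https://sso.example.com/uas/oauth2/revocation",
  "response_types_supported": ["code"],
  "id_token_signing_alg_values_supported": ["RS256", "HS256"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
  "scopes_supported": ["openid", "userinfo"]
}
""")

ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
                   "jwks_uri", "introspection_endpoint", "revocation_endpoint")


def discovery_url(issuer):
    """Well-known location per OpenID Connect Discovery 1.0 section 4."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc, expected_issuer, id_token_alg="RS256"):
    """Return (errors, warnings). Any error means: do not configure from this document."""
    errors, warnings = [], []
    # The issuer value must be identical to the issuer the RP expects; token "iss"
    # claims are later compared against this same string.
    if doc.get("issuer") != expected_issuer:
        errors.append("issuer mismatch: %r" % doc.get("issuer"))
    origin = urlsplit(expected_issuer)
    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if not url:
            errors.append("missing " + field)
            continue
        parts = urlsplit(url)
        # Endpoints must be HTTPS and hosted by the issuer; an endpoint elsewhere
        # would make the RP send codes or client credentials to a third party.
        if parts.scheme != "https":
            errors.append(field + " is not https")
        if parts.netloc != origin.netloc:
            errors.append(field + " points outside the issuer host")
    if id_token_alg not in doc.get("id_token_signing_alg_values_supported", []):
        errors.append("provider does not advertise " + id_token_alg)
    if "code" not in doc.get("response_types_supported", []):
        errors.append("authorization code flow not advertised")
    if "tokeninfo_endpoint" in doc:
        warnings.append("tokeninfo_endpoint is deprecated; use introspection_endpoint")
    return errors, warnings


def scope_allowed(doc, scope, rp_entity_id):
    """Besides scopes_supported, the RP's own entityID is a valid scope (see above)."""
    return scope in doc.get("scopes_supported", []) or scope == rp_entity_id


def configure_client(doc, expected_issuer):
    """Turn a validated document into the endpoint map an RP actually needs."""
    errors, _ = check_discovery(doc, expected_issuer)
    if errors:
        raise ValueError("; ".join(errors))
    return {field: doc[field] for field in ENDPOINT_FIELDS}
```

In a real client the document would be fetched over TLS from discovery_url(expected_issuer) and passed to configure_client; the sample here stands in for that response so the checks can be exercised offline.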
JSON Web Key Set Request
The address of the issuer's JSON Web Key Set is discovered from the issuer metadata by reading the "jwks_uri" field.
GET /uas/oauth2/metadata.jwks
```http
GET https://sso.example.com/uas/oauth2/metadata.jwks
```
JSON Web Key Set Response
https://tools.ietf.org/html/rfc7517
Parameters
...
keys: JSON array with one or more JSON Web Keys, each containing:
- kty
The value "RSA"
- use
The value "sig"
- n, e
RSA public key parameters (modulus and public exponent)
Optional
- x5c
The issuer key in an X.509 certificate envelope. Available if the compatibility flag MetadataCertificate is enabled in SSO Server.
```http
HTTP/1.1 200 OK
Content-Type: application/jwk-set+json

{"keys": [{"kty": "RSA", "use": "sig", "n": "AK-iEcWcXv2VVnv...", "e": "AQAB"}]}
```
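What the relying party does with this document is select the RSA signing key (kty "RSA", use "sig", matching kid if the token names one) and verify RS256 signatures with it. The following is an added example, not GlobalSign SSO code: it decodes the JWK parameters, tolerating the leading zero octet that the sample modulus above ("AK-...") carries, refuses any token whose header does not say RS256, and checks the PKCS#1 v1.5 encoding with plain Python integers so it runs offline. The demo key, its generation routine and the helper names are this example's own; real deployments should leave the RSA arithmetic to a maintained JOSE library.

```python
"""Select an RSA signing key from a JWKS and verify an RS256 compact JWS with it.
Added example (not GlobalSign SSO code); the demo key below is generated here."""
import base64
import hashlib
import hmac
import json
import random


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).decode("ascii").rstrip("=")


def jwk_to_rsa(jwk):
    """Return (n, e). int.from_bytes ignores a leading zero octet in "n", which some
    issuers emit (the page's sample "AK-..." modulus starts with one)."""
    if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
        raise ValueError("not an RSA signing key")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return n, e


def select_signing_key(jwks, kid=None):
    """Exactly one usable key must match; otherwise refuse rather than guess."""
    keys = [k for k in jwks["keys"]
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"
            and (kid is None or k.get("kid") == kid)]
    if len(keys) != 1:
        raise ValueError("expected one matching signing key, found %d" % len(keys))
    return keys[0]


# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(message, k):
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_rs256(token, jwks):
    """Verify a compact JWS. Raises if the header alg is not RS256 (no alg switching)."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    n, e = jwk_to_rsa(select_signing_key(jwks, header.get("kid")))
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(b64url_decode(s64), "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")                      # RSAVP1
    expected = _emsa_pkcs1_v15((h64 + "." + p64).encode("ascii"), k)
    return hmac.compare_digest(em, expected)                  # full-encoding compare


# ---- demo key material, for this example only (never generate real keys this way) ----

def _probable_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if any(c % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23)):
            continue
        d, r = c - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(16):                                   # Miller-Rabin rounds
            x = pow(rng.randrange(2, c - 1), d, c)
            if x in (1, c - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, c)
                if x == c - 1:
                    break
            else:
                break                                         # composite: next candidate
        else:
            return c


def demo_jwks_and_token(seed=1):
    """Build a 1024-bit demo key, publish it as a JWKS and sign a sample payload."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _probable_prime(512, rng), _probable_prime(512, rng)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    # Published with a leading zero octet on purpose, like the page's sample modulus.
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "kid": "demo-1",
                      "n": b64url_encode(b"\x00" + n.to_bytes(k, "big")),
                      "e": b64url_encode(e.to_bytes(3, "big"))}]}   # "AQAB"
    h64 = b64url_encode(json.dumps({"alg": "RS256", "kid": "demo-1"}).encode())
    p64 = b64url_encode(json.dumps({"iss": "https://sso.example.com/uas", "sub": "alice"}).encode())
    s = pow(int.from_bytes(_emsa_pkcs1_v15((h64 + "." + p64).encode("ascii"), k), "big"), d, n)
    return jwks, h64 + "." + p64 + "." + b64url_encode(s.to_bytes(k, "big"))
```

Two design points carry over to production code: the algorithm is fixed by the verifier, not taken from the token header, and the whole encoded message is compared, not just the trailing hash, so a malformed padding block is rejected as well.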
...