...
Metadata | Endpoint
---|---
OAuth2 and OpenID Connect Metadata | /uas/.well-known/openid-configuration
JWKS Web Keys | /uas/oauth2/metadata.jwks
Metadata Request
The main OAuth2 metadata endpoint contains all of the relevant server endpoints, supported profiles and links to public key material used for validation of signed data.
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
GET /uas/.well-known/openid-configuration
The same metadata is also available at the address /uas/oauth2/metadata.json. The address /uas/.well-known/openid-configuration is preferred for interoperability.
```http
GET https://sso.example.com/uas/.well-known/openid-configuration
```
Metadata Response
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
Parameters
...
- tokeninfo_endpoint (deprecated, will be removed in SSO 8): introspection_endpoint provides the same functionality and should be used instead.
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer": "https://sso.example.com/uas",
  "authorization_endpoint": "https://sso.example.com/uas/oauth2/authorization",
  "token_endpoint": "https://sso.example.com/uas/oauth2/token",
  "userinfo_endpoint": "https://sso.example.com/uas/oauth2/userinfo",
  "jwks_uri": "https://sso.example.com/uas/oauth2/metadata.jwks",
  "tokeninfo_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "introspection_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "revocation_endpoint": "https://sso.example.com/uas/oauth2/revocation",
  "response_types_supported": ["code"],
  "grant_types_supported": [
    "authorization_code",
    "password",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp",
    "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp"
  ],
  "subject_types_supported": ["public"],
  "request_object_signing_alg_values_supported": ["RS256", "HS256"],
  "request_object_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5", "A128KW", "A256KW"],
  "request_object_encryption_enc_values_supported": ["A128CBC-HS256", "A256CBC-HS512"],
  "id_token_signing_alg_values_supported": ["RS256", "HS256"],
  "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5", "A128KW", "A256KW"],
  "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A256CBC-HS512"],
  "userinfo_signing_alg_values_supported": ["RS256", "HS256"],
  "userinfo_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5", "A128KW", "A256KW"],
  "userinfo_encryption_enc_values_supported": ["A128CBC-HS256", "A256CBC-HS512"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256", "HS256"],
  "introspection_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt"],
  "introspection_endpoint_auth_signing_alg_values_supported": ["RS256", "HS256"],
  "revocation_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt"],
  "revocation_endpoint_auth_signing_alg_values_supported": ["RS256", "HS256"],
  "scopes_supported": ["openid", "userinfo"]
}
```
JSON Web Key Set Request
The address of the issuer's JSON Web Key Set is discovered from the issuer metadata by reading the "jwks_uri" field.
GET /uas/oauth2/metadata.jwks
```http
GET https://sso.example.com/uas/oauth2/metadata.jwks
```
JSON Web Key Set Response
https://tools.ietf.org/html/rfc7517
Parameters
...
JSON array with one or more JSON Web Keys:
- kty: the value "RSA"
- use: the value "sig"
- n, e: RSA public key parameters
Optional:
- x5c: the issuer key in an X.509 certificate envelope. Available if the compatibility flag MetadataCertificate is enabled in SSO Server.
```http
HTTP/1.1 200 OK
Content-Type: application/jwk-set+json

{
  "keys": [
    {"kty": "RSA", "use": "sig", "n": "AK-iEcWcXv2VVnv...", "e": "AQAB"}
  ]
}
```
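As an added example (not part of the original documentation or the SSO Server code), the client-side handling of the discovery document and JWKS shown above: it checks that the returned issuer matches the URL the configuration was fetched from, prefers introspection_endpoint over the deprecated tokeninfo_endpoint, and decodes the n and e parameters of the RSA signing keys. The discovery document is trimmed from the response above; the JWKS modulus is a constructed toy value, not a real key.

```python
import base64
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document, trimmed from the metadata response above.
DISCOVERY_JSON = """{
  "issuer": "https://sso.example.com/uas",
  "jwks_uri": "https://sso.example.com/uas/oauth2/metadata.jwks",
  "tokeninfo_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "introspection_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "id_token_signing_alg_values_supported": ["RS256", "HS256"]
}"""

# Constructed JWKS; "n" is a toy 12-bit modulus (3233), not a real key.
JWKS_JSON = '{"keys": [{"kty": "RSA", "use": "sig", "n": "DKE", "e": "AQAB"}]}'


def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url JWK parameter into an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def load_discovery(body: str, fetched_from: str) -> dict:
    """Parse provider metadata and check it against the URL it came from."""
    doc = json.loads(body)
    if not fetched_from.endswith(WELL_KNOWN):
        raise ValueError("not a well-known discovery URL")
    expected_issuer = fetched_from[: -len(WELL_KNOWN)]
    # OIDC Discovery 4.3: issuer MUST equal the URL used to retrieve the config.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    if urlparse(doc["jwks_uri"]).scheme != "https":
        raise ValueError("jwks_uri must be https")
    return doc


def introspection_url(doc: dict) -> str:
    """Prefer introspection_endpoint; tokeninfo_endpoint is deprecated."""
    return doc.get("introspection_endpoint") or doc["tokeninfo_endpoint"]


def rsa_signing_keys(jwks_body: str) -> list:
    """Return (n, e) for every RSA key usable for signature verification."""
    keys = []
    for jwk in json.loads(jwks_body)["keys"]:
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
            continue  # skip non-RSA keys and keys not meant for signing
        keys.append((b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])))
    return keys
```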
...