Published by Scroll Versions from space IDS and version 8.2

...

MetadataEndpoint
OAuth2 and OpenID Connect Metadata   /uas/.well-known/openid-configuration
JWKS Web Keys                        /uas/oauth2/metadata.jwks

Metadata Request

The main OAuth2 metadata endpoint lists all of the relevant server endpoints, the supported profiles and algorithms, and the link to the public key material used to validate signed data.

http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest

GET /uas/.well-known/openid-configuration

The same metadata is also available at the address /uas/oauth2/metadata.json. The address /uas/.well-known/openid-configuration is preferred for interoperability.

Sample metadata request

GET https://sso.example.com/uas/.well-known/openid-configuration

Metadata Response

http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Parameters

...

Sample metadata response (SSO 8.2)

HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer": "https://sso.example.com/uas",
  "authorization_endpoint": "https://sso.example.com/uas/oauth2/authorization",
  "token_endpoint": "https://sso.example.com/uas/oauth2/token",
  "userinfo_endpoint": "https://sso.example.com/uas/oauth2/userinfo",
  "jwks_uri": "https://sso.example.com/uas/oauth2/metadata.jwks",
  "tokeninfo_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "introspection_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "revocation_endpoint": "https://sso.example.com/uas/oauth2/revocation",
  "response_types_supported": [
    "code"
  ],
  "grant_types_supported": [
    "authorization_code",
    "password",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp",
    "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp"
  ],
  "subject_types_supported": [
    "public"
  ],
  "request_object_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "request_object_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5",
    "A128KW",
    "A256KW"
  ],
  "request_object_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "id_token_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5",
    "A128KW",
    "A256KW"
  ],
  "id_token_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "userinfo_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5",
    "A128KW",
    "A256KW"
  ],
  "userinfo_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "introspection_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "revocation_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "scopes_supported": [
    "openid",
    "userinfo"
  ]
}

JSON Web Key Set Request

The address of the issuer's JSON Web Key Set is discovered from the issuer metadata by reading the "jwks_uri" field.

GET /uas/oauth2/metadata.jwks

Sample JWKS request

GET https://sso.example.com/uas/oauth2/metadata.jwks

JSON Web Key Set Response

https://tools.ietf.org/html/rfc7517

Parameters

...

JSON Array with one or more JSON Web Keys

  • kty: The value "RSA"
  • use: The value "sig"
  • n, e: RSA public key parameters

Optional

  • x5c: The issuer key in an X.509 certificate envelope. Available if the compatibility flag MetadataCertificate is enabled in SSO Server.
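The discovery-then-JWKS flow described above (metadata request, "jwks_uri" lookup, key set parsing), as an added relying-party example that is not part of this page or of the SSO product. It embeds a trimmed copy of the sample metadata from this page and a constructed JWKS (the "kid" values and the toy modulus are made up), checks that the "issuer" claim matches the configured issuer and that "jwks_uri" is an https URL before trusting the document, and keeps only RSA keys marked use=sig for signature verification.

```python
import base64
import json

# Constructed sample: the discovery document from this page, trimmed to the fields used here.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://sso.example.com/uas",
    "authorization_endpoint": "https://sso.example.com/uas/oauth2/authorization",
    "token_endpoint": "https://sso.example.com/uas/oauth2/token",
    "jwks_uri": "https://sso.example.com/uas/oauth2/metadata.jwks",
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
})

# Constructed sample JWKS in RFC 7517 form (toy 3-byte modulus, not a real key):
# one RSA signing key and one encryption key that must never be used to verify signatures.
JWKS_DOC = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "kid": "sso-2019", "n": "AQID", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "kid": "sso-enc", "n": "AQID", "e": "AQAB"},
]})


def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url big-endian integer, the encoding of JWK 'n' and 'e'."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def load_discovery(doc: str, expected_issuer: str) -> dict:
    """Parse provider metadata and refuse it unless 'issuer' exactly matches the
    issuer we configured (OpenID Connect Discovery requires an exact string match)
    and the key set is fetched over https, so a spoofed document cannot redirect key lookup."""
    meta = json.loads(doc)
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r != %r" % (meta.get("issuer"), expected_issuer))
    jwks_uri = meta.get("jwks_uri", "")
    if not jwks_uri.startswith("https://"):
        raise ValueError("jwks_uri must be an https URL: %r" % jwks_uri)
    return meta


def signing_keys(jwks: str) -> dict:
    """Return {kid: (n, e)} for the RSA keys marked use=sig; every other key is ignored."""
    keys = {}
    for jwk in json.loads(jwks).get("keys", []):
        if jwk.get("kty") != "RSA" or jwk.get("use") != "sig":
            continue
        keys[jwk["kid"]] = (b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"]))
    return keys


if __name__ == "__main__":
    meta = load_discovery(DISCOVERY_DOC, "https://sso.example.com/uas")
    print(meta["jwks_uri"], signing_keys(JWKS_DOC))
```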

...