Configuring an OpenID Connect Provider to accept discovery requests
The discovery configuration endpoint makes information available about the capabilities that are supported by the OpenID Connect Provider (OP) server.
About this task
The metadata that is returned by this service is based on and extends the OIDC Discovery 1.0 specification provider metadata. The service returns a set of default configurations if nothing is specified. Otherwise, refer to the list of properties to understand their purpose and possible configurable options.
Procedure
You can override the default values for selected properties in the discovery configuration service by specifying the values in the server.xml file. The following table lists the configurable properties and their possible configuration options.
Attribute Name | Data Type | Required/Optional | Description |
---|---|---|---|
responseTypesSupported | Input | Optional | The response types that are supported by the OpenID Connect Provider (OP) server. Unless specified, the default values are code, token, and id_token token. More than one value can be specified. These values are strings. For example, possible values are: |
subjectTypesSupported | Output only | N/A | The subject types that are supported by the OP server. This value is set to public. This value is a string. |
idTokenSigningAlgValuesSupported | Output only | Optional | The ID token signing algorithms that are supported by the OP server. This value is taken from the signatureAlgorithm attribute of the openidConnectProvider element in the server configuration. Unless specified, the default value is HS256. Only one value can be specified. This is a string. For example, possible values for the signatureAlgorithm attribute in the openidConnectProvider configuration are: |
scopesSupported | Input | Optional | The scope values that are supported by the OP server. Unless specified, the default values are openid, general, profile, email, address, and phone. More than one value can be specified. These values are strings. For example, possible values are: |
claimsSupported | Input | Optional | The claim values that are supported by the OP server. Unless specified, the default values are sub, groupIds, name, preferred_username, picture, locale, email, and profile. More than one value can be specified. These values are strings. For example, possible values are: |
responseModesSupported | Input | Optional | The response modes that are supported by the OP server. Unless specified, the default values are query and fragment. More than one value can be specified. These values are strings. |
grantTypesSupported | Input | Optional | The grant types that are supported by the OP server. Unless specified, the default values are authorization_code, implicit, refresh_token, client_credentials, password, and urn:ietf:params:oauth:grant-type:jwt-bearer. More than one value can be specified. These values are strings. For example, possible values are: |
tokenEndpointAuthMethodsSupported | Input | Optional | The token endpoint authentication methods (the ways a client can authenticate to the token endpoint) that are supported by the OP server. Unless specified, the default values are client_secret_post and client_secret_basic. More than one value can be specified. These values are strings. For example, possible values are: |
displayValuesSupported | Output only | N/A | The display values that are supported by the OP server. This value is set to page. This value is a string. |
claimTypesSupported | Output only | N/A | The claim type values that are supported by the OP server. This value is set to normal. This value is a string. |
claimsParameterSupported | Input | Optional | Indicates whether the claims request parameter is supported by the OP server. Unless specified, the default value is false. Only one value can be specified. This is a Boolean value; possible values are true and false. |
requestParameterSupported | Input | Optional | Indicates whether the request parameter is supported by the OP server. Unless specified, the default value is false. Only one value can be specified. This is a Boolean value; possible values are true and false. |
requestUriParameterSupported | Input | Optional | Indicates whether the request URI parameter is supported by the OP server. Unless specified, the default value is false. Only one value can be specified. This is a Boolean value; possible values are true and false. |
requireRequestUriRegistration | Input | Optional | Indicates whether the OP server requires request URI values to be registered before use. Unless specified, the default value is false. Only one value can be specified. This is a Boolean value; possible values are true and false. |
Examples of discovery configuration
The following example assumes that the Liberty OP is configured with SSL on port 443, so the provider's base URL is:
https://server.example.com:443/oidc/endpoint/<provider_name>/
The discovery configuration endpoint is then accessible at:
https://server.example.com:443/oidc/endpoint/<provider_name>/.well-known/openid-configuration
For example, in the server.xml file, a user can customize the OpenID Connect discovery configuration properties as follows:
<openidConnectProvider id="OidcConfigSample" oauthProviderRef="OAuthConfigSample">
    <discovery
        responseTypesSupported="token, id_token token"
        subjectTypesSupported="public"
        scopesSupported="openid, general, profile"
        claimsSupported="sub, groupIds, name"
        responseModesSupported="query"
        grantTypesSupported="implicit"
        tokenEndpointAuthMethodsSupported="client_secret_basic"
        displayValuesSupported="page"
        claimTypesSupported="normal"
        claimsParameterSupported="true"
        requestParameterSupported="true"
        requestUriParameterSupported="true"
        requireRequestUriRegistration="true"
    />
</openidConnectProvider>
<oauthProvider id="OAuthConfigSample">
</oauthProvider>
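A practical follow-up to the configuration above is to confirm that the values set in the discovery element are what the OP actually publishes at the .well-known/openid-configuration endpoint, and that the published document passes the checks a relying party should apply before trusting it. The following Python script is an added example, not code from Liberty or its documentation. It parses a constructed server.xml snippet, derives the metadata the OP should publish by applying the defaults from the property table and the server.xml overrides (assuming each attribute maps to the snake_case OIDC Discovery 1.0 field of the same name, for example responseTypesSupported to response_types_supported), and compares that with a constructed discovery response. The issuer value and the endpoint paths (/authorize, /token, /jwk) are assumed values chosen for the example, not taken from this page.

```python
"""Compare a Liberty OP's published discovery metadata with its <discovery> overrides.

Added example; not part of Liberty or its documentation. It assumes that each
server.xml <discovery> attribute maps to the snake_case OIDC Discovery 1.0 field of
the same name, and it uses a constructed server.xml snippet and a constructed
discovery response in place of a live server.
"""
import json
import xml.etree.ElementTree as ET

# Defaults from the property table, keyed by server.xml attribute name.
DEFAULTS = {
    "responseTypesSupported": ["code", "token", "id_token token"],
    "subjectTypesSupported": ["public"],
    "idTokenSigningAlgValuesSupported": ["HS256"],
    "scopesSupported": ["openid", "general", "profile", "email", "address", "phone"],
    "claimsSupported": ["sub", "groupIds", "name", "preferred_username",
                        "picture", "locale", "email", "profile"],
    "responseModesSupported": ["query", "fragment"],
    "grantTypesSupported": ["authorization_code", "implicit", "refresh_token",
                            "client_credentials", "password",
                            "urn:ietf:params:oauth:grant-type:jwt-bearer"],  # RFC 7523 URN
    "tokenEndpointAuthMethodsSupported": ["client_secret_post", "client_secret_basic"],
    "displayValuesSupported": ["page"],
    "claimTypesSupported": ["normal"],
    "claimsParameterSupported": False,
    "requestParameterSupported": False,
    "requestUriParameterSupported": False,
    "requireRequestUriRegistration": False,
}


def to_metadata_name(attr):
    """Map a server.xml attribute name to its OIDC metadata field name,
    e.g. responseTypesSupported -> response_types_supported (assumed mapping)."""
    return "".join("_" + c.lower() if c.isupper() else c for c in attr)


def expected_metadata(server_xml):
    """Metadata the OP should publish: table defaults overridden by <discovery> attributes."""
    root = ET.fromstring(server_xml)
    disc = root.find(".//openidConnectProvider/discovery")
    overrides = disc.attrib if disc is not None else {}
    expected = {}
    for attr, default in DEFAULTS.items():
        if attr not in overrides:
            expected[to_metadata_name(attr)] = default
        elif isinstance(default, bool):
            expected[to_metadata_name(attr)] = overrides[attr].strip().lower() == "true"
        else:
            # Multi-valued attributes are written as comma-separated lists in server.xml.
            expected[to_metadata_name(attr)] = [v.strip() for v in overrides[attr].split(",") if v.strip()]
    return expected


def check_discovery(server_xml, discovery_json, expected_issuer):
    """Return a list of findings; an empty list means the document matches server.xml
    and passes the relying-party sanity checks."""
    doc = json.loads(discovery_json)
    findings = []
    # Checks a relying party should apply to any discovery document it fetches.
    if doc.get("issuer") != expected_issuer:
        findings.append("issuer mismatch: advertised %r" % doc.get("issuer"))
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(field, "")).startswith("https://"):
            findings.append("%s missing or not served over https" % field)
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("unsigned ID tokens advertised (alg none)")
    # Every field from the table must match what server.xml says it should be.
    for name, want in expected_metadata(server_xml).items():
        got = doc.get(name)
        if isinstance(want, list) and isinstance(got, list):
            same = sorted(got) == sorted(want)
        else:
            same = got == want
        if not same:
            findings.append("%s: advertised %r, expected %r" % (name, got, want))
    return findings


# Constructed server.xml snippet modelled on the example above (wrapped in <server>).
SERVER_XML = """<server>
  <openidConnectProvider id="OidcConfigSample" oauthProviderRef="OAuthConfigSample">
    <discovery responseTypesSupported="token, id_token token"
               scopesSupported="openid, general, profile"
               grantTypesSupported="implicit"
               tokenEndpointAuthMethodsSupported="client_secret_basic"
               requestParameterSupported="true" />
  </openidConnectProvider>
  <oauthProvider id="OAuthConfigSample" />
</server>"""

# Assumed issuer for the example; a real check would use the OP's configured issuer.
ISSUER = "https://server.example.com:443/oidc/endpoint/OidcConfigSample"

# Constructed response for ISSUER + "/.well-known/openid-configuration". One value is
# deliberately stale: grant_types_supported still shows the default list, not "implicit".
DISCOVERY_JSON = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",  # assumed path
    "token_endpoint": ISSUER + "/token",              # assumed path
    "jwks_uri": ISSUER + "/jwk",                      # assumed path
    "response_types_supported": ["token", "id_token token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["HS256"],
    "scopes_supported": ["openid", "general", "profile"],
    "claims_supported": DEFAULTS["claimsSupported"],
    "response_modes_supported": ["query", "fragment"],
    "grant_types_supported": DEFAULTS["grantTypesSupported"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "display_values_supported": ["page"],
    "claim_types_supported": ["normal"],
    "claims_parameter_supported": False,
    "request_parameter_supported": True,
    "request_uri_parameter_supported": False,
    "require_request_uri_registration": False,
})

if __name__ == "__main__":
    for finding in check_discovery(SERVER_XML, DISCOVERY_JSON, ISSUER):
        print("FINDING:", finding)
```

Run as-is, the script reports a single finding for grant_types_supported, which is the kind of drift this check exists to catch: the server.xml says only the implicit grant is advertised, but the published document still lists the full default set. Against a real server, replace DISCOVERY_JSON with the body fetched from the .well-known/openid-configuration URL and ISSUER with the issuer the relying party was configured to trust.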