openid-configuration

The core OpenID Connect specification assumes that "the Relying Party has already obtained configuration information about the OpenID Provider, including its Authorization Endpoint and Token Endpoint locations".

This list of configuration parameters can be distributed to the Relying Party (RP) / Client application in various ways, but an extension to the specification has been made to ease the distribution of such configuration data.

The OpenID Connect Discovery 1.0 specification (incorporating errata set 1) defines "a mechanism for an OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations".

OpenID Provider Issuer URL

Buypass will always provide the issuer URL to the customer "out-of-band", skipping the need for Issuer Discovery.

The Buypass Issuer URL depends on the Security Domain and typically has the format:

Buypass OIDC Issuer URL format
https://auth.buypass.no/auth/realms/SECURITYDOMAIN/

OpenID Provider Configuration

Given the issuer URL, the specification describes how to get all relevant OpenID Provider metadata (including endpoints) in the section "Obtaining OpenID Provider Configuration Information".

An HTTP GET request to the following URL:

https://auth.buypass.no/auth/realms/SECURITYDOMAIN/.well-known/openid-configuration

will result in a JSON document similar to this example:

OpenID Provider Configuration
{
  "issuer": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN",
  "authorization_endpoint": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect/auth",
  "token_endpoint": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect/token",
  "token_introspection_endpoint": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect/logout",
  "jwks_uri": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect/certs",
  "check_session_iframe": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials"
  ],
  "response_types_supported": [
    "code",
    "none",
    "id_token",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS256"
  ],
  "request_object_signing_alg_values_supported": [
    "none",
    "RS256"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "registration_endpoint": "https://auth.buypass.no/auth/realms/SECURITYDOMAIN/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256"
  ],
  "claims_supported": [
    "sub",
    "iss",
    "auth_time",
    "name",
    "given_name",
    "family_name",
    "preferred_username",
    "email"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": false,
  "scopes_supported": [
    "openid",
    "offline_access"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true
}

Note that the OIDC configuration provided for a particular Security Domain may deviate from this example (there may be configuration options added and/or removed).
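
As an added example (not Buypass code and not part of the original page), the following Python shows how a Relying Party can build the configuration URL from the out-of-band issuer URL and check the returned document before trusting its endpoints. The function names, the same-host policy and the constructed sample document are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_URLS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def strip_slash(issuer):
    # Discovery 1.0, section 4.1: remove a terminating "/" before appending.
    return issuer[:-1] if issuer.endswith("/") else issuer

def discovery_url(issuer):
    return strip_slash(issuer) + WELL_KNOWN

def validate_metadata(configured_issuer, raw_json):
    """Parse a discovery document; raise ValueError if it must not be trusted."""
    meta = json.loads(raw_json)
    expected = strip_slash(configured_issuer)
    # Section 4.3: the returned issuer must equal the URL used for retrieval.
    if meta.get("issuer") != expected:
        raise ValueError("issuer mismatch: %r" % meta.get("issuer"))
    host = urlsplit(expected).hostname
    for key in REQUIRED_URLS:
        url = urlsplit(str(meta.get(key, "")))
        if url.scheme != "https":
            raise ValueError("%s is missing or not https" % key)
        # Assumption of this example (local policy, not a spec requirement):
        # endpoints live on the same host as the issuer, as in the page's sample.
        if url.hostname != host:
            raise ValueError("%s is on unexpected host %r" % (key, url.hostname))
    # The Discovery spec requires RS256 to be offered for ID Token signing.
    if "RS256" not in meta.get("id_token_signing_alg_values_supported", []):
        raise ValueError("RS256 not offered for ID Tokens")
    return meta

# Constructed sample: a subset of the page's example, SECURITYDOMAIN left as placeholder.
BASE = "https://auth.buypass.no/auth/realms/SECURITYDOMAIN"
SAMPLE = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(discovery_url(BASE + "/"))
    meta = validate_metadata(BASE + "/", json.dumps(SAMPLE))
    print("token endpoint:", meta["token_endpoint"])
```

Because the configuration for a Security Domain may differ from the sample, a check like this is best run on every fetch of the document rather than once at integration time.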