Server Discovery endpoint

1. Discovering server’s endpoints and capabilities

cidaas supports OAuth 2.0 together with the OpenID Connect standards, and OpenID Connect Discovery gives clients a self-discovery URL for the server.

The discovery endpoint can be used to retrieve metadata about IdentityServer: it returns information such as the issuer name, key material, supported scopes, etc.

The members of the following JSON object, such as the supported grants, response types, client authentication methods and security algorithms, are needed by dynamic clients and application developers to construct requests to the cidaas server.

OpenID providers publish their metadata at a well-known URL which looks like this:

well-known URL: https://[your_cidaas_domain_url]/.well-known/openid-configuration

2. Web API Overview

Resources
  • /.well-known/openid-configuration [GET]

Representations
  • OpenID provider metadata

Errors
  • 404 Not Found
  • 500 Internal Server Error

3. Resources

3.1 /.well-known/openid-configuration:

Retrieves the cidaas server’s metadata.

Success:

  • Code: 200
  • Content-Type: application/json
  • Body: {object} The OpenID Provider metadata.

Errors:

  • 404 Not Found
  • 500 Internal Server Error

Example: request to get the cidaas server’s metadata:

GET /.well-known/openid-configuration
Host: sampleeshop.cidaas.de

The response containing a JSON object with the metadata:

{
    "issuer": "https://[your_cidaas_domain_url]",
    "userinfo_endpoint": "https://[your_cidaas_domain_url]/users-srv/userinfo",
    "authorization_endpoint": "https://[your_cidaas_domain_url]/authz-srv/authz",
    "introspection_endpoint": "https://[your_cidaas_domain_url]/token-srv/introspect",
    "revocation_endpoint": "https://[your_cidaas_domain_url]/token-srv/revoke",
    "token_endpoint": "https://[your_cidaas_domain_url]/token-srv/token",
    "jwks_uri": "https://[your_cidaas_domain_url]/.well-known/jwks.json",
    "check_session_iframe": "https://[your_cidaas_domain_url]/session/check_session",
    "end_session_endpoint": "https://[your_cidaas_domain_url]/session/end_session",
    "subject_types_supported": [
        "public"
    ],
    "scopes_supported": [
        "openid",
        "profile",
        "email",
        "phone",
        "address",
        "offline_access",
        "identities",
        "roles",
        "groups"
    ],
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "code token",
        "code id_token",
        "token id_token",
        "code token id_token"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "grant_types_supported": [
        "implicit",
        "authorization_code",
        "refresh_token",
        "password",
        "client_credentials"
    ],
    "id_token_signing_alg_values_supported": [
        "HS256",
        "RS256"
    ],
    "id_token_encryption_alg_values_supported": [
        "RS256"
    ],
    "id_token_encryption_enc_values_supported": [
        "A128CBC-HS256"
    ],
    "userinfo_signing_alg_values_supported": [
        "HS256",
        "RS256"
    ],
    "userinfo_encryption_alg_values_supported": [
        "RS256"
    ],
    "userinfo_encryption_enc_values_supported": [
        "A128CBC-HS256"
    ],
    "request_object_signing_alg_values_supported": [
        "HS256",
        "RS256"
    ],
    "request_object_encryption_alg_values_supported": [
        "RS256"
    ],
    "request_object_encryption_enc_values_supported": [
        "A128CBC-HS256"
    ],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_post",
        "client_secret_jwt",
        "private_key_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "HS256",
        "RS256"
    ],
    "claims_supported": [
        "aud",
        "auth_time",
        "created_at",
        "email",
        "email_verified",
        "exp",
        "family_name",
        "given_name",
        "iat",
        "identities",
        "iss",
        "mobile_number",
        "name",
        "nickname",
        "phone_number",
        "picture",
        "sub"
    ],
    "claims_parameter_supported": false,
    "claim_types_supported": [
        "normal"
    ],
    "service_documentation": "https://docs.sampleeshop.cidaas.de/",
    "claims_locales_supported": [
        "en-US"
    ],
    "ui_locales_supported": [
        "en-US",
        "de-DE"
    ],
    "display_values_supported": [
        "page",
        "popup"
    ],
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": true,
    "require_request_uri_registration": false,
    "op_policy_uri": "https://www.sampleeshop.com/privacy-policy/",
    "op_tos_uri": "https://www.sampleeshop.com/terms-of-use/"
}

4. Representations

4.1 OpenID Provider Metadata

The OpenID provider metadata JSON object has the following members:

Metadata Description
issuer {string} The server identifier, typically the base URL of the cidaas server, using the https scheme, e.g. https://{your_cidaas_domain_url}
jwks_uri {string} The public server JWK set URL.
registration_endpoint {string} The OAuth 2.0 / OpenID Connect client registration endpoint URL.
authorization_endpoint {string} The OAuth 2.0 authorisation endpoint URL.
token_endpoint {string} The OAuth 2.0 token endpoint URL.
introspection_endpoint {string} The OAuth 2.0 token introspection endpoint URL.
revocation_endpoint {string} The OAuth 2.0 token revocation endpoint URL.
userinfo_endpoint {string} OpenID Connect UserInfo endpoint URL.
[ end_session_endpoint ] {string} The OpenID Connect logout endpoint URL, omitted if disabled.
grant_types_supported {string array} List of the supported OAuth 2.0 grant types.
response_types_supported {string array} List of the supported OAuth 2.0 response_type values.
response_modes_supported {string array} List of the supported OAuth 2.0 response_mode values.
code_challenge_methods_supported {string array} List of the supported transformation methods on the authorisation code verifier for Proof Key for Code Exchange (PKCE).
token_endpoint_auth_methods_supported {string array} List of the supported client authentication methods at the OAuth 2.0 token endpoint.
[ token_endpoint_auth_signing_alg_values_supported ] {string array} List of the supported JWS algorithms for JWT-based client authentication at the OAuth 2.0 token endpoint, omitted or empty if none.
id_token_signing_alg_values_supported {string array} List of the supported JWS algorithms for securing the issued ID tokens.
[ id_token_encryption_alg_values_supported ] {string array} List of the supported JWE algorithms for securing the issued ID tokens, omitted or empty if none.
[ id_token_encryption_enc_values_supported ] {string array} List of the supported JWE encryption methods for securing the issued ID tokens, omitted or empty if none.
userinfo_signing_alg_values_supported {string array} List of the supported JWS algorithms for securing the claims returned at the UserInfo endpoint.
[userinfo_encryption_alg_values_supported] {string array} List of the supported JWE encryption algorithms for securing the claims returned at the UserInfo endpoint, omitted or empty if none.
[ userinfo_encryption_enc_values_supported ] {string array} List of the supported JWE encryption methods for securing the claims returned at the UserInfo endpoint, omitted or empty if none.
[ request_object_signing_alg_values_supported ] {string array} List of the supported JWS algorithms for securing OpenID Connect request objects.
[ request_object_encryption_alg_values_supported ] {string array} List of the supported JWE encryption algorithms for securing OpenID Connect request objects, omitted or empty if none.
[ request_object_encryption_enc_values_supported ] {string array} List of the supported JWE encryption methods for securing OpenID Connect request objects, omitted or empty if none.
subject_types_supported {string array} List of the supported subject (end-user) identifier types.
acr_values_supported {string array} List of the supported Authentication Context Class References.
display_values_supported {string array} List of the supported display parameters.
scopes_supported {string array} List of the supported scope values. Certain values may be omitted for privacy reasons.
claim_types_supported {string array} List of the supported OpenID Connect claim types.
claims_supported {string array} List of the supported OpenID Connect claims. Certain values may be omitted for privacy reasons.
[ claims_locales_supported ] {string array} List of the supported OpenID Connect claims locales, omitted or empty if none.
[ ui_locales_supported ] {string array} List of the supported UI locales, omitted or empty if none.
claims_parameter_supported {true | false} Specifies whether the claims request parameter is supported.
request_parameter_supported {true | false} Specifies whether the request parameter is supported.
request_uri_parameter_supported {true | false} Specifies whether the request_uri parameter is supported.
require_request_uri_registration {true | false} Specifies whether request URIs must be registered for a client.
[ op_policy_uri ] {string} The privacy policy document URL, omitted if none.
[ op_tos_uri ] {string} The terms of service document URL, omitted if none.
[ service_documentation ] {string} The service documentation URL, omitted if none.
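The metadata document above is only useful to a client if it is checked before its values are trusted: the issuer must match the server the document was fetched for, every endpoint should be an https URL on that same host, and among the advertised options the client should pick the strongest (S256 rather than plain for PKCE, RS256 rather than HS256 for ID token signing, private_key_jwt rather than a shared secret for token endpoint authentication). The following Python is an added example, not cidaas code; it embeds a trimmed copy of the page's sample response with the constructed host sampleeshop.cidaas.de standing in for [your_cidaas_domain_url], and performs those checks offline.

```python
"""Parse and sanity-check an OpenID Provider metadata document.

Added example, not part of the cidaas documentation or SDK. It assumes the
document was fetched over HTTPS from the .well-known URL of the issuer and
uses the constructed host "sampleeshop.cidaas.de" for the placeholder domain.
"""
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the metadata document shown on this page.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://sampleeshop.cidaas.de",
    "authorization_endpoint": "https://sampleeshop.cidaas.de/authz-srv/authz",
    "token_endpoint": "https://sampleeshop.cidaas.de/token-srv/token",
    "userinfo_endpoint": "https://sampleeshop.cidaas.de/users-srv/userinfo",
    "introspection_endpoint": "https://sampleeshop.cidaas.de/token-srv/introspect",
    "revocation_endpoint": "https://sampleeshop.cidaas.de/token-srv/revoke",
    "jwks_uri": "https://sampleeshop.cidaas.de/.well-known/jwks.json",
    "end_session_endpoint": "https://sampleeshop.cidaas.de/session/end_session",
    "response_types_supported": ["code", "token", "id_token", "code token"],
    "grant_types_supported": ["implicit", "authorization_code", "refresh_token",
                              "password", "client_credentials"],
    "id_token_signing_alg_values_supported": ["HS256", "RS256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic",
                                              "client_secret_post",
                                              "client_secret_jwt",
                                              "private_key_jwt"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "subject_types_supported": ["public"],
})

# Members that OpenID Connect Discovery 1.0 requires a provider to publish.
REQUIRED_MEMBERS = ("issuer", "authorization_endpoint", "token_endpoint",
                    "jwks_uri", "response_types_supported",
                    "subject_types_supported",
                    "id_token_signing_alg_values_supported")

# Members whose values are URLs the client will later send requests to.
ENDPOINT_MEMBERS = ("authorization_endpoint", "token_endpoint",
                    "userinfo_endpoint", "jwks_uri", "introspection_endpoint",
                    "revocation_endpoint", "end_session_endpoint")


def discovery_url(issuer: str) -> str:
    """Build the well-known URL for an issuer (OpenID Connect Discovery 1.0)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_metadata(raw: str, fetched_for_issuer: str) -> dict:
    """Validate a discovery document and choose the safest advertised options.

    Returns a dict with a 'problems' list (empty when the document is clean)
    plus the PKCE method, ID token algorithm and token endpoint auth method
    a client should use with this provider.
    """
    meta = json.loads(raw)
    problems = []

    # 1. All required members must be present.
    for name in REQUIRED_MEMBERS:
        if name not in meta:
            problems.append(f"missing required member: {name}")

    # 2. The issuer must be the one the document was fetched for; otherwise a
    #    client could be pointed at another provider's endpoints and keys.
    issuer = meta.get("issuer", "")
    if issuer.rstrip("/") != fetched_for_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {issuer!r} != {fetched_for_issuer!r}")

    # 3. Every endpoint must use https and live on the issuer's host.
    issuer_host = urlparse(issuer).netloc
    for name in ENDPOINT_MEMBERS:
        url = meta.get(name)
        if url is None:
            continue  # optional members such as end_session_endpoint may be absent
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append(f"{name} is not https: {url}")
        if parts.netloc != issuer_host:
            problems.append(f"{name} host differs from issuer: {url}")

    # 4. Prefer the strongest of the advertised values.
    pkce = meta.get("code_challenge_methods_supported", [])
    algs = meta.get("id_token_signing_alg_values_supported", [])
    auth = meta.get("token_endpoint_auth_methods_supported", [])
    if "S256" not in pkce:
        problems.append("S256 PKCE method not offered")
    if "none" in algs:
        problems.append("unsigned ('none') ID tokens advertised")
    preferred_auth = ("private_key_jwt", "client_secret_jwt",
                      "client_secret_basic", "client_secret_post")

    return {
        "problems": problems,
        "pkce_method": "S256" if "S256" in pkce else None,
        "id_token_alg": "RS256" if "RS256" in algs else (algs[0] if algs else None),
        "token_auth": next((m for m in preferred_auth if m in auth), None),
        "implicit_offered": "implicit" in meta.get("grant_types_supported", []),
    }


if __name__ == "__main__":
    print(discovery_url("https://sampleeshop.cidaas.de"))
    print(json.dumps(check_metadata(SAMPLE_METADATA,
                                    "https://sampleeshop.cidaas.de"), indent=2))
```

The implicit_offered flag is reported rather than treated as a problem: the provider advertising the implicit grant does not force a client to use it, but a client that sees it should make sure its own registration only allows the code flow with PKCE.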

5. Errors

404 Not Found

The requested resource doesn’t exist.

Example:

HTTP/1.1 404 Not Found

500 Internal Server Error

An internal server error has occurred. Check the cidaas server logs for details.

Example:

HTTP/1.1 500 Internal Server Error
