/.well-known/webfinger
Allows clients to retrieve the provider URL for an end user by HTTP GET as specified by OpenID Connect Discovery 1.0.
This endpoint does not support specifying a realm in the path, and is always located after the deployment URI. For example, https://openam.example.com:8443/openam/.well-known/webfinger.
Tip: For more information about OpenID Connect discovery, see "OpenID Connect Discovery".
The endpoint supports the following parameters:
host
The server where the relying party can access the WebFinger service.
Notice that this is a host name rather than a URL to the endpoint, which is why you might need to redirect relying parties appropriately as described above.
resource
Identifies the end user that is the subject of the request.
The relying party must percent-encode the resource value when using it in the query string of the request. For example, when using the acct URI scheme and the resource is acct:user@example.com, the value to use is acct%3Auser%40example.com.
rel
URI identifying the type of service whose location is requested.
In this case https://openid.net/specs/connect/1.0/issuer, which is http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer when percent-encoded.
Test the endpoint for the demo user account with the following command:
$ curl \
"https://openam.example.com:8443/openam/.well-known/webfinger\
?resource=acct%3Ademo%40example.com\
&rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer"
{
  "subject": "acct:demo@example.com",
  "links": [
    {
      "rel": "https://openid.net/specs/connect/1.0/issuer",
      "href": "https://openam.example.com:8443/openam/oauth2"
    }
  ]
}
This example shows that the OpenID Connect provider for the AM demo user is indeed the AM server.
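As an added example (not part of the AM documentation or the AM code base), a small Python relying-party helper that builds the request above with the required percent-encoding and validates the response before trusting the issuer: the subject must equal the resource that was asked for, exactly one issuer link must be present, and its href must be an https URL. The sample response body is a constructed copy of the one shown above.

```python
import json
from urllib.parse import urlencode, urlsplit

# The request above sends the http form of the rel, while the AM response on this
# page answers with the https form, so both spellings are accepted when matching links.
ISSUER_RELS = {
    "http://openid.net/specs/connect/1.0/issuer",
    "https://openid.net/specs/connect/1.0/issuer",
}

# Constructed copy of the response body shown above (not a live capture).
SAMPLE_RESPONSE = json.dumps({
    "subject": "acct:demo@example.com",
    "links": [{"rel": "https://openid.net/specs/connect/1.0/issuer",
               "href": "https://openam.example.com:8443/openam/oauth2"}],
})


def build_webfinger_url(deployment_uri, resource,
                        rel="http://openid.net/specs/connect/1.0/issuer"):
    """Build the WebFinger GET URL. urlencode() percent-encodes ':', '@' and '/'
    in the query string, giving acct%3A...%40... and http%3A%2F%2F... as above."""
    query = urlencode({"resource": resource, "rel": rel})
    return f"{deployment_uri.rstrip('/')}/.well-known/webfinger?{query}"


def extract_issuer(body, resource):
    """Return the issuer href from a WebFinger JSON body, refusing responses that
    answer for a different subject, carry no single issuer link, or point at a
    non-https issuer; a relying party should not start discovery from such a value."""
    doc = json.loads(body)
    if doc.get("subject") != resource:
        raise ValueError(f"subject {doc.get('subject')!r} is not the requested {resource!r}")
    hrefs = [link.get("href") for link in doc.get("links", [])
             if link.get("rel") in ISSUER_RELS]
    if len(hrefs) != 1 or not hrefs[0]:
        raise ValueError(f"expected exactly one issuer link, got {hrefs!r}")
    if urlsplit(hrefs[0]).scheme != "https":
        raise ValueError(f"issuer must be an https URL: {hrefs[0]!r}")
    return hrefs[0]


if __name__ == "__main__":
    print(build_webfinger_url("https://openam.example.com:8443/openam",
                              "acct:demo@example.com"))
    print(extract_issuer(SAMPLE_RESPONSE, "acct:demo@example.com"))
```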