/.well-known/webfinger

Allows clients to retrieve the provider URL for an end user by HTTP GET as specified by OpenID Connect Discovery 1.0.

This endpoint does not support specifying a realm in the path, and is always located after the deployment URI. For example, https://openam.example.com:8443/openam/.well-known/webfinger.

Tip

For more information about OpenID Connect discovery, see "OpenID Connect Discovery".

The endpoint supports the following parameters:

host

The server where the relying party can access the WebFinger service.

Notice that this is a host name rather than a URL to the endpoint, which is why you might need to redirect relying parties appropriately as described above.

resource

Identifies the end user that is the subject of the request.

The relying party must percent-encode the resource value when using it in the query string of the request. For example, when using the acct URI scheme with the resource acct:user@example.com, the value to use is acct%3Auser%40example.com.

rel

URI identifying the type of service whose location is requested.

In this case http://openid.net/specs/connect/1.0/issuer, which is http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer when percent-encoded.

Test the endpoint for the demo user account with the following command:

$ curl \
"https://openam.example.com:8443/openam/.well-known/webfinger\
?resource=acct%3Ademo%40example.com\
&rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer"
{
  "subject": "acct:demo@example.com",
  "links": [
    {
      "rel": "https://openid.net/specs/connect/1.0/issuer",
      "href": "https://openam.example.com:8443/openam/oauth2"
    }
  ]
}

This example shows that the OpenID Connect provider for the AM demo user is indeed the AM server.
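
The following relying-party sketch is an added example, not code from AM or from the original page. It builds the same percent-encoded request as the curl command above and checks the response before trusting the issuer it names. The function names, the subject check, and the choice to accept both the http and https spellings of the rel value are assumptions of this example.

```python
import json
from urllib.parse import quote, urlencode, urlsplit

# rel value from the request on this page. The page's sample response shows
# the https spelling, so this example accepts either one (an assumption).
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
ACCEPTED_RELS = {ISSUER_REL, "https://openid.net/specs/connect/1.0/issuer"}


def webfinger_url(deployment_url, resource):
    """Build the request URL with resource and rel percent-encoded."""
    query = urlencode({"resource": resource, "rel": ISSUER_REL},
                      quote_via=quote, safe="")
    return deployment_url.rstrip("/") + "/.well-known/webfinger?" + query


def issuer_from_response(body, resource):
    """Return the issuer URL from a WebFinger response, or raise ValueError."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("response is not a JSON object")
    # Conservative choice for this example: the answer must be about the
    # account that was asked for.
    if doc.get("subject") != resource:
        raise ValueError("subject does not match requested resource")
    for link in doc.get("links") or []:
        if not isinstance(link, dict) or link.get("rel") not in ACCEPTED_RELS:
            continue
        href = str(link.get("href") or "")
        parts = urlsplit(href)
        # OpenID Connect issuers are https URLs without query or fragment.
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("issuer is not an https URL")
        if parts.query or parts.fragment:
            raise ValueError("issuer carries a query or fragment")
        return href
    raise ValueError("no issuer link in response")


# Constructed sample input: the response body shown in the example above.
SAMPLE = """{"subject": "acct:demo@example.com", "links": [{
  "rel": "https://openid.net/specs/connect/1.0/issuer",
  "href": "https://openam.example.com:8443/openam/oauth2"}]}"""

if __name__ == "__main__":
    base = "https://openam.example.com:8443/openam"
    print(webfinger_url(base, "acct:demo@example.com"))
    print(issuer_from_response(SAMPLE, "acct:demo@example.com"))
```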
