Lets clients determine the provider URL for an end user, as described in the OpenID Connect Discovery 1.0 incorporating errata set 1 specification.

The endpoint is disabled by default; to enable it, see "OpenID Connect Discovery".

The discovery endpoint supports the following parameters:


realm

Specifies the AM realm that must be queried for user information. Unlike other AM endpoints, the discovery endpoint does not support specifying the realm in the path, because it is always located after the deployment URI. For example, https://openam.example.com:8443/openam/.well-known/webfinger.

Required: No.


resource

Identifies the URL-encoded subject of the request. This parameter can take the following formats, as defined in the specification:

  • acct:user_email. For example, acct%3Ademo%40example.com.

  • acct:user_email@host. For example, acct%3Ademo%2540example.com%40server.example.com.

  • http_or_https://host/username. For example, http%3A%2F%2Fserver.example.com%2Fdemo.

  • http_or_https://host:port. For example, http%3A%2F%2Fserver.example.com%3A8080.

The value of host is related to the discovery URL exposed to the clients. In the examples, the exposed discovery endpoint would be something similar to http://server.example.com/.well-known/webfinger. For more information about exposing the endpoint through a proxy or load balancer, see "OpenID Connect Discovery".

Wildcard (*) characters are not supported.

Required: Yes.


rel

Specifies the URL-encoded URI identifying the type of service whose location is requested. The only valid value is http://openid.net/specs/connect/1.0/issuer.

Required: Yes.

The following command requests information about the demo user in the example.com domain from the OAuth 2.0 provider service in the Engineering realm:

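$ curl \
--request GET \
"https://openam.example.com:8443/openam/.well-known/webfinger?realm=Engineering&resource=acct%3Ademo%40example.com&rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer"
{
  "subject": "acct:demo@example.com",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://openam.example.com:8443/openam/oauth2"
    }
  ]
}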
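The following client-side sketch is an added example, not code from the AM documentation. It builds the discovery request with the encodings shown above (including the double-encoded %2540 of the acct:user_email@host form) and checks the response before the issuer is used. The function names are hypothetical, the query parameter names resource and rel follow WebFinger (RFC 7033), realm is assumed to be AM's parameter name, and the subject check assumes the response echoes the requested resource as in the sample output.

```python
import json
from urllib.parse import quote, urlencode, urlsplit

ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"  # only valid rel value

# Sample response, constructed from the output shown on this page.
SAMPLE = json.dumps({
    "subject": "acct:demo@example.com",
    "links": [{"rel": ISSUER_REL,
               "href": "https://openam.example.com:8443/openam/oauth2"}],
})

def acct_resource(email, host=None):
    """Return the unencoded acct: URI to send as the resource parameter."""
    if host is None:
        return f"acct:{email}"
    # The '@' inside the email is escaped within the URI itself, so it shows
    # up as %2540 once the whole value is URL-encoded for the query string.
    return f"acct:{quote(email, safe='')}@{host}"

def webfinger_url(base, resource, realm=None):
    """Build the discovery URL; base is the AM deployment URL (assumption)."""
    if "*" in resource:
        raise ValueError("wildcard characters are not supported in resource")
    params = {}
    if realm is not None:  # realm is optional
        params["realm"] = realm
    params["resource"] = resource
    params["rel"] = ISSUER_REL
    query = urlencode(params, quote_via=quote, safe="")
    return f"{base.rstrip('/')}/.well-known/webfinger?{query}"

def issuer_from_response(body, expected_subject):
    """Return the issuer href, rejecting responses a client should not trust."""
    doc = json.loads(body)
    if doc.get("subject") != expected_subject:
        raise ValueError("subject does not match the requested resource")
    for link in doc.get("links", []):
        if link.get("rel") == ISSUER_REL:
            href = link.get("href", "")
            # OpenID Connect Discovery requires an https issuer location.
            if urlsplit(href).scheme != "https":
                raise ValueError("issuer must be an https URL")
            return href
    raise ValueError("no issuer link in response")
```

Rejecting a non-https or mismatched-subject response keeps a client from following an issuer location it did not ask for.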
