Identity Cloud

/oauth2/.well-known/openid-configuration

Lets relying parties retrieve the OpenID Provider configuration using an HTTP GET request, as specified in the OpenID Connect Discovery 1.0 specification.

Relying parties can obtain the configuration by passing in the full path to the realm in the URL. For example, if the OpenID Connect provider is configured in the alpha realm, the URL would resemble the following: https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/.well-known/openid-configuration.

Refer to OpenID Connect Discovery for more information.

After the relying party has discovered the end user's provider, it can retrieve the provider's configuration:

$ curl "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/.well-known/openid-configuration"
{
   "request_parameter_supported":true,
   "claims_parameter_supported":false,
   "pushed_authorization_request_endpoint":"https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/par",
   "introspection_endpoint":"https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/introspect",
   "check_session_iframe":"https://<tenant-env-fqdn>/am/oauth2/connect/checkSession",
   "require_pushed_authorization_requests":false,
   "scopes_supported":[
      "address",
      "phone",
      "openid",
      "profile",
      "email"
   ],
   "userinfo_endpoint":"https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/userinfo",
   "jwks_uri":"https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/connect/jwk_uri",
   "registration_endpoint":"https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/register",
  …​.
}
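
An added example (not ForgeRock's code) of checks a relying party can run on the retrieved document before trusting it: the `issuer` must be identical to the issuer used to build the configuration URL, as OpenID Connect Discovery 1.0 requires, and each advertised endpoint must be an HTTPS URL. The same-host rule, the `validate_discovery` name, and the `tenant.example.com` sample document are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Endpoint fields taken from the discovery response shown above.
ENDPOINT_KEYS = (
    "pushed_authorization_request_endpoint", "introspection_endpoint",
    "check_session_iframe", "userinfo_endpoint", "jwks_uri",
    "registration_endpoint",
)

def validate_discovery(doc, expected_issuer):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    # Discovery 1.0 configuration validation: the returned issuer must be
    # identical to the issuer the relying party used to build the URL.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer: {doc.get('issuer')!r} != {expected_issuer!r}")
    expected_host = urlsplit(expected_issuer).hostname
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue  # optional metadata, absent from this document
        parts = urlsplit(url) if isinstance(url, str) else None
        if parts is None or parts.scheme != "https":
            problems.append(f"{key}: not an https URL")
        elif parts.hostname != expected_host:
            # Assumed local policy (stricter than the spec): same host as issuer.
            problems.append(f"{key}: host {parts.hostname!r} is not {expected_host!r}")
    return problems

# Constructed sample values; tenant.example.com is a placeholder host.
EXPECTED_ISSUER = "https://tenant.example.com/am/oauth2/realms/root/realms/alpha"
SAMPLE = {
    "issuer": EXPECTED_ISSUER,
    "userinfo_endpoint": EXPECTED_ISSUER + "/userinfo",
    "jwks_uri": EXPECTED_ISSUER + "/connect/jwk_uri",
    "check_session_iframe": "https://tenant.example.com/am/oauth2/connect/checkSession",
}

if __name__ == "__main__":
    print(validate_discovery(SAMPLE, EXPECTED_ISSUER))  # unmodified document
    swapped = dict(SAMPLE, jwks_uri="https://keys.other.example/jwk_uri")
    print(validate_discovery(swapped, EXPECTED_ISSUER))  # key source on another host
```

Rejecting a document whose `jwks_uri` points elsewhere matters because that URL is where the relying party fetches the keys it uses to verify ID token signatures.
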
Copyright © 2010-2023 ForgeRock, all rights reserved.