/.well-known/webfinger

The /.well-known/webfinger endpoint is described in OpenID Connect Discovery 1.0 incorporating errata set 1.

Use it to discover the OpenID provider for an end user.

Do not specify the realm in the request URL; for example:

https://<tenant-env-fqdn>/am/.well-known/webfinger

This endpoint is disabled by default. For details, refer to OIDC discovery.

Supported parameters

The discovery endpoint supports the following parameters:

Parameter Description Required

Parameter	Description	Required
`realm`	The PingOne Advanced Identity Cloud realm to query for the user profile.	No
`rel`	The URI identifying the type of service.	Yes; use `http://openid.net/specs/connect/1.0/issuer`
`resource`	The URL-encoded subject of the request.; one of: `acct:user-email` `acct:user-email@host` `http(s)://host/username` `http(s)://host:port` The `host` relates to the discovery URL. For example, if the endpoint is `http://server.example.com/am/.well-known/webfinger`, the host is `server.example.com`. The `resource` parameter does not support wildcard characters (`*`).	Yes

realm

The PingOne Advanced Identity Cloud realm to query for the user profile.

rel

The URI identifying the type of service.

Yes; use http://openid.net/specs/connect/1.0/issuer

resource

The URL-encoded subject of the request.; one of:

acct:user-email
acct:user-email@host
http(s)://host/username
http(s)://host:port

The host relates to the discovery URL. For example, if the endpoint is http://server.example.com/am/.well-known/webfinger, the host is server.example.com.

The resource parameter does not support wildcard characters (*).

Yes

Example

$ curl \
'https://<tenant-env-fqdn>/am/.well-known/webfinger?resource=acct%3Abjensen%40example.com&rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer'
{
  "subject": "acct:bjensen@example.com",
  "links": [{
    "rel": "http://openid.net/specs/connect/1.0/issuer",
    "href": "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha"
  }]
}