Construct .well-known OIDC discovery JSON

Warning

Please note that this document uses the legacy authenticators. To use the new protocol-agnostic authenticators, apply the relevant modifications to the configuration examples outlined in this article.

Note

Please note that when setting up a modern OIDC environment in PAS, you do not need to do this manually.

Summary

This document describes how to create the OIDC .well-known discovery JSON document for your OpenID Connect Provider.

System Requirements

  • PhenixID Authentication Services HTTPS domain
  • OpenID Connect Provider tenant value
  • OpenID Connect Provider token endpoint URI, userinfo endpoint URI [OPTIONAL] and JWKS URL

Instruction

  1. Copy this JSON:

    {
      "issuer": "https://<pas_server_domain>/<tenant>/oidc",
      "authorization_endpoint": "https://<pas_server_domain>/oidc_auth/authenticate/<authenticator_alias>",
      "token_endpoint": "https://<pas_server_domain>/api/authentication/collectJWT",
      "jwks_uri": "https://<pas_server_domain>/oidc/<tenant>/keys",
      "userinfo_endpoint": "https://<pas_server_domain>/api/authentication/userinfo?tenant",
      "response_types_supported": [
        "code"
      ],
      "grant_types_supported": [
        "authorization_code"
      ],
      "subject_types_supported": [
        "public"
      ],
      "id_token_signing_alg_values_supported": [
        "RS256"
      ],
      "scopes_supported": [
        "openid"
      ],
      "token_endpoint_auth_methods_supported": [
        "none"
      ],
      "claims_supported": [
        "iss",
        "ver",
        "sub",
        "aud",
        "iat",
        "exp",
        "jti",
        "auth_time",
        "amr",
        "idp",
        "nonce",
        "name",
        "nickname",
        "preferred_username",
        "given_name",
        "givenname",
        "middle_name",
        "family_name",
        "sn",
        "email",
        "emailaddress",
        "email_verified",
        "profile",
        "zoneinfo",
        "locale",
        "address",
        "phone_number",
        "picture",
        "website",
        "gender",
        "birthdate"
      ],
      "end_session_endpoint": "https://<pas_server_domain>/oidc_auth/authenticate/logout/"
    }
    
  2. Replace <pas_server_domain> with your PhenixID Authentication Services domain name.

  3. Replace <tenant> with your tenant value.

  4. Replace <authenticator_alias> with your PhenixID Authentication Services OIDC authenticator alias value.

  5. Verify the URIs of the token and userinfo endpoints. Change them if needed (if you configured different names for the pipes used).

  6. Once done, verify the JSON structure using an online tool, such as jsonlint.
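As an added example (not part of the PhenixID documentation), the following Python script carries out steps 2 to 6 offline: it substitutes the three placeholders and then validates the result with the checks a relying party applies when it fetches a discovery document (required metadata fields present, https issuer without query or fragment, every endpoint served over https on the issuer host, no placeholder left behind), so the JSON does not have to be pasted into an online tool. The claims_supported list is omitted from the embedded template for brevity, and the domain, tenant and alias values used in the test are constructed.

```python
import json
from urllib.parse import urlsplit
# Template from step 1 above (claims_supported omitted here for brevity).
TEMPLATE = {
    "issuer": "https://<pas_server_domain>/<tenant>/oidc",
    "authorization_endpoint": "https://<pas_server_domain>/oidc_auth/authenticate/<authenticator_alias>",
    "token_endpoint": "https://<pas_server_domain>/api/authentication/collectJWT",
    "jwks_uri": "https://<pas_server_domain>/oidc/<tenant>/keys",
    "userinfo_endpoint": "https://<pas_server_domain>/api/authentication/userinfo?tenant",
    "end_session_endpoint": "https://<pas_server_domain>/oidc_auth/authenticate/logout/",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid"],
    "token_endpoint_auth_methods_supported": ["none"],
}
# Metadata fields OpenID Connect Discovery 1.0 requires for an authorization-code provider.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
             "userinfo_endpoint", "end_session_endpoint")

def build_discovery(domain, tenant, alias):
    """Steps 2-4: substitute the placeholders and return the discovery JSON text."""
    text = json.dumps(TEMPLATE, indent=2)
    for placeholder, value in (("<pas_server_domain>", domain), ("<tenant>", tenant),
                               ("<authenticator_alias>", alias)):
        text = text.replace(placeholder, value)
    return text

def check_discovery(text):
    """Steps 5-6 offline: parse the JSON, then apply the checks a relying party
    makes when it fetches the document. Returns a list of problems (empty = OK)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    issuer = urlsplit(doc.get("issuer", ""))
    if issuer.scheme != "https" or issuer.query or issuer.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    for key in ENDPOINTS:
        url = doc.get(key, "")
        if "<" in url or ">" in url:
            problems.append(f"{key}: unreplaced placeholder in {url}")
        elif urlsplit(url).scheme != "https" or urlsplit(url).netloc != issuer.netloc:
            problems.append(f"{key}: must be https on the issuer host")
    return problems
```

Run check_discovery on the text you intend to publish; an empty list means the document passed every check.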