OpenID Connect Discovery Document
Schema describing the OpenID Provider Configuration Information document as defined in OpenID Connect Discovery 1.0. This document advertises the provider's capabilities, supported endpoints, signing algorithms, and other metadata that clients need to interact with the provider.
Tags: Authentication, Identity, JWT, OAuth, OIDC, OpenID Connect
Properties
| Name | Type | Description |
|---|---|---|
| issuer | string | The issuer identifier for the OpenID Provider. This value is used as the 'iss' claim in ID tokens and must be identical to the Issuer URL from which the discovery document was retrieved; clients should reject a document whose issuer does not match. |
| authorization_endpoint | string | URL of the authorization endpoint where authentication requests are sent. |
| token_endpoint | string | URL of the token endpoint used to exchange authorization codes for tokens. |
| userinfo_endpoint | string | URL of the UserInfo endpoint for retrieving claims about the authenticated user. |
| jwks_uri | string | URL of the JSON Web Key Set document containing the provider's public signing keys. |
| registration_endpoint | string | URL of the Dynamic Client Registration endpoint. |
| scopes_supported | array | List of OAuth 2.0 scope values supported by the provider. |
| response_types_supported | array | List of OAuth 2.0 response_type values supported. |
| response_modes_supported | array | List of OAuth 2.0 response_mode values supported. |
| grant_types_supported | array | List of OAuth 2.0 grant type values supported. |
| acr_values_supported | array | List of Authentication Context Class Reference values supported. |
| subject_types_supported | array | List of Subject Identifier types supported (public or pairwise). |
| id_token_signing_alg_values_supported | array | List of JWS signing algorithms supported for ID tokens; clients should only accept ID tokens whose 'alg' header is in this list. |
| id_token_encryption_alg_values_supported | array | List of JWE encryption algorithms (alg values) supported for ID tokens. |
| id_token_encryption_enc_values_supported | array | List of JWE encryption algorithms (enc values) supported for ID tokens. |
| userinfo_signing_alg_values_supported | array | List of JWS signing algorithms supported for UserInfo responses. |
| userinfo_encryption_alg_values_supported | array | List of JWE encryption algorithms supported for UserInfo responses. |
| request_object_signing_alg_values_supported | array | List of JWS signing algorithms supported for Request Objects. |
| token_endpoint_auth_methods_supported | array | List of client authentication methods supported by the token endpoint. |
| token_endpoint_auth_signing_alg_values_supported | array | List of JWS signing algorithms supported for token endpoint authentication. |
| display_values_supported | array | List of display parameter values supported. |
| claim_types_supported | array | List of Claim Types supported (normal, aggregated, distributed). |
| claims_supported | array | List of Claim Names that the provider may supply values for. |
| claims_parameter_supported | boolean | Whether the provider supports the 'claims' request parameter. |
| request_parameter_supported | boolean | Whether the provider supports the 'request' parameter for passing Request Objects. |
| request_uri_parameter_supported | boolean | Whether the provider supports the 'request_uri' parameter for passing a Request Object by reference. |
| require_request_uri_registration | boolean | Whether the provider requires request_uri values to be pre-registered. |
| code_challenge_methods_supported | array | List of PKCE code challenge methods supported. |
| end_session_endpoint | string | URL of the end session endpoint for RP-Initiated Logout. |
| introspection_endpoint | string | URL of the token introspection endpoint. |
| revocation_endpoint | string | URL of the token revocation endpoint. |
| service_documentation | string | URL of a page with human-readable information about the provider. |
| op_policy_uri | string | URL of the provider's policy document describing how client data is used. |
| op_tos_uri | string | URL of the provider's terms of service document. |
JSON Schema
{
"$id": "oidc-discovery.json",
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "OpenID Connect Discovery Document",
"description": "Schema describing the OpenID Provider Configuration Information document as defined in OpenID Connect Discovery 1.0. This document advertises the provider's capabilities, supported endpoints, signing algorithms, and other metadata that clients need to interact with the provider.",
"type": "object",
"required": [
"issuer",
"authorization_endpoint",
"jwks_uri",
"response_types_supported",
"subject_types_supported",
"id_token_signing_alg_values_supported"
],
"properties": {
"issuer": {
"type": "string",
"format": "uri",
"description": "The issuer identifier for the OpenID Provider. This value is used as the 'iss' claim in ID tokens and must be identical to the Issuer URL from which the discovery document was retrieved; clients should reject a document whose issuer does not match."
},
"authorization_endpoint": {
"type": "string",
"format": "uri",
"description": "URL of the authorization endpoint where authentication requests are sent."
},
"token_endpoint": {
"type": "string",
"format": "uri",
"description": "URL of the token endpoint used to exchange authorization codes for tokens."
},
"userinfo_endpoint": {
"type": "string",
"format": "uri",
"description": "URL of the UserInfo endpoint for retrieving claims about the authenticated user."
},
"jwks_uri": {
"type": "string",
"format": "uri",
"description": "URL of the JSON Web Key Set document containing the provider's public signing keys."
},
"registration_endpoint": {
"type": "string",
"format": "uri",
"description": "URL of the Dynamic Client Registration endpoint."
},
"scopes_supported": {
"type": "array",
"description": "List of OAuth 2.0 scope values supported by the provider.",
"items": {
"type": "string"
},
"examples": [
["openid", "profile", "email", "address", "phone", "offline_access"]
]
},
"response_types_supported": {
"type": "array",
"description": "List of OAuth 2.0 response_type values supported.",
"items": {
"type": "string"
},
"examples": [
["code", "id_token", "id_token token", "code id_token"]
]
},
"response_modes_supported": {
"type": "array",
"description": "List of OAuth 2.0 response_mode values supported.",
"items": {
"type": "string"
},
"examples": [
["query", "fragment", "form_post"]
]
},
"grant_types_supported": {
"type": "array",
"description": "List of OAuth 2.0 grant type values supported.",
"items": {
"type": "string"
},
"examples": [
["authorization_code", "implicit", "refresh_token", "client_credentials"]
]
},
"acr_values_supported": {
"type": "array",
"description": "List of Authentication Context Class Reference values supported.",
"items": {
"type": "string"
}
},
"subject_types_supported": {
"type": "array",
"description": "List of Subject Identifier types supported (public or pairwise).",
"items": {
"type": "string",
"enum": ["public", "pairwise"]
}
},
"id_token_signing_alg_values_supported": {
"type": "array",
"description": "List of JWS signing algorithms supported for ID tokens; clients should only accept ID tokens whose 'alg' header is in this list.",
"items": {
"type": "string"
},
"examples": [
["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256"]
]
},
"id_token_encryption_alg_values_supported": {
"type": "array",
"description": "List of JWE encryption algorithms (alg values) supported for ID tokens.",
"items": {
"type": "string"
}
},
"id_token_encryption_enc_values_supported": {
"type": "array",
"description": "List of JWE encryption algorithms (enc values) supported for ID tokens.",
"items": {
"type": "string"
}
},
"userinfo_signing_alg_values_supported": {
"type": "array",
"description": "List of JWS signing algorithms supported for UserInfo responses.",
"items": {
"type": "string"
}
},
"userinfo_encryption_alg_values_supported": {
"type": "array",
"description": "List of JWE encryption algorithms supported for UserInfo responses.",
"items": {
"type": "string"
}
},
"request_object_signing_alg_values_supported": {
"type": "array",
"description": "List of JWS signing algorithms supported for Request Objects.",
"items": {
"type": "string"
}
},
"token_endpoint_auth_methods_supported": {
"type": "array",
"description": "List of client authentication methods supported by the token endpoint.",
"items": {
"type": "string"
},
"examples": [
["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"]
]
},
"token_endpoint_auth_signing_alg_values_supported": {
"type": "array",
"description": "List of JWS signing algorithms supported for token endpoint authentication.",
"items": {
"type": "string"
}
},
"display_values_supported": {
"type": "array",
"description": "List of display parameter values supported.",
"items": {
"type": "string",
"enum": ["page", "popup", "touch", "wap"]
}
},
"claim_types_supported": {
"type": "array",
"description": "List of Claim Types supported (normal, aggregated, distributed).",
"items": {
"type": "string",
"enum": ["normal", "aggregated", "distributed"]
}
},
"claims_supported": {
"type": "array",
"description": "List of Claim Names that the provider may supply values for.",
"items": {
"type": "string"
},
"examples": [
["sub", "name", "given_name", "family_name", "email", "email_verified", "picture", "locale"]
]
},
"claims_parameter_supported": {
"type": "boolean",
"description": "Whether the provider supports the 'claims' request parameter.",
"default": false
},
"request_parameter_supported": {
"type": "boolean",
"description": "Whether the provider supports the 'request' parameter for passing Request Objects.",
"default": false
},
"request_uri_parameter_supported": {
"type": "boolean",
"description": "Whether the provider supports the 'request_uri' parameter for passing a Request Object by reference.",
"default": true
},
"require_request_uri_registration": {
"type": "boolean",
"description": "Whether the provider requires request_uri values to be pre-registered.",
"default": false
},
"code_challenge_methods_supported": {
"type": "array",
"description": "List of PKCE code challenge methods supported.",
"items": {
"type": "string",
"enum": ["plain", "S256"]
}
},
"end_session_endpoint": {
"type": "string",
"format": "uri",
"description": "URL of the end session endpoint for RP-Initiated Logout."
},
"introspection_endpoint": {
"type": "string",
"format": "uri",
"description": "URL of the token introspection endpoint."
},
"revocation_endpoint": {
"type": "string",
"format": "uri",
"description": "URL of the token revocation endpoint."
},
"service_documentation": {
"type": "string",
"format": "uri",
"description": "URL of a page with human-readable information about the provider."
},
"op_policy_uri": {
"type": "string",
"format": "uri",
"description": "URL of the provider's policy document describing how client data is used."
},
"op_tos_uri": {
"type": "string",
"format": "uri",
"description": "URL of the provider's terms of service document."
}
},
"additionalProperties": true
}