Configure Applications with OIDC Discovery

OpenID Connect (OIDC) Discovery documents contain metadata about the identity provider (IdP). Configuring your application with the OIDC Discovery endpoint simplifies integration by providing details about the supported endpoints, claims, and features of Login 3.0.

The OIDC discovery document for your Login 3.0 tenant can be found at:

https://{yourDomain}/.well-known/openid-configuration


Benefits of OIDC Discovery

Integrating OIDC Discovery into your application provides:

  • Exposed IdP Endpoints:

    Access to endpoints such as the authorization, token, and user info endpoints.

  • Standardized OIDC Claims and Scopes:

    Metadata about supported claims (e.g., aud, email, sub) and scopes (e.g., openid, profile).

  • Supported Features:

    Details about response types, token signing algorithms, and other OIDC features.


Sample OIDC Discovery Response

Below is an example of a response from the OIDC Discovery endpoint:

{
  "issuer": "https://{yourDomain}/",
  "authorization_endpoint": "https://{yourDomain}/authorize",
  "token_endpoint": "https://{yourDomain}/oauth/token",
  "device_authorization_endpoint": "https://{yourDomain}/oauth/device/code",
  "userinfo_endpoint": "https://{yourDomain}/userinfo",
  "jwks_uri": "https://{yourDomain}/.well-known/jwks.json",
  "registration_endpoint": "https://{yourDomain}/oidc/register",
  "revocation_endpoint": "https://{yourDomain}/oauth/revoke",
  "scopes_supported": ["openid", "profile", "email"],
  "response_types_supported": ["code", "token", "id_token"],
  "code_challenge_methods_supported": ["S256", "plain"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["HS256", "RS256", "PS256"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"],
  "claims_supported": ["aud", "email", "exp", "iat", "iss", "sub"],
  "request_uri_parameter_supported": false,
  "request_parameter_supported": false
}
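An application should not take a discovery document at face value just because it parsed. The Go program below is an added example (not code from Login 3.0 or UPBOND) that shows the checks worth running before the endpoints are trusted: the issuer must equal the issuer the application was configured with, every endpoint must be an https URL on that issuer's host, RS256 must be offered for ID-token signing, and S256 must be offered for PKCE. It goes slightly beyond the page by checking endpoint hosts, which is what stops a tampered document from redirecting token or key requests elsewhere. The embedded document is a constructed copy of the sample above with login.example.com standing in for {yourDomain}; a real client would fetch the document over HTTPS from the .well-known URL first.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Discovery holds the subset of the provider metadata this check looks at.
type Discovery struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	JwksURI               string   `json:"jwks_uri"`
	CodeChallengeMethods  []string `json:"code_challenge_methods_supported"`
	IDTokenSigningAlgs    []string `json:"id_token_signing_alg_values_supported"`
}

// sampleDiscovery is a constructed document modelled on the page's sample, with the
// placeholder {yourDomain} replaced by an example host (an assumption, not a real tenant).
const sampleDiscovery = `{
  "issuer": "https://login.example.com/",
  "authorization_endpoint": "https://login.example.com/authorize",
  "token_endpoint": "https://login.example.com/oauth/token",
  "userinfo_endpoint": "https://login.example.com/userinfo",
  "jwks_uri": "https://login.example.com/.well-known/jwks.json",
  "code_challenge_methods_supported": ["S256", "plain"],
  "id_token_signing_alg_values_supported": ["HS256", "RS256", "PS256"]
}`

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// ValidateDiscovery parses a discovery document and returns the problems found when
// checking it against the issuer the application was configured with:
//   - the issuer field must match the configured issuer (trailing slash ignored),
//   - every endpoint must be an https URL on the issuer's host,
//   - RS256 must be offered for ID-token signing and S256 for PKCE.
// An empty result means the document passed every check.
func ValidateDiscovery(raw []byte, configuredIssuer string) ([]string, error) {
	var d Discovery
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	issuerURL, err := url.Parse(configuredIssuer)
	if err != nil {
		return nil, err
	}
	var problems []string
	if strings.TrimSuffix(d.Issuer, "/") != strings.TrimSuffix(configuredIssuer, "/") {
		problems = append(problems, fmt.Sprintf("issuer %q does not match configured %q", d.Issuer, configuredIssuer))
	}
	endpoints := []struct{ name, value string }{
		{"authorization_endpoint", d.AuthorizationEndpoint},
		{"token_endpoint", d.TokenEndpoint},
		{"userinfo_endpoint", d.UserinfoEndpoint},
		{"jwks_uri", d.JwksURI},
	}
	for _, ep := range endpoints {
		u, err := url.Parse(ep.value)
		switch {
		case ep.value == "" || err != nil:
			problems = append(problems, ep.name+" is missing or unparsable")
		case u.Scheme != "https":
			problems = append(problems, ep.name+" is not served over https")
		case u.Host != issuerURL.Host:
			problems = append(problems, ep.name+" is not on the issuer host "+issuerURL.Host)
		}
	}
	if !contains(d.IDTokenSigningAlgs, "RS256") {
		problems = append(problems, "RS256 is not offered for id_token signing")
	}
	if !contains(d.CodeChallengeMethods, "S256") {
		problems = append(problems, "S256 PKCE is not offered")
	}
	return problems, nil
}

func main() {
	problems, err := ValidateDiscovery([]byte(sampleDiscovery), "https://login.example.com")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(problems) == 0 {
		fmt.Println("discovery document OK")
	}
	for _, p := range problems {
		fmt.Println("problem:", p)
	}
}
```

The sample lists both S256 and plain for PKCE and both HS256 and RS256 for ID-token signing; the check only confirms that the strong options are available, and the application should then configure itself to use exactly those rather than whatever the provider happens to offer first.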

Configuring RSA Algorithm for JWTs

Login 3.0 uses JSON Web Tokens (JWTs) signed with asymmetric keys (RSA). Ensure your application is configured to handle RSA-signed tokens for secure verification.

  1. Contact the UPBOND Team:

    Request RSA key configuration for your application. Specify that the RS256 algorithm should be used for JWT signatures.

  2. Update Your Application:

    Use the public key provided by Login 3.0 to verify tokens signed with the private key.

  3. Testing:

    Validate the token issuance and verification process to ensure secure authentication flows.
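The verification step in practice means: fix the accepted algorithm to RS256 in the application, look the signing key up by kid in the JWKS published at the jwks_uri from the discovery document, verify the signature, and only then trust the claims. The Go program below is an added example (not code from Login 3.0 or UPBOND) that does exactly that using only the standard library. Because it must run offline, it also generates a throwaway RSA key and mints a token with it, standing in for the provider; the issuer https://login.example.com/, the kid k1 and the client id my-client are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments and JWK n/e are unpadded base64url
// JWK is the subset of a JSON Web Key needed for RS256; the provider serves them as {"keys": [...]} at jwks_uri.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// Claims are the ID-token claims this check enforces; aud is treated as a single string here.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// JWKSFromKey builds the key list a provider would publish for one RSA public key.
func JWKSFromKey(kid string, pub *rsa.PublicKey) []JWK {
	return []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}
}

// SignRS256 mints a compact JWT; it stands in for the provider so the verifier runs offline.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the application-side check: pin RS256, select the key by kid, verify, then check claims.
func VerifyIDToken(token string, keys []JWK, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if hdrBytes, err := b64.DecodeString(parts[0]); err != nil {
		return nil, err
	} else if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	// The accepted algorithm is fixed by configuration, never read from the token: this
	// rejects "none" and an HS256 header that would reuse the public key as an HMAC secret.
	if hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg " + hdr.Alg)
	}
	var key *JWK
	for i := range keys {
		if keys[i].Kty == "RSA" && keys[i].Kid == hdr.Kid {
			key = &keys[i]
		}
	}
	if key == nil {
		return nil, errors.New("no RSA key in the JWKS matches the token kid")
	}
	nBytes, errN := b64.DecodeString(key.N)
	eBytes, errE := b64.DecodeString(key.E)
	sig, errS := b64.DecodeString(parts[2])
	if errN != nil || errE != nil || errS != nil {
		return nil, errors.New("invalid base64url in key or signature")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nBytes), E: int(new(big.Int).SetBytes(eBytes).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims // claims are decoded only after the signature has been verified
	if payload, err := b64.DecodeString(parts[1]); err != nil {
		return nil, err
	} else if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.Aud != audience || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("iss, aud or exp claim does not match this client's configuration")
	}
	return &c, nil
}
```

In a deployed client the key list comes from an HTTPS fetch of the jwks_uri, cached and refreshed when a token carries an unknown kid (that is how key rotation works); the discovery document lists HS256 as supported, but an application configured for RS256 must keep rejecting anything else at the alg check above. The OIDC aud claim may also be an array, which this example does not handle.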
