lucy

Reputation: 4506

How to dynamically discover endpoint

I want to implement OpenID Connect in my project. Right now I am hard-coding the discovery URL, for example https://accounts.google.com/.well-known/openid-configuration for Google, and the same for other sources, and then making this call and getting the endpoints for all the respective sources. But I want to make it fully dynamic. I found something on openid.net:

GET /.well-known/webfinger
    ?resource=acct%3Ajoe%40example.com
    &rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer
    HTTP/1.1
  Host: example.com

  HTTP/1.1 200 OK
  Content-Type: application/jrd+json

  {
   "subject": "acct:joe@example.com",
   "links":
    [
     {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://server.example.com"
     }
    ]
  }

How can I make this call? What should I place in resource and rel? I am a beginner in the OAuth process. Could you please help me out?

Upvotes: 0

Views: 379

Answers (2)

Hans Z.

Reputation: 53928

Strictly speaking, Dynamic Registration is not necessarily coupled one-on-one with Discovery, although typically it would be.

As the OP suggests, one can look up the Provider's metadata by applying WebFinger Discovery as described in: http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery

The request and response would look as already presented in the question, i.e.: http://openid.net/specs/openid-connect-discovery-1_0.html#URLSyntax. The RP can parse the "href" value from the response, which would present the "issuer" value (i.e. a unique DNS-bound identifier for the Provider), and then construct the well-known endpoint where the Provider's configuration metadata can be retrieved from, as described here: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

Assuming that the RP already has a client_id/client_secret established with that Provider in a previous out-of-bound step, this may avoid the RP having to store and/or cache the Provider's metadata.

Upvotes: 0

Tom Jones

Reputation: 21

Very few of the major IdPs support dynamic registration. They all seem to want you to register on a web page where you can agree to their terms of use.

mojeid.cz is one I know that does. If you find others I would like to know.

I am coding up a dynamic client now. It's tough. I do plan on posting it on GitHub at some point.   ..tom

Upvotes: 1
