RFC 8414 OAuth 2.0 Authorization Server Metadata
RFC 7517 JSON Web Key (JWK)
Authorization server metadata describes the server configuration and is defined in RFC 8414 Section 2. It provides a generalized metadata format extended from OpenID Connect Discovery 1.0 in a way that is compatible with OpenID Connect Discovery while being applicable to a wider set of OAuth 2.0 use cases.
In addition to the defined JSON elements, metadata values MAY also be provided as a "signed_metadata" value, which is an RFC 7519 JSON Web Token (JWT) that asserts metadata values about the authorization server as a bundle.
A set of claims that can be used in signed metadata is defined in RFC 8414 Section 2. The signed metadata is digitally signed using RFC 7515 JSON Web Signature (JWS) and MUST contain an "iss" (issuer) claim denoting the party attesting to the claims in the signed metadata.
Request and response
The following is a non-normative example request for an authorization server whose issuer identifier is https://server.example.com (the well-known path is inserted directly after the host because this issuer has no path component):
GET /.well-known/oauth-authorization-server HTTP/1.1
Host: server.example.com
The response is a set of claims about the authorization server's configuration, including all necessary endpoints and public key location information. The following is a non-normative example response:
HTTP/1.1 200 OK
Content-Type: application/json
{
  "issuer": "https://server.example.com",
  "authorization_endpoint": "https://server.example.com/authorize",
  "token_endpoint": "https://server.example.com/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "ES256"
  ],
  "userinfo_endpoint": "https://server.example.com/userinfo",
  "jwks_uri": "https://server.example.com/jwks.json",
  "registration_endpoint": "https://server.example.com/register",
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "address",
    "phone",
    "offline_access"
  ],
  "response_types_supported": [
    "code",
    "code token"
  ],
  "service_documentation": "http://server.example.com/service_documentation.html",
  "ui_locales_supported": [
    "en-US",
    "en-GB",
    "en-CA",
    "fr-FR",
    "fr-CA"
  ]
}
Metadata Validation
The "issuer" value returned MUST be identical to the authorization server's issuer identifier value into which the well-known URI string was inserted to create the URL used to retrieve the metadata. If these values are not identical, the data contained in the response MUST NOT be used. The issuer identifier is an https URL with no query or fragment component (RFC 8414 Section 2), so the document is always retrieved over TLS; the issuer comparison is what stops a metadata document served for, or spoofed on behalf of, a different issuer from redirecting the client to foreign endpoints and a foreign jwks_uri.
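The discovery and validation steps above, as an added example that is not part of this page or of RFC 8414's own text: it builds the well-known URL by inserting the path between the host and path components of the issuer identifier (RFC 8414 Section 3; OpenID Connect Discovery appends it instead), then applies the issuer comparison before any endpoint from the document is used. The fetch callback, the constructed SAMPLE_METADATA document and the https check on endpoint URLs are assumptions of the example, not requirements taken from this page.

```python
# Added example (not from the page or from RFC 8414): build the RFC 8414
# well-known URL for an issuer identifier and apply the Section 3.3 issuer
# check to the returned document. SAMPLE_METADATA is constructed input.
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def well_known_url(issuer: str) -> str:
    """RFC 8414 Section 3: the well-known string is inserted between the host
    component and the path component of the issuer identifier (OpenID Connect
    Discovery appends it to the issuer instead)."""
    parts = urlsplit(issuer)
    # RFC 8414 Section 2: the issuer identifier is an https URL with no query
    # or fragment component, so the document is always fetched over TLS.
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer identifier must be an https URL without query or fragment")
    path = parts.path.rstrip("/")  # "" for https://server.example.com
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN + path, "", ""))


def validate_metadata(issuer: str, body: bytes) -> dict:
    """Parse the JSON response and refuse it unless the RFC 8414 Section 3.3
    issuer comparison succeeds. The https check on endpoint URLs is an added
    client-side policy of this example (RFC 6749 requires TLS on these
    endpoints), not a rule stated on the page."""
    doc = json.loads(body)
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: got {doc.get('issuer')!r}, expected {issuer!r}")
    if not isinstance(doc.get("response_types_supported"), list):
        raise ValueError("response_types_supported is REQUIRED")
    for name in ("authorization_endpoint", "token_endpoint", "jwks_uri", "registration_endpoint"):
        url = doc.get(name)
        if url is not None and urlsplit(url).scheme != "https":
            raise ValueError(f"{name} must be an https URL")
    return doc


# Constructed sample document (a trimmed version of the response shown above).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://server.example.com",
    "authorization_endpoint": "https://server.example.com/authorize",
    "token_endpoint": "https://server.example.com/token",
    "jwks_uri": "https://server.example.com/jwks.json",
    "response_types_supported": ["code"],
}).encode()


def discover(issuer: str, fetch) -> dict:
    """fetch(url) -> bytes is supplied by the caller (normally an HTTPS client);
    in the demo below a dict lookup stands in for the network so it runs offline."""
    return validate_metadata(issuer, fetch(well_known_url(issuer)))


if __name__ == "__main__":
    served = {well_known_url("https://server.example.com"): SAMPLE_METADATA}
    meta = discover("https://server.example.com", served.__getitem__)
    print("token_endpoint:", meta["token_endpoint"])
    # The same document presented for a different issuer is rejected even
    # though it parses and every endpoint in it is https.
    try:
        discover("https://evil.example.net", lambda _url: SAMPLE_METADATA)
    except ValueError as exc:
        print("rejected:", exc)
```

For an issuer with a path component, such as https://example.com/issuer1, the function yields https://example.com/.well-known/oauth-authorization-server/issuer1, which is the RFC 8414 form; a client that appends the path instead (the OpenID Connect Discovery convention) will fetch the wrong URL for such issuers.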
API resources
ITU-T Recommendation X.509 (2005) | ISO/IEC 9594-8:2005
Provides the certificate identifying the STS and its public key. Users of the STS public key may require additional confidence that the associated private key is owned by the STS. This confidence can be obtained through inspection of the public key certificate.
RFC 7517 JSON Web Key (JWK)
Provides the JWK Set (RFC 7517) containing the authorization server's public signing key(s), which clients use to validate signatures on tokens and other JWS objects issued by the server. The set may also contain the server's public encryption key(s), which clients use to encrypt requests to the server; when both kinds are published, each JWK carries a "use" parameter ("sig" or "enc"), and a client must select keys by that parameter rather than treating a signing key as an encryption key or vice versa.
RFC 8414 OAuth 2.0 Authorization Server Metadata
Provides a generalized metadata format in a way that is compatible with OpenID Connect Discovery while being applicable to a wider set of OAuth 2.0 use cases.
The response describes a set of claims about the authorization server's configuration and includes all necessary endpoints and public key location information.
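Selecting a key from the JWK Set for signature validation, as an added example that is not code from this page or from RFC 7517: it shows the "use", "key_ops", "kty", "crv" and "kid" filtering that keeps an encryption key, a key of the wrong type, or a symmetric or "none" algorithm from being used to validate a JWS. The JWK Set, its key identifiers and the accepted algorithm list are constructed for the example, and the key material is placeholder text, since the point is key selection rather than signature verification.

```python
# Added example (not from the page): choose the key from an RFC 7517 JWK Set
# that may verify a JWS, honouring "use", "key_ops", "kty", "crv" and "kid" so
# that an encryption key or a wrong-type key is never used for signature
# validation. SAMPLE_JWKS is constructed; its key material is a placeholder.
import json

# Signature algorithms this client accepts, mapped to the key type they need
# (RFC 7518). "none" and the HMAC algorithms are deliberately absent: a JWK Set
# published at jwks_uri holds public keys only, so nothing there can be a
# legitimate HMAC secret.
ACCEPTED_ALGS = {"RS256": "RSA", "PS256": "RSA", "ES256": "EC"}
EC_CURVE_FOR_ALG = {"ES256": "P-256"}


def select_verification_key(jwks: dict, jws_header: dict) -> dict:
    """Return the single JWK that may verify a JWS with this header, or raise."""
    alg = jws_header.get("alg")
    kty = ACCEPTED_ALGS.get(alg)
    if kty is None:
        raise ValueError(f"unsupported or forbidden alg {alg!r}")
    kid = jws_header.get("kid")
    candidates = []
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != kty:
            continue
        # A key published for encryption ("enc") must never validate signatures.
        # A key with no "use" is treated as a signing key here; tighten this to
        # require use == "sig" if the server always sets it.
        if jwk.get("use", "sig") != "sig":
            continue
        if "key_ops" in jwk and "verify" not in jwk["key_ops"]:
            continue
        # If the key pins an algorithm it must match the header.
        if "alg" in jwk and jwk["alg"] != alg:
            continue
        if kty == "EC" and jwk.get("crv") != EC_CURVE_FOR_ALG[alg]:
            continue
        if kid is not None and jwk.get("kid") != kid:
            continue
        candidates.append(jwk)
    # Without a kid, accept only an unambiguous match; trying each of several
    # keys in turn widens the attack surface for key-confusion tricks.
    if len(candidates) != 1:
        raise ValueError(f"{len(candidates)} candidate keys for alg={alg!r} kid={kid!r}")
    return candidates[0]


# Constructed JWK Set: one RSA signing key, one RSA encryption key and one EC
# signing key. "n", "e", "x" and "y" are placeholders, not real key material.
SAMPLE_JWKS = json.loads("""
{
  "keys": [
    {"kty": "RSA", "use": "sig", "kid": "sig-2024", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "kid": "enc-2024",
     "n": "placeholder-modulus", "e": "AQAB"},
    {"kty": "EC", "use": "sig", "kid": "ec-2024", "crv": "P-256",
     "x": "placeholder-x", "y": "placeholder-y"}
  ]
}
""")


if __name__ == "__main__":
    header = {"alg": "RS256", "kid": "sig-2024"}
    print("selected:", select_verification_key(SAMPLE_JWKS, header)["kid"])
    for bad in ({"alg": "RS256", "kid": "enc-2024"},   # encryption key
                {"alg": "HS256", "kid": "sig-2024"},   # symmetric alg against a public key
                {"alg": "none"}):                      # unsigned JWS
        try:
            select_verification_key(SAMPLE_JWKS, bad)
        except ValueError as exc:
            print("rejected:", bad, "->", exc)
```

The selected JWK is then handed to a JWS library for the actual verification; the point of doing the selection first, outside that library, is that the choice of key and algorithm is driven by the client's allow-list and the key's own "use" and "kty", never by the header alone.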