Discovery Endpoint

The Discovery (/.well-known/openid-configuration) endpoint is a well-known location where client applications can automatically obtain configuration details about an OpenID Provider.

Instead of manually configuring endpoints and supported features, a client retrieves them from a single JSON document.

URI

https://idp.contoso.com/dppassivests/.well-known/openid-configuration

The JSON document contains metadata such as:

  • Issuer Identifier — the unique URL that identifies the provider

  • JWKS URI — where public keys are published for validating signatures

  • Authorization Endpoint — where the user is redirected to authenticate

  • Token Endpoint — where the client exchanges authorization codes or refresh tokens for tokens

  • User Info Endpoint — where claims about the user can be retrieved

  • End Session Endpoint — where logout requests are sent

  • Supported Scopes, Claims, Grant Types, Response Types, and Algorithms

Discovery Request

Sample request

GET /dppassivests/.well-known/openid-configuration HTTP/1.1
Host: idp.contoso.com

Discovery Response

Sample response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer": "https://idp.contoso.com/dppassivests",
  "jwks_uri": "https://idp.contoso.com/dppassivests/.well-known/jwks",
  "authorization_endpoint": "https://idp.contoso.com/dppassivests/connect/authorize",
  "token_endpoint": "https://idp.contoso.com/dppassivests/connect/token",
  "userinfo_endpoint": "https://idp.contoso.com/dppassivests/connect/userinfo",
  "end_session_endpoint": "https://idp.contoso.com/dppassivests/connect/endsession",
  "check_session_iframe": "https://idp.contoso.com/dppassivests/connect/checksession",
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "phone",
    "address",
    "dp"
  ],
  "claims_supported": [
    "sub",
    "name",
    "family_name",
    "given_name",
    "middle_name",
    "nickname",
    "preferred_username",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "updated_at",
    "email",
    "email_verified",
    "phone_number",
    "phone_number_verified",
    "address",
    "ad_guid",
    "apr",
    "dom",
    "group",
    "sid",
    "upn",
    "wan",
    "uid",
    "crd",
    "role"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ]
}
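
Because a client takes its endpoints, key location and algorithms from this one document, it should check the document before using it. The sketch below is an added example, not part of the original documentation or the product's code: it checks a fetched document against the URL it came from. Assumptions: the function name validate_discovery, the RS256-only allow-list, and the same-host rule are illustrative local policy; only the exact issuer match comes from OpenID Connect Discovery 1.0.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# The provider described on this page publishes all five of these.
ENDPOINT_KEYS = ("jwks_uri", "authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "end_session_endpoint")

# Constructed sample: a subset of the fields in the sample response above.
BASE = "https://idp.contoso.com/dppassivests"
SAMPLE_DOC = {
    "issuer": BASE,
    "jwks_uri": BASE + "/.well-known/jwks",
    "authorization_endpoint": BASE + "/connect/authorize",
    "token_endpoint": BASE + "/connect/token",
    "userinfo_endpoint": BASE + "/connect/userinfo",
    "end_session_endpoint": BASE + "/connect/endsession",
    "id_token_signing_alg_values_supported": ["RS256"],
}


def validate_discovery(discovery_url, doc, allowed_algs=("RS256",)):
    """Return a list of problems found; an empty list means the document passed."""
    if not discovery_url.endswith(WELL_KNOWN):
        return [f"discovery URL must end with {WELL_KNOWN}"]
    expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    expected = urlsplit(expected_issuer)
    problems = []
    if expected.scheme != "https":
        problems.append("discovery URL is not https")
    # Discovery 1.0: issuer must be identical to the URL prefix used to fetch
    # the document (exact string comparison, no normalisation).
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer does not match the discovery URL prefix")
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if not isinstance(value, str):
            problems.append(f"{key} is missing or not a string")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{key} is not https")
        # Assumed local policy, not a spec rule: endpoints stay on the issuer's host.
        elif parts.netloc.lower() != expected.netloc.lower():
            problems.append(f"{key} points at a different host")
    # Reject anything outside the allow-list, including the unsigned "none".
    algs = doc.get("id_token_signing_alg_values_supported") or []
    extra = sorted(set(algs) - set(allowed_algs))
    if not algs or extra:
        problems.append(f"unexpected signing algorithms: {extra or 'none advertised'}")
    return problems
```

Run it once when the client loads the configuration and again whenever the cached document is refreshed, and refuse to start the sign-in flow if the list is not empty.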