> For the complete documentation index, see [llms.txt](https://docs.corppass.gov.sg/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-fapi-2.0/integration-guide/0.-well-known-endpoints/openid-discovery-endpoint.md).

# OpenID Discovery Endpoint

The **OpenID Discovery Endpoint** provides essential metadata about OpenID Provider (OP) - in this case, Corppass - configuration. This JSON document allows Relying Parties (RPs) to dynamically configure their interactions, ensuring they always use the correct endpoints, cryptographic algorithms, and supported features.

## Request

```http
GET /.well-known/openid-configuration
```

## Response

The response is a JSON object containing the OpenID Provider (OP) metadata.

{% hint style="info" %}
**Performance Note: Caching**

Responses from the OpenID Discovery Endpoint should be cached for at least 1 hour to minimize repeated requests during OIDC / OAuth2 operations.
{% endhint %}

<table data-full-width="true"><thead><tr><th width="443.17578125">Field</th><th width="101.09375">Type</th><th>Description</th></tr></thead><tbody><tr><td><code>issuer</code></td><td>String</td><td>The URL identifying the OpenID Provider (OP) as the issuer of tokens. Defined in <a href="https://tools.ietf.org/html/rfc7519#section-4.1.1">RFC 7519, Section 4.1.1</a>.</td></tr><tr><td><code>jwks_uri</code></td><td>String</td><td>The URL of the OP's JSON Web Key Set (JWKS) endpoint. Clients use this endpoint to retrieve public keys for validating token signatures. Refer to <a href="https://tools.ietf.org/html/rfc7517#section-4">RFC 7517, Section 4</a>.</td></tr><tr><td><code>scopes_supported</code></td><td>Array</td><td>JSON array listing the OAuth 2.0 <code>scope</code> values that the OP supports, such as <code>openid</code>, which is mandatory for OpenID Connect flows.</td></tr><tr><td><code>claims_supported</code></td><td>Array</td><td>JSON array containing a list of Claim Names the OP may supply in tokens or the UserInfo response. Defined in <a href="https://openid.net/specs/openid-connect-core-1_0.html#Claims">OpenID Connect Core 1.0, Section 5.1</a>.</td></tr><tr><td><code>claim_types_supported</code></td><td>Array</td><td>JSON array listing the Claim Types supported by the OP, such as <code>normal</code>, <code>aggregated</code>, or <code>distributed</code>. Defined in <a href="https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests">OpenID Connect Core 1.0, Section 5.6</a>.</td></tr><tr><td><code>claims_parameter_supported</code></td><td>Boolean</td><td>Boolean value indicating whether the OP supports the <code>claims</code> parameter to request specific claims. If omitted, the default value is <code>false</code>. Refer to <a href="https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests">OpenID Connect Core 1.0, Section 5.5</a>.</td></tr><tr><td><code>subject_types_supported</code></td><td>Array</td><td>JSON array containing a list of Subject Identifier types that the OP supports, such as <code>public</code> or <code>pairwise</code>. Refer to <a href="https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes">OpenID Connect Core 1.0, Section 8</a>.</td></tr><tr><td><code>code_challenge_methods_supported</code></td><td>Array</td><td>JSON array listing the Proof Key for Code Exchange (PKCE) <code>code_challenge</code> methods supported by the OP, such as <code>S256</code>. Defined in <a href="https://tools.ietf.org/html/rfc7636#section-4.3">RFC 7636, Section 4.3</a>.</td></tr><tr><td><code>grant_types_supported</code></td><td>Array</td><td>JSON array listing the OAuth 2.0 <code>grant_type</code> values supported by the OP, such as <code>authorization_code</code> or <code>refresh_token</code>. Refer to RFC 6749, Section 4.</td></tr><tr><td><code>request_parameter_supported</code></td><td>Boolean</td><td>Boolean indicating whether the OP supports the <code>request</code> parameter for JWT-based requests. Default is <code>false</code> if omitted.</td></tr><tr><td><code>request_uri_parameter_supported</code></td><td>Boolean</td><td>Boolean indicating whether the OP supports the <code>request_uri</code> parameter. Default is <code>true</code> if omitted.</td></tr><tr><td><code>response_types_supported</code></td><td>Array</td><td>JSON array containing a list of OAuth 2.0 <code>response_type</code> values that the OP supports. Defined in OAuth 2.0 Multiple Response Type Encoding Practices.</td></tr><tr><td><code>response_modes_supported</code></td><td>Array</td><td>JSON array listing OAuth 2.0 <code>response_mode</code> values supported by the OP, such as <code>query</code> or <code>fragment</code>. Defined in OAuth 2.0 Multiple Response Type Encoding Practices.</td></tr><tr><td><code>authorization_endpoint</code></td><td>String</td><td>The URL of the OP's OAuth 2.0 Authorization Endpoint, where users authenticate and provide consent. Refer to <a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint">OpenID Connect Core 1.0, Section 3.1.2</a>.</td></tr><tr><td><code>authorization_response_iss_parameter_supported</code></td><td>Boolean</td><td>Boolean indicating whether the OP includes the <code>iss</code> parameter in the authorization response. This is set to <code>true</code>. If you are using an OpenID/OAuth2 client, this instructs the library to expect and validate the <code>iss</code> parameter in the authorization responses.</td></tr><tr><td><code>token_endpoint</code></td><td>String</td><td>The URL of the OP's OAuth 2.0 Token Endpoint. Clients exchange an authorization code for tokens at this endpoint.</td></tr><tr><td><code>token_endpoint_auth_methods_supported</code></td><td>Array</td><td>JSON array listing the client authentication methods supported by the Token Endpoint, such as <code>private_key_jwt</code>. Refer to <a href="https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication">OpenID Connect Core 1.0, Section 9</a>.</td></tr><tr><td><code>token_endpoint_auth_signing_alg_values_supported</code></td><td>Array</td><td>JSON array listing the JWS signing algorithms (<code>alg</code> values) supported by the Token Endpoint for JWT authentication. Refer to <a href="https://tools.ietf.org/html/rfc7518#section-3.1">RFC 7518, Section 3.1</a>.</td></tr><tr><td><code>id_token_signing_alg_values_supported</code></td><td>Array</td><td>JSON array listing the JWS signing algorithms (<code>alg</code> values) supported by the OP for signing ID Tokens. Defined in <a href="https://tools.ietf.org/html/rfc7518#section-3.1">RFC 7518, Section 3.1</a>.</td></tr><tr><td><code>id_token_encryption_alg_values_supported</code></td><td>Array</td><td>JSON array listing the JWE encryption algorithms (<code>alg</code> values) supported by the OP for encrypting ID Tokens. Defined in <a href="https://tools.ietf.org/html/rfc7516#section-4.1.1">RFC 7516, Section 4.1.1</a>.</td></tr><tr><td><code>id_token_encryption_enc_values_supported</code></td><td>Array</td><td>JSON array listing the JWE encryption algorithms (<code>enc</code> values) supported by the OP for encrypting ID Tokens. Defined in <a href="https://tools.ietf.org/html/rfc7516#section-4.1.2">RFC 7516, Section 4.1.2</a>.</td></tr><tr><td><code>userinfo_endpoint</code></td><td>String</td><td>The URL of the OP's UserInfo Endpoint, used to retrieve claims about the authenticated user. Defined in <a href="https://openid.net/specs/openid-connect-core-1_0.html#UserInfo">OpenID Connect Core 1.0, Section 5.3</a>.</td></tr><tr><td><code>userinfo_signing_alg_values_supported</code></td><td>Array</td><td>JSON array listing JWS signing algorithms (<code>alg</code> values) supported by the UserInfo Endpoint for encoding claims in a JWT. Defined in <a href="https://tools.ietf.org/html/rfc7515#section-4">RFC 7515, Section 4</a>.</td></tr><tr><td><code>userinfo_encryption_alg_values_supported</code></td><td>Array</td><td>JSON array listing JWE encryption algorithms (<code>alg</code> values) supported by the UserInfo Endpoint for encrypting claims in a JWT. Defined in <a href="https://tools.ietf.org/html/rfc7516#section-4.1.1">RFC 7516, Section 4.1.1</a>.</td></tr><tr><td><code>userinfo_encryption_enc_values_supported</code></td><td>Array</td><td>JSON array listing JWE encryption algorithms (<code>enc</code> values) supported by the UserInfo Endpoint for encrypting claims in a JWT. Defined in <a href="https://tools.ietf.org/html/rfc7516#section-4.1.2">RFC 7516, Section 4.1.2</a>.</td></tr><tr><td><code>userinfo_signing_alg_values_supported</code></td><td>Array</td><td>JSON array listing JWS signing algorithms (<code>alg</code> values) supported by the UserInfo Endpoint for encoding claims in a JWT. Defined in <a href="https://tools.ietf.org/html/rfc7515#section-4">RFC 7515, Section 4</a>.</td></tr></tbody></table>

### Sample Response

```http
HTTP/2 200
content-type: application/json; charset=utf-8
content-length: 1667  

{
  "name": "corppass",
  "issuer": "https://id.corppass.gov.sg",
  "jwks_uri": "https://id.corppass.gov.sg/.well-known/keys",
  "scopes_supported": [...],
  "claims_supported": [...],
  "claim_types_supported": [...],
  "claims_parameter_supported": false,
  "subject_types_supported": [...],
  "code_challenge_methods_supported": [...],
  "grant_types_supported": [...],
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "response_types_supported": [...],
  "response_modes_supported": [...],
  "pushed_authorization_request_endpoint": "https://id.corppass.gov.sg/request",
  "authorization_endpoint": "https://id.corppass.gov.sg/mga/sps/oauth/oauth20/authorize",
  "authorization_response_iss_parameter_supported": true,
  "token_endpoint": "https://id.corppass.gov.sg/mga/sps/oauth/oauth20/token",
  "token_endpoint_auth_methods_supported": [...],
  "token_endpoint_auth_signing_alg_values_supported": [...],
  "id_token_signing_alg_values_supported": [...],
  "id_token_encryption_alg_values_supported": [...],
  "id_token_encryption_enc_values_supported": [...],
  "userinfo_endpoint": "https://id.corppass.gov.sg/userinfo",
  "userinfo_signing_alg_values_supported": [...],
  "userinfo_encryption_alg_values_supported": [...],
  "userinfo_encryption_enc_values_supported": [...]
}
```
