OpenID Discovery Endpoint

GET /.well-known/openid-configuration

The OpenID Discovery Endpoint provides essential metadata about the OpenID Provider (OP) configuration. This metadata allows Relying Parties (RPs) to dynamically configure their interactions with the OP.

Responses from the OpenID Discovery Endpoint should be cached for at least 1 hour to minimize repeated requests during OIDC/OAuth2 operations.

Response

Response Example

HTTP/2 200
content-type: application/json; charset=utf-8
content-length: 1667

{
  "authorization_endpoint": "https://stg-id.corppass.gov.sg/mga/sps/oauth/oauth20/authorize",
  "claims_parameter_supported": false,
  "claims_supported": [
    "nonce",
    "aud",
    "iss",
    "sub",
    "exp",
    "iat",
    "userInfo",
    "entityInfo",
    "AuthInfo",
    "TPAuthInfo",
    "rt_hash",
    "at_hash",
    "amr",
    "email",
    "email_verified",
    "sid",
    "auth_time",
    "EntityInfo"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "grant_types_supported": [
    "authorization_code"
  ],
  "issuer": "https://stg-id.corppass.gov.sg",
  "jwks_uri": "https://stg-id.corppass.gov.sg/.well-known/keys",
  "authorization_response_iss_parameter_supported": false,
  "response_modes_supported": [
    "form_post",
    "fragment",
    "query"
  ],
  "response_types_supported": [
    "code"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "ES256",
    "ES256K",
    "ES384",
    "ES512"
  ],
  "token_endpoint": "https://stg-id.corppass.gov.sg/mga/sps/oauth/oauth20/token",
  "id_token_signing_alg_values_supported": [
    "ES256"
  ],
  "id_token_encryption_alg_values_supported": [
    "ECDH-ES+A128KW",
    "ECDH-ES+A192KW",
    "ECDH-ES+A256KW"
  ],
  "id_token_encryption_enc_values_supported": [
    "A256CBC-HS512"
  ],
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "https://stg-id.corppass.gov.sg/authorization-info",
  "userinfo_signing_alg_values_supported": [
    "ES256"
  ],
  "userinfo_encryption_alg_values_supported": [
    "A128KW",
    "A256KW",
    "ECDH-ES",
    "RSA-OAEP",
    "RSA-OAEP-256",
    "dir"
  ],
  "userinfo_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A128GCM",
    "A256CBC-HS512",
    "A256GCM"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "name": "corppass",
  "authorization-info_endpoint": "https://stg-id.corppass.gov.sg/authorization-info"
}

Response Fields

Field | Type | Description
issuer | String | The URL identifying the OpenID Provider (OP) as the issuer of tokens. This value must match the iss claim of the ID Tokens the OP issues. Defined in RFC 7519, Section 4.1.1.
authorization_endpoint | String | The URL of the OP's OAuth 2.0 Authorization Endpoint, where users authenticate and provide consent. Refer to OpenID Connect Core 1.0, Section 3.1.2.
jwks_uri | String | The URL of the OP's JSON Web Key Set (JWKS) endpoint. Clients use this endpoint to retrieve the public keys for validating token signatures. Refer to RFC 7517, Section 4.
response_types_supported | Array | JSON array containing the OAuth 2.0 response_type values that the OP supports. Defined in OAuth 2.0 Multiple Response Type Encoding Practices.
scopes_supported | Array | JSON array listing the OAuth 2.0 scope values that the OP supports, such as openid, which is mandatory for OpenID Connect flows.
subject_types_supported | Array | JSON array containing the Subject Identifier types that the OP supports, such as public or pairwise. Refer to OpenID Connect Core 1.0, Section 8.
claims_supported | Array | JSON array containing the Claim Names the OP may supply in tokens or in the UserInfo response. Defined in OpenID Connect Core 1.0, Section 5.1.
grant_types_supported | Array | JSON array listing the OAuth 2.0 grant_type values supported by the OP, such as authorization_code or refresh_token. Refer to RFC 6749, Section 4.
token_endpoint | String | The URL of the OP's OAuth 2.0 Token Endpoint. Clients exchange an authorization code for tokens at this endpoint.
token_endpoint_auth_methods_supported | Array | JSON array listing the client authentication methods supported by the Token Endpoint, such as private_key_jwt. Refer to OpenID Connect Core 1.0, Section 9.
token_endpoint_auth_signing_alg_values_supported | Array | JSON array listing the JWS signing algorithms (alg values) the Token Endpoint accepts for the JWT used in client authentication. Refer to RFC 7518, Section 3.1.
id_token_signing_alg_values_supported | Array | JSON array listing the JWS signing algorithms (alg values) the OP uses to sign ID Tokens. Defined in RFC 7518, Section 3.1.
id_token_encryption_alg_values_supported | Array | JSON array listing the JWE key management algorithms (alg values) the OP supports for encrypting ID Tokens. Defined in RFC 7516, Section 4.1.1.
id_token_encryption_enc_values_supported | Array | JSON array listing the JWE content encryption algorithms (enc values) the OP supports for encrypting ID Tokens. Defined in RFC 7516, Section 4.1.2.
authorization-info_endpoint | String | The URL of the OP's Authorization Info Endpoint, used to retrieve the user's authorization and third-party authorization details.
claims_parameter_supported | Boolean | Indicates whether the OP supports the claims request parameter for requesting specific claims. If omitted, the default value is false. Refer to OpenID Connect Core 1.0, Section 5.5.
code_challenge_methods_supported | Array | JSON array listing the Proof Key for Code Exchange (PKCE) code_challenge methods supported by the OP, such as S256. Defined in RFC 7636, Section 4.3.
authorization_response_iss_parameter_supported | Boolean | Indicates whether the OP includes the iss parameter in the authorization response. If omitted, the default value is false.
response_modes_supported | Array | JSON array listing the OAuth 2.0 response_mode values supported by the OP, such as query or fragment. Defined in OAuth 2.0 Multiple Response Type Encoding Practices.
request_parameter_supported | Boolean | Indicates whether the OP supports the request parameter (a JWT-encoded authorization request passed by value). If omitted, the default value is false.
request_uri_parameter_supported | Boolean | Indicates whether the OP supports the request_uri parameter (a JWT-encoded authorization request passed by reference). If omitted, the default value is true.
claim_types_supported | Array | JSON array listing the Claim Types supported by the OP, such as normal, aggregated, or distributed. Defined in OpenID Connect Core 1.0, Section 5.6.
userinfo_endpoint | String | The URL of the OP's UserInfo Endpoint, used to retrieve claims about the authenticated user. Defined in OpenID Connect Core 1.0, Section 5.3.
userinfo_signing_alg_values_supported | Array | JSON array listing the JWS signing algorithms (alg values) the UserInfo Endpoint supports for returning claims as a signed JWT. Defined in RFC 7515, Section 4.
userinfo_encryption_alg_values_supported | Array | JSON array listing the JWE key management algorithms (alg values) the UserInfo Endpoint supports for returning claims as an encrypted JWT. Defined in RFC 7516, Section 4.1.1.
userinfo_encryption_enc_values_supported | Array | JSON array listing the JWE content encryption algorithms (enc values) the UserInfo Endpoint supports for returning claims as an encrypted JWT. Defined in RFC 7516, Section 4.1.2.

The userinfo_endpoint in OIDC is analogous to the authorization-info_endpoint in the Corppass Authorization system, which provides the same functionality: detailed information about the authenticated user after a successful login. In the response above both fields point to the same URL, https://stg-id.corppass.gov.sg/authorization-info.
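The following is an added example of how a Relying Party can consume the discovery document above; it is not Corppass's own code. It embeds a trimmed copy of the response shown on this page so that it runs offline, validates the metadata before trusting it (the issuer must equal the URL the document was fetched from, every endpoint must be HTTPS on the issuer's host, and the flow the RP implements must actually be advertised), derives the client settings the document dictates (PKCE with S256, private_key_jwt client authentication, ES256 for ID tokens, the spec defaults for omitted booleans), and caches the result for the one hour the page recommends. The class and function names, the injected fetcher, and the fake clock are assumptions made for this example.

```python
"""Validate an OpenID Provider discovery document and derive RP settings.

Added example, not Corppass's own code. The JSON below is a trimmed copy of
the discovery response shown on the page, embedded so this runs offline.
"""
import json
import time
from urllib.parse import urlparse

# Trimmed copy of the page's discovery response (only the fields used here).
DISCOVERY_JSON = """{
  "issuer": "https://stg-id.corppass.gov.sg",
  "authorization_endpoint": "https://stg-id.corppass.gov.sg/mga/sps/oauth/oauth20/authorize",
  "token_endpoint": "https://stg-id.corppass.gov.sg/mga/sps/oauth/oauth20/token",
  "jwks_uri": "https://stg-id.corppass.gov.sg/.well-known/keys",
  "userinfo_endpoint": "https://stg-id.corppass.gov.sg/authorization-info",
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code"],
  "code_challenge_methods_supported": ["S256"],
  "token_endpoint_auth_methods_supported": ["private_key_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["ES256", "ES256K", "ES384", "ES512"],
  "id_token_signing_alg_values_supported": ["ES256"],
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "authorization_response_iss_parameter_supported": false
}"""

EXPECTED_ISSUER = "https://stg-id.corppass.gov.sg"   # the URL we discover from
CACHE_TTL_SECONDS = 3600                              # page: cache at least 1 hour
REQUIRED_URL_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


class DiscoveryError(ValueError):
    """Raised when the metadata must not be trusted."""


def parse_discovery(text: str) -> dict:
    return json.loads(text)


def _same_https_origin(url, issuer) -> bool:
    u, i = urlparse(url), urlparse(issuer)
    return u.scheme == "https" and u.netloc == i.netloc


def validate_discovery(doc: dict, expected_issuer: str) -> dict:
    """Check the document before trusting it, then derive the RP's settings."""
    # 1. issuer must exactly equal the URL the document was discovered from.
    if doc.get("issuer") != expected_issuer:
        raise DiscoveryError("issuer mismatch: %r" % doc.get("issuer"))
    # 2. Every endpoint we will talk to must be HTTPS on the issuer's host, so a
    #    tampered document cannot send codes or key lookups to another host.
    for field in REQUIRED_URL_FIELDS:
        url = doc.get(field)
        if not isinstance(url, str) or not _same_https_origin(url, expected_issuer):
            raise DiscoveryError("%s missing or off the issuer origin: %r" % (field, url))
    # 3. The flow this RP implements must be advertised by the OP.
    checks = (
        ("response_types_supported", "code"),
        ("grant_types_supported", "authorization_code"),
        ("code_challenge_methods_supported", "S256"),
        ("token_endpoint_auth_methods_supported", "private_key_jwt"),
    )
    for field, value in checks:
        if value not in doc.get(field, []):
            raise DiscoveryError("%s does not include %s" % (field, value))
    # Pin what the RP will use; the ID token verifier later rejects any other alg.
    return {
        "issuer": doc["issuer"],
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "jwks_uri": doc["jwks_uri"],
        "code_challenge_method": "S256",
        "token_endpoint_auth_method": "private_key_jwt",
        "client_assertion_alg": doc["token_endpoint_auth_signing_alg_values_supported"][0],
        "id_token_algs": list(doc["id_token_signing_alg_values_supported"]),
        # Defaults OIDC Discovery applies when these booleans are omitted.
        "request_parameter_supported": doc.get("request_parameter_supported", False),
        "request_uri_parameter_supported": doc.get("request_uri_parameter_supported", True),
        "iss_in_auth_response": doc.get("authorization_response_iss_parameter_supported", False),
    }


class DiscoveryCache:
    """Holds a validated config for ttl seconds; the fetcher and clock are
    injected (assumed design) so the example runs offline and is testable."""

    def __init__(self, expected_issuer, fetch, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self.expected_issuer, self.fetch, self.ttl, self.clock = expected_issuer, fetch, ttl, clock
        self._config, self._expires_at, self.fetch_count = None, 0.0, 0

    def get(self) -> dict:
        now = self.clock()
        if self._config is None or now >= self._expires_at:
            self._config = validate_discovery(parse_discovery(self.fetch()), self.expected_issuer)
            self._expires_at = now + self.ttl
            self.fetch_count += 1
        return self._config


def offline_fetch() -> str:
    """Stands in for GET /.well-known/openid-configuration."""
    return DISCOVERY_JSON


if __name__ == "__main__":
    print(json.dumps(DiscoveryCache(EXPECTED_ISSUER, offline_fetch).get(), indent=2))
```

In production, offline_fetch would be replaced by an HTTPS GET of the issuer's /.well-known/openid-configuration; everything else stays the same, and a document whose issuer or endpoints do not match the expected origin is rejected before any token exchange happens.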
