Discover OpenID Connect endpoints of WSO2 Identity Server
When you build OpenID Connect login in your application using WSO2 Identity Server as your identity provider, you need to get the OpenID Connect endpoints and configurations from WSO2 Identity Server.
You can do this by invoking the discovery endpoint API or by using the WSO2 Identity Server Console as explained below.
Prerequisite
To get started, you need to have an application registered in WSO2 Identity Server:
- Register a single-page app with OIDC.
- Register a web app with OIDC.
Use the discovery endpoint
OpenID Connect Discovery allows you to discover the metadata such as endpoints, scopes, response types, claims, and supported client authentication methods of identity providers such as WSO2 Identity Server.
Applications can dynamically discover the OpenID Connect identity provider metadata by calling the OpenID Connect discovery endpoint. The structure of the request URL is as follows: <issuer>/.well-known/openid-configuration.

Issuer of WSO2 Identity Server: https://localhost:9443/oauth2/token

Discovery endpoint of WSO2 Identity Server: https://localhost:9443/oauth2/token/.well-known/openid-configuration
Sample request

cURL:

```bash
curl --location --request GET 'https://localhost:9443/oauth2/token/.well-known/openid-configuration'
```

JavaScript (jQuery):

```javascript
var settings = {
  "url": "https://localhost:9443/oauth2/token/.well-known/openid-configuration",
  "method": "GET",
  "timeout": 0,
};

$.ajax(settings).done(function (response) {
  console.log(response);
});
```

JavaScript (axios):

```javascript
var axios = require('axios');

var config = {
  method: 'get',
  url: 'https://localhost:9443/oauth2/token/.well-known/openid-configuration',
  headers: {}
};

axios(config)
  .then(function (response) {
    console.log(JSON.stringify(response.data));
  })
  .catch(function (error) {
    console.log(error);
  });
```
Sample response

```json
{
  "introspection_endpoint": "https://localhost:9443/oauth2/introspect",
  "end_session_endpoint": "https://localhost:9443/oidc/logout",
  "registration_endpoint": "https://localhost:9443/api/identity/oauth2/dcr/v1.0/register",
  "token_endpoint": "https://localhost:9443/oauth2/token",
  "jwks_uri": "https://localhost:9443/oauth2/jwks",
  "revocation_endpoint": "https://localhost:9443/oauth2/revoke",
  "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
  "issuer": "https://localhost:9443/oauth2/token"
}
```
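An application should not simply trust whatever the discovery document returns: the issuer value must match the issuer the application was configured with, and the endpoints it will send credentials and tokens to should be HTTPS. The following added example (not part of the WSO2 documentation or product code) builds the discovery URL from the issuer as described above and validates the sample response shown on this page before handing the endpoints to the rest of the application; the same-host rule it applies is an assumption suited to a single-server deployment like the one on this page.

```python
import json
from urllib.parse import urlparse

# Constructed input: the sample discovery document shown on this page.
SAMPLE_DISCOVERY = json.loads("""{
  "introspection_endpoint": "https://localhost:9443/oauth2/introspect",
  "end_session_endpoint": "https://localhost:9443/oidc/logout",
  "registration_endpoint": "https://localhost:9443/api/identity/oauth2/dcr/v1.0/register",
  "token_endpoint": "https://localhost:9443/oauth2/token",
  "jwks_uri": "https://localhost:9443/oauth2/jwks",
  "revocation_endpoint": "https://localhost:9443/oauth2/revoke",
  "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
  "issuer": "https://localhost:9443/oauth2/token"
}""")

# Endpoints a code-flow client needs before it can log anyone in.
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Append the well-known path to the issuer. The issuer keeps its own
    path (for WSO2 Identity Server that is /oauth2/token), so the path is
    appended, not replaced."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(doc: dict, expected_issuer: str) -> dict:
    """Return the required endpoints from a discovery document, or raise
    ValueError if the document does not belong to the expected issuer or
    advertises an endpoint the application should not talk to."""
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    issuer_host = urlparse(expected_issuer).netloc
    endpoints = {}
    for key in REQUIRED:
        value = doc.get(key)
        if not value:
            raise ValueError(f"discovery document lacks {key}")
        parsed = urlparse(value)
        # Assumed policy: every endpoint must be HTTPS and on the issuer's host.
        if parsed.scheme != "https" or parsed.netloc != issuer_host:
            raise ValueError(f"{key} is not an HTTPS URL on {issuer_host}: {value}")
        endpoints[key] = value
    return endpoints


if __name__ == "__main__":
    issuer = "https://localhost:9443/oauth2/token"
    print(discovery_url(issuer))
    print(validate_discovery(SAMPLE_DISCOVERY, issuer))
```

To use it against a live server, fetch the URL returned by discovery_url, parse the JSON body, and pass the result to validate_discovery with the issuer from your configuration.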
Get endpoints from the console
Some applications and SDKs are not capable of dynamically resolving endpoints from OpenID Connect discovery. For such applications, you need to configure endpoints manually.
You can get the endpoints from the console as follows:
1. On the WSO2 Identity Server Console, go to Applications.
2. Select an OIDC application from the list.
3. Go to the Info tab of the application and find the server endpoints for your organization.
What's next?
Explore how OpenID Connect endpoints are used when you implement login to your applications:
- Implement login for single-page applications using the authorization code flow with PKCE.
- Implement login for traditional web applications using the authorization code flow.