OIDC discovery document

OpenID Connect supports a discovery protocol. The discovery document contains information, such as token and public key details, that you can use to configure your apps and authenticate users.

Calling the endpoint

You can obtain the discovery document and the information that it contains by calling the .well-known endpoint.

Where can I find the endpoint?

You can find the endpoint at the following URL:

https://<region>.appid.cloud.ibm.com/oauth/v4/<tenantID>/.well-known/openid-configuration

Learn more about the available regions.

How do I call the endpoint?

To call the endpoint, you must have a valid tenant ID and you must hardcode the discovery document URI into your application code.

Check out the following sample cURL request:

curl -X GET "https://<region>.appid.cloud.ibm.com/oauth/v4/<tenantID>/.well-known/openid-configuration" -H "accept: application/json"

What can I expect the call to return?

The response that is returned looks similar to the following example:

{
  "issuer": "https://us-south.appid.cloud.ibm.com/oauth/v4/39a37f57-a227-4bfe-a044-93b6e6060b61",
  "authorization_endpoint": "https://us-south.appid.cloud.ibm.com/oauth/v4/39a37f57-a227-4bfe-a044-93b6e6060b61/authorization",
  "token_endpoint": "https://us-south.appid.cloud.ibm.com/oauth/v4/39a37f57-a227-4bfe-a044-93b6e6060b61/token",
  "jwks_uri": "https://us-south.appid.cloud.ibm.com/oauth/v4/39a37f57-a227-4bfe-a044-93b6e6060b61/publickeys",
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "userinfo_endpoint": "https://us-south.appid.cloud.ibm.com/oauth/v4/39a37f57-a227-4bfe-a044-93b6e6060b61/userinfo",
  "scopes_supported": [
    "openid"
  ],
  "response_types_supported": [
    "code"
  ],
  "claims_supported": [
    "iss",
    "aud",
    "exp",
    "tenant",
    "iat",
    "sub",
    "nonce",
    "amr",
    "oauth_client"
  ],
  "grant_types_supported": [
    "authorization_code",
    "password",
    "refresh_token",
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "profiles_endpoint": "https://us-south.appid.cloud.ibm.com",
  "management_endpoint": "https://us-south.appid.cloud.ibm.com/management/v4/39a37f57-a227-4bfe-a044-93b6e6060b61",
  "service_documentation": "https://cloud.ibm.com/docs/appid?topic=appid-getting-started"
}

Table 1. The descriptions of components

| Component | Description |
|---|---|
| issuer | The location of the OIDC provider. |
| authorization_endpoint | The URL of the App ID OAuth 2.0 authorization endpoint. |
| token_endpoint | The URL of the App ID OAuth 2.0 token endpoint. |
| jwks_uri | The URL of the App ID web key set document. |
| subject_types_supported | A JSON array that contains a list of the subject identifier types that App ID supports. |
| id_token_signing_alg_values_supported | A JSON array that contains a list of the JWS signing algorithms that the App ID server supports. |
| userinfo_endpoint | The URL of the App ID /userinfo endpoint. |
| scopes_supported | A JSON array that contains a list of the OAuth 2.0 scope values that App ID supports. |
| response_types_supported | A JSON array that contains a list of the OAuth 2.0 response_type values that App ID supports. |
| claims_supported | A JSON array that contains a list of the claim names. |
| grant_types_supported | A JSON array that contains a list of the OAuth 2.0 grant type values that App ID supports. |
| profiles_endpoint | The URL of the App ID user profile endpoint. |
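
Because the discovery URI is hardcoded, a client can check the returned document against the region and tenant ID it expects before it trusts any endpoint in it. The following Python sketch is an added example, not App ID code: the function names, the choice of checks, and the RS256 allowlist are assumptions, and the sample is a trimmed copy of the response shown above.

```python
from urllib.parse import urlsplit

TENANT = "39a37f57-a227-4bfe-a044-93b6e6060b61"  # tenant ID from the page's example
BASE = f"https://us-south.appid.cloud.ibm.com/oauth/v4/{TENANT}"
# Constructed sample: a trimmed copy of the example response on this page.
SAMPLE = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/authorization",
    "token_endpoint": BASE + "/token",
    "jwks_uri": BASE + "/publickeys",
    "userinfo_endpoint": BASE + "/userinfo",
    "id_token_signing_alg_values_supported": ["RS256"],
}
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "jwks_uri", "userinfo_endpoint")
ALLOWED_ALGS = {"RS256"}  # assumption: pin what the example response advertises


def expected_issuer(region, tenant_id):
    # The discovery URL is the issuer followed by /.well-known/openid-configuration.
    return f"https://{region}.appid.cloud.ibm.com/oauth/v4/{tenant_id}"


def check_discovery(doc, region, tenant_id):
    """Return a list of problems; an empty list means the document is acceptable."""
    problems = []
    issuer = expected_issuer(region, tenant_id)
    parsed = urlsplit(issuer)
    # OIDC Discovery requires the issuer to match the one used to build the URL.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in ENDPOINT_KEYS:
        url = urlsplit(str(doc.get(key) or ""))
        if url.scheme != "https" or url.hostname != parsed.hostname:
            problems.append(f"{key} is not HTTPS on the issuer host")
        elif not url.path.startswith(parsed.path + "/"):
            problems.append(f"{key} is outside the tenant path")
    # Refuse documents that advertise anything beyond the pinned algorithms.
    algs = set(doc.get("id_token_signing_alg_values_supported") or [])
    if not algs or not algs <= ALLOWED_ALGS:
        problems.append(f"unexpected signing algorithms: {sorted(algs)}")
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE, "us-south", TENANT) or "discovery document OK")
```
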