--- title: /uma/.well-known/uma2-configuration description: AM exposes an endpoint for discovering information about the UMA provider configuration. component: pingam version: 8.1 page_id: pingam:uma:endpoint-configuration canonical_url: https://docs.pingidentity.com/pingam/8.1/uma/endpoint-configuration.html keywords: ["User-Managed Access (UMA)", "Endpoints", "Configuration"] page_aliases: ["uma-guide:endpoint-configuration.adoc"] --- # /uma/.well-known/uma2-configuration AM exposes an endpoint for discovering information about the UMA provider configuration. A resource server or client can send an HTTP GET request to `/uma/.well-known/uma2-configuration` to retrieve a JSON object that shows the UMA configuration. When making a REST API call, specify the realm in the path component of the endpoint. You must specify the entire hierarchy of the realm, starting at the Top Level Realm. Prefix each realm in the hierarchy with the `realms/` keyword. For example, `/realms/root/realms/customers/realms/europe`. The following is an example of a GET request to the UMA 2.0 configuration discovery endpoint for a subrealm named `subrealm` in the Top Level Realm: ```bash $ curl \ --request GET \ "https://am.example.com:8443/am/uma/realms/root/realms/alpha/.well-known/uma2-configuration" { "issuer": "https://am.example.com:8443/am/oauth2/subrealm", "grant_types_supported": [ "urn:ietf:params:oauth:grant-type:saml2-bearer", "urn:ietf:params:oauth:grant-type:uma-ticket", "client_credentials", "password", "authorization_code", "urn:ietf:params:oauth:grant-type:device_code", "http://oauth.net/grant_type/device/1.0" ], "token_endpoint_auth_methods_supported": [ "client_secret_post", "private_key_jwt", "client_secret_basic" ], "revocation_endpoint_auth_methods_supported": [ "client_secret_post", "private_key_jwt", "client_secret_basic" ], "response_types_supported": [ "code token id_token", "code", "code id_token", "device_code", "id_token", "code token", "token", "token id_token" ], "jwks_uri": "https://am.example.com:8443/am/oauth2/realms/root/realms/alpha/connect/jwk_uri", "dynamic_client_endpoint": "https://am.example.com:8443/am/oauth2/realms/root/realms/alpha/register", "token_endpoint": "https://am.example.com:8443/am/oauth2/realms/root/realms/alpha/access_token", "authorization_endpoint": "https://am.example.com:8443/am/oauth2/realms/root/realms/alpha/authorize", "revocation_endpoint": "https://am.example.com:8443/am/oauth2/realms/root/realms/alpha/token/revoke", "introspection_endpoint": "https://am.example.com:8443/am/oauth2/realms/root/realms/alpha/introspect", "resource_registration_endpoint": "https://am.example.com:8443/am/uma/realms/root/realms/alpha/resource_set", "permission_endpoint": "https://am.example.com:8443/am/uma/realms/root/realms/alpha/permission_request" } ``` The JSON object returned includes the following configuration information: * `issuer` The URI of the issuing authorization server. * `grant_types_supported` The supported OAuth 2.0 grant types. * `token_endpoint` The URI to request tokens. * `authorization_endpoint` The URI to request authorization for issuing a token. * `introspection_endpoint` The URI to introspect an RPT. For more information, see [/oauth2/introspect](../am-oauth2/oauth2-introspect-endpoint.html). * `resource_registration_endpoint` The URI for a resource server to register a resource. For more information, see [/uma/resource\_set](endpoint-resource_set.html). * `dynamic_client_endpoint` The URI for registering a dynamic client. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Resource servers and clients need to be able to discover the UMA provider for a resource owner. You should consider redirecting requests to URIs at the server root, such as `https://www.example.com/.well-known/uma2-configuration`, to the well-known URIs in AM's space.For example, if your UMA provider is in a subrealm named `subrealm`, you could map the following URI: `https://www.example.com:8080/openam/uma/realms/root/realms/subrealm/.well-known/uma2-configuration`.AM supports a provider service that lets a realm have a configured option for obtaining the base URL (including protocol) for components that need to return a URL to the client. This service is used to provide the URL base that is used in the `.well-known` endpoints used in OpenID Connect 1.0 and UMA.For more information, see [Configuring the Base URL Source Service](../security/reverse-proxy.html#configure-base-url-source). |