---
title: OpenID Provider configuration endpoint
description: The OpenID Provider (OP) configuration endpoint provides configuration information for the OAuth clients to interface with PingFederate using the OpenID Connect protocol.
component: pingfederate
version: 13.0
page_id: pingfederate:developers_reference_guide:pf_openid_provider_config_endpoint
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/developers_reference_guide/pf_openid_provider_config_endpoint.html
revdate: December 4, 2023
section_ids:
  endpoint-well-knownopenid-configuration: "Endpoint: /.well-known/openid-configuration"
  example-response: Example response
  notable-metadata-parameters: Notable metadata parameters
  related-links: Related links
---

# OpenID Provider configuration endpoint

The OpenID Provider (OP) configuration endpoint provides configuration information for the OAuth clients to interface with PingFederate using the OpenID Connect protocol.

This endpoint returns configuration information that is controlled by a template file and can be customized to suit multiple use cases simultaneously.

This public endpoint accepts HTTP GET requests without authentication.

## Endpoint: /.well-known/openid-configuration

The following table describes the parameter for this endpoint.

| Parameter   | Description                                                                                                                                                                                                               |
| ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `policy_id` | Indicates the OpenID Connect policy from which PingFederate derives the attributes to include under `claims_supported` in the response body. If omitted, PingFederate includes the attributes based on the default policy. |

## Example response

```shell
$ curl -s https://localhost:9031/.well-known/openid-configuration|python -m json.tool
{
    "authorization_endpoint": "https://localhost:9031/as/authorization.oauth2",
    "backchannel_authentication_endpoint": "https://localhost:9031/as/bc-auth.ciba",
    "backchannel_authentication_request_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
    ],
    "backchannel_token_delivery_modes_supported": [
        "poll",
        "ping"
    ],
    "backchannel_user_code_parameter_supported": true,
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "claim_types_supported": [
        "normal"
    ],
    "claims_parameter_supported": false,
    "claims_supported": [
        "address",
        "birthdate",
        "email",
        "email_verified",
        "family_name",
        "gender",
        "given_name",
        "locale",
        "middle_name",
        "name",
        "nickname",
        "phone_number",
        "phone_number_verified",
        "picture",
        "preferred_username",
        "profile",
        "sub",
        "updated_at",
        "website",
        "zoneinfo"
    ],
    "device_authorization_endpoint": "https://localhost:9031/as/device_authz.oauth2",
    "end_session_endpoint": "https://localhost:9031/idp/init_logout.openid",
    "grant_types_supported": [
        "implicit",
        "authorization_code",
        "refresh_token",
        "password",
        "client_credentials",
        "urn:pingidentity.com:oauth2:grant_type:validate_bearer",
        "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "urn:ietf:params:oauth:grant-type:device_code",
        "urn:openid:params:grant-type:ciba"
    ],
    "id_token_encryption_alg_values_supported": [
        "dir",
        "A128KW",
        "A192KW",
        "A256KW",
        "A128GCMKW",
        "A192GCMKW",
        "A256GCMKW",
        "ECDH-ES",
        "ECDH-ES+A128KW",
        "ECDH-ES+A192KW",
        "ECDH-ES+A256KW",
        "RSA-OAEP"
    ],
    "id_token_encryption_enc_values_supported": [
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512",
        "A128GCM",
        "A192GCM",
        "A256GCM"
    ],
    "id_token_signing_alg_values_supported": [
        "none",
        "HS256",
        "HS384",
        "HS512",
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
    ],
    "introspection_endpoint": "https://localhost:9031/as/introspect.oauth2",
    "issuer": "https://localhost:9031",
    "jwks_uri": "https://localhost:9031/pf/JWKS",
    "ping_end_session_endpoint": "https://localhost:9031/idp/startSLO.ping",
    "ping_revoked_sris_endpoint": "https://localhost:9031/pf-ws/rest/sessionMgmt/revokedSris",
    "registration_endpoint": "https://localhost:9031/as/clients.oauth2",
    "request_object_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": false,
    "response_modes_supported": [
        "fragment",
        "query",
        "form_post"
    ],
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "code token",
        "code id_token",
        "token id_token",
        "code token id_token"
    ],
    "revocation_endpoint": "https://localhost:9031/as/revoke_token.oauth2",
    "scopes_supported": [
        "address",
        "phone",
        "edit",
        "openid",
        "profile",
        "admin",
        "email"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "token_endpoint": "https://www.example.com:9031/as/token.oauth2",
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_post",
        "private_key_jwt",
        "client_secret_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "HS256",
        "HS384",
        "HS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
    ],
    "userinfo_endpoint": "https://localhost:9031/idp/userinfo.openid"
}
```

## Notable metadata parameters

* CIBA user code support

  The `backchannel_user_code_parameter_supported` parameter indicates whether the default CIBA request policy supports user codes, which are an optional feature in the CIBA specification. In the previous example, because the **User Code PCV** field is configured with a Password Credential Validator instance in the default CIBA request policy, the value of the `backchannel_user_code_parameter_supported` parameter is `true`. For more information, see [OpenID Connect Client Initiated Backchannel Authentication Flow](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html) and [Defining a request policy](../administrators_reference_guide/help_cibapolicymanagementtasklet_cibapolicymanagementstate.html).

* Digital signature algorithms

  The `backchannel_authentication_request_signing_alg_values_supported`, `id_token_signing_alg_values_supported`, `token_endpoint_auth_signing_alg_values_supported`, and `request_object_signing_alg_values_supported` parameters provide lists of supported algorithms to process digital signatures. In this example, because PingFederate is integrated with a hardware security module (HSM) and configured to use static keys for OAuth and OpenID Connect, the endpoint includes additional RSASSA-PSS digital signature algorithms (`PS256`, `PS384`, and `PS512`) in its response. For more information on HSM integration and static keys, see [Supported hardware security modules](../getting_started_with_pingfederate/pf_supported_hardware_security_modules.html) and [Keys for OAuth and OpenID Connect](../administrators_reference_guide/help_jwksendpointtasklet_jwksendpointkeysstate.html), respectively. Deploying PingFederate to run on a Java 8 or a Java 11 environment will have the same result.

* JWKS endpoint

  The JWKS endpoint, `jwks_uri`, returns a set of public keys for OAuth and OpenID Connect. Clients can use this information to verify the integrity of asymmetrically-signed ID tokens, JSON web tokens (JWTs) for client authentication, and OpenID Connect request objects.

* Scopes

  The OP configuration endpoint returns all common static scopes and common scope groups but not exclusive static scopes, exclusive scope groups, common dynamic scopes, or exclusive dynamic scopes by default. The response can be customized by editing a template file to include or exclude individual scopes and scope groups.

* Token endpoint

  The token endpoint, `token_endpoint`, is used by clients to obtain access tokens and refresh tokens if applicable. In the previous example, because the **Token Endpoint Base URL** is set to `https://www.example.com:9031` in the **System > OAuth Settings > Authorization Server Settings** window, the `token_endpoint` value is set to `https://www.example.com:9031/as/token.oauth2`. For more information, see [Configuring authorization server settings](../administrators_reference_guide/help_authorizationserversettingstasklet_oauthauthorizationserversettingsstate.html) and [Token endpoint](pf_token_endpoint.html).
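
A client or reviewer can check the advertised metadata against local policy rather than accepting every listed value. The following is an added example, not PingFederate code: `audit_metadata`, `pinned_id_token_algs`, the check names, and the asymmetric-only algorithm policy are assumptions made here, and the input is a constructed subset of the example response above.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a subset of the example response on this page.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://localhost:9031",
  "token_endpoint": "https://www.example.com:9031/as/token.oauth2",
  "jwks_uri": "https://localhost:9031/pf/JWKS",
  "code_challenge_methods_supported": ["plain", "S256"],
  "grant_types_supported": ["implicit", "authorization_code", "password"],
  "id_token_signing_alg_values_supported": ["none", "HS256", "RS256", "ES256", "PS256"]
}""")

# Local client policy (an assumption of this example): asymmetric signatures only.
ALLOWED_ID_TOKEN_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}
DISCOURAGED_GRANTS = {"implicit", "password"}

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def audit_metadata(meta, expected_issuer):
    """Return (check_id, detail) findings for a discovery document."""
    findings = []
    if meta.get("issuer") != expected_issuer:  # Discovery 1.0 requires an exact match
        findings.append(("issuer_mismatch", meta.get("issuer")))
    for key, value in meta.items():
        if key.endswith(("_endpoint", "_uri")) and isinstance(value, str):
            if urlsplit(value).scheme != "https":
                findings.append(("non_https_endpoint", key))
            elif origin(value) != origin(expected_issuer):
                findings.append(("endpoint_off_issuer_origin", key))
    if "plain" in meta.get("code_challenge_methods_supported", []):
        findings.append(("pkce_plain_advertised", "plain"))
    for grant in sorted(DISCOURAGED_GRANTS & set(meta.get("grant_types_supported", []))):
        findings.append(("discouraged_grant_advertised", grant))
    for alg in meta.get("id_token_signing_alg_values_supported", []):
        if alg not in ALLOWED_ID_TOKEN_ALGS:
            findings.append(("id_token_alg_outside_policy", alg))
    return findings

def pinned_id_token_algs(meta):
    """Algorithms the client accepts: advertised list intersected with local policy."""
    return sorted(ALLOWED_ID_TOKEN_ALGS & set(meta.get("id_token_signing_alg_values_supported", [])))

if __name__ == "__main__":
    for check, detail in audit_metadata(SAMPLE_METADATA, "https://localhost:9031"):
        print(f"{check}: {detail}")
    print("accept:", pinned_id_token_algs(SAMPLE_METADATA))
```

The `endpoint_off_issuer_origin` finding for `token_endpoint` is expected when **Token Endpoint Base URL** is set as described above; any other off-origin endpoint should be traced to a deliberate setting.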

## Related links

* [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)

* [Configuring OpenID Connect policies](../administrators_reference_guide/pf_configuring_oidc_policies.html)

* [Customizing a configuration endpoint response](../administrators_reference_guide/pf_customiz_config_endpoint_response.html)

* [OpenID Connect Discovery 1.0 (openid.net/specs/openid-connect-discovery-1\_0.html#ProviderMetadata)](https://openid.net/specs/openid-connect-discovery-1_0.html)

