The OpenID Provider (OP) configuration endpoint provides configuration information for the OAuth clients to interface with PingFederate using the OpenID Connect protocol. The configuration information returned by this endpoint is controlled by a template file and can be customized to suit multiple use cases simultaneously.

Note:

This endpoint is only active when the OAuth AS role and the OpenID Connect protocol are enabled on the System > Protocol Settings > Roles & Protocols screen.

Note:

This public endpoint accepts HTTP GET requests without authentication.

Endpoint: /.well-known/openid-configuration

The following table describes the single query parameter accepted by this endpoint.

Parameter: policy_id
Description: Indicates the OpenID Connect policy from which PingFederate derives the attributes to be included in the response body (under claims_supported). If omitted, PingFederate includes the attributes based on the default policy.

Sample response
$ curl -s https://localhost:9031/.well-known/openid-configuration | python -m json.tool
{
    "authorization_endpoint": "https://localhost:9031/as/authorization.oauth2",
    "backchannel_authentication_endpoint": "https://localhost:9031/as/bc-auth.ciba",
    "backchannel_authentication_request_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
    ],
    "backchannel_token_delivery_modes_supported": [
        "poll",
        "ping"
    ],
    "backchannel_user_code_parameter_supported": true,
    "claim_types_supported": [
        "normal"
    ],
    "claims_parameter_supported": false,
    "claims_supported": [
        "address",
        "birthdate",
        "email",
        "email_verified",
        "family_name",
        "gender",
        "given_name",
        "locale",
        "middle_name",
        "name",
        "nickname",
        "phone_number",
        "phone_number_verified",
        "picture",
        "preferred_username",
        "profile",
        "sub",
        "updated_at",
        "website",
        "zoneinfo"
    ],
    "device_authorization_endpoint": "https://localhost:9031/as/device_authz.oauth2",
    "grant_types_supported": [
        "implicit",
        "authorization_code",
        "refresh_token",
        "password",
        "client_credentials",
        "urn:pingidentity.com:oauth2:grant_type:validate_bearer",
        "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "urn:ietf:params:oauth:grant-type:device_code",
        "urn:openid:params:grant-type:ciba"
    ],
    "id_token_encryption_alg_values_supported": [
        "dir",
        "A128KW",
        "A192KW",
        "A256KW",
        "A128GCMKW",
        "A192GCMKW",
        "A256GCMKW",
        "ECDH-ES",
        "ECDH-ES+A128KW",
        "ECDH-ES+A192KW",
        "ECDH-ES+A256KW",
        "RSA-OAEP"
    ],
    "id_token_encryption_enc_values_supported": [
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512",
        "A128GCM",
        "A192GCM",
        "A256GCM"
    ],
    "id_token_signing_alg_values_supported": [
        "none",
        "HS256",
        "HS384",
        "HS512",
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
    ],
    "introspection_endpoint": "https://localhost:9031/as/introspect.oauth2",
    "issuer": "https://localhost:9031",
    "jwks_uri": "https://localhost:9031/pf/JWKS",
    "ping_end_session_endpoint": "https://localhost:9031/idp/startSLO.ping",
    "ping_revoked_sris_endpoint": "https://localhost:9031/pf-ws/rest/sessionMgmt/revokedSris",
    "registration_endpoint": "https://localhost:9031/as/clients.oauth2",
    "request_object_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": false,
    "response_modes_supported": [
        "fragment",
        "query",
        "form_post"
    ],
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "code token",
        "code id_token",
        "token id_token",
        "code token id_token"
    ],
    "revocation_endpoint": "https://localhost:9031/as/revoke_token.oauth2",
    "scopes_supported": [
        "address",
        "phone",
        "edit",
        "openid",
        "profile",
        "admin",
        "email"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "token_endpoint": "https://www.example.com:9031/as/token.oauth2",
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_post",
        "private_key_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
    ],
    "userinfo_endpoint": "https://localhost:9031/idp/userinfo.openid"
}

Some notable metadata parameters

CIBA user code support
The backchannel_user_code_parameter_supported parameter indicates whether the default CIBA request policy supports user codes, an optional feature in the CIBA specification.
In this example, because the User Code PCV field is configured with a Password Credential Validator instance in the default CIBA request policy, the value of the backchannel_user_code_parameter_supported parameter is true. For more information, see OpenID Connect Client Initiated Backchannel Authentication Flow (openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html) and Defining a request policy.
Digital signature algorithms
The backchannel_authentication_request_signing_alg_values_supported, id_token_signing_alg_values_supported, token_endpoint_auth_signing_alg_values_supported, and request_object_signing_alg_values_supported parameters provide lists of supported algorithms to process digital signatures.
In this example, because PingFederate is integrated with a hardware security module (HSM) and configured to use static keys for OAuth and OpenID Connect, the endpoint includes additional RSASSA-PSS digital signature algorithms (PS256, PS384, and PS512) in its response. (For more information on HSM integration and static keys, see Supported hardware security modules and Managing keys for OAuth and OpenID Connect, respectively.) Note that deploying PingFederate to run on a Java 11 environment will also have the same effect.
JWKS endpoint
The JWKS endpoint (jwks_uri) returns a set of public keys for OAuth and OpenID Connect. Clients can use this information to verify the integrity of asymmetrically signed ID tokens, JWTs for client authentication, and OpenID Connect request objects.
Scopes
The OP configuration endpoint returns all common static scopes and common scope groups but not exclusive static scopes, exclusive scope groups, common dynamic scopes, or exclusive dynamic scopes by default. As needed, the response can be customized by editing a template file to include or exclude individual scopes and scope groups.
Token endpoint
The token endpoint (token_endpoint) is used by clients to obtain access tokens and refresh tokens (if applicable).
In this example, because the Token Endpoint Base URL is set to https://www.example.com:9031 on the OAuth Server > Authorization Server Settings screen, the token_endpoint parameter value is set to https://www.example.com:9031/as/token.oauth2 (see Configuring AS settings and Token endpoint).
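The following Python is an added example, not PingFederate code and not part of this documentation. It shows the checks a relying party should run on the configuration document and on the JWKS before trusting any ID token: the issuer must equal the URL the document was fetched from (OpenID Connect Discovery 1.0, section 4.3), every endpoint must be HTTPS, the "none" entry in id_token_signing_alg_values_supported must never be selected, and a key is looked up from the JWKS only after the token header's alg has passed an asymmetric-only allowlist. The sample document is a constructed, trimmed copy of the response shown above (which is why the token_endpoint host differs from the issuer and is reported as a warning rather than an error); the JWKS, its key identifiers and key material are placeholders, and all function names are assumptions. Actual signature verification is left to a JOSE library; the code covers the steps that such libraries commonly leave to the caller.

```python
"""Relying-party sanity checks for an OpenID Provider configuration document and its JWKS.
Added example; constructed inputs, not a live PingFederate response."""
import base64
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample: a trimmed copy of the discovery document shown earlier on the page.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://localhost:9031",
    "authorization_endpoint": "https://localhost:9031/as/authorization.oauth2",
    "token_endpoint": "https://www.example.com:9031/as/token.oauth2",
    "jwks_uri": "https://localhost:9031/pf/JWKS",
    "userinfo_endpoint": "https://localhost:9031/idp/userinfo.openid",
    "id_token_signing_alg_values_supported": ["none", "HS256", "RS256", "ES256", "PS256"],
    "subject_types_supported": ["public", "pairwise"],
    "response_types_supported": ["code", "token", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
})

# Constructed sample JWKS in the shape jwks_uri returns; kids and key material are placeholders.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sig-placeholder-1", "use": "sig", "alg": "RS256",
     "n": "PLACEHOLDER-MODULUS", "e": "AQAB"},
    {"kty": "EC", "kid": "sig-placeholder-2", "use": "sig", "crv": "P-256",
     "x": "PLACEHOLDER-X", "y": "PLACEHOLDER-Y"},
]})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "id_token_signing_alg_values_supported", "subject_types_supported",
            "response_types_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")
# Asymmetric algorithms only: an HS* ID token could be forged by anyone holding the client secret.
ACCEPTED_ID_TOKEN_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                          "PS256", "PS384", "PS512"}


def expected_issuer(discovery_url: str) -> str:
    """Issuer value a client must see for a document fetched from discovery_url."""
    if not discovery_url.endswith(DISCOVERY_SUFFIX):
        raise ValueError("not an OpenID discovery URL: " + discovery_url)
    return discovery_url[: -len(DISCOVERY_SUFFIX)]


def validate_discovery(document_text: str, discovery_url: str) -> dict:
    """Return ok/errors/warnings plus the ID token algorithms this client may use."""
    doc = json.loads(document_text)
    errors, warnings = [], []
    for key in REQUIRED:
        if key not in doc:
            errors.append(f"missing required metadata: {key}")
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer(discovery_url):
        errors.append(f"issuer {issuer!r} does not match the discovery location")
    issuer_host = urlparse(issuer).netloc
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is None:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            errors.append(f"{key} is not https: {url}")
        if parsed.netloc != issuer_host:
            # Legitimate when the token endpoint base URL is configured separately; surface it anyway.
            warnings.append(f"{key} host {parsed.netloc} differs from issuer host {issuer_host}")
    advertised = set(doc.get("id_token_signing_alg_values_supported", []))
    if "none" in advertised:
        warnings.append("provider advertises alg 'none'; unsigned ID tokens must never be accepted")
    usable = sorted(advertised & ACCEPTED_ID_TOKEN_ALGS)
    if not usable:
        errors.append("no acceptable asymmetric ID token signing algorithm advertised")
    if "code" not in doc.get("response_types_supported", []):
        errors.append("authorization code flow not supported")
    return {"ok": not errors, "errors": errors, "warnings": warnings, "id_token_algs": usable}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unverified_token(header: dict) -> str:
    """Constructed header.payload.signature skeleton used only to exercise the header checks."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), ""])


def select_verification_key(token: str, jwks_text: str, allowed_algs) -> dict:
    """Pick the JWK for `token`, enforcing the alg allowlist before any key lookup."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    alg = header.get("alg")
    if alg not in allowed_algs:  # rejects 'none', HS*, and a missing alg
        raise ValueError(f"rejected token: alg {alg!r} not in allowlist")
    kid = header.get("kid")
    expected_kty = "RSA" if alg.startswith(("RS", "PS")) else "EC"
    for jwk in json.loads(jwks_text)["keys"]:
        if jwk.get("kid") != kid or jwk.get("kty") != expected_kty:
            continue
        if jwk.get("use", "sig") != "sig" or jwk.get("alg", alg) != alg:
            continue
        return jwk
    raise LookupError(f"no signing key with kid {kid!r} for alg {alg}")


if __name__ == "__main__":
    report = validate_discovery(SAMPLE_DISCOVERY, "https://localhost:9031" + DISCOVERY_SUFFIX)
    print(json.dumps(report, indent=2))
    key = select_verification_key(make_unverified_token({"alg": "RS256", "kid": "sig-placeholder-1"}),
                                  SAMPLE_JWKS, report["id_token_algs"])
    print("selected key:", key["kid"])
```

Run as a script it prints the validation report for the constructed document (no errors, two warnings: the advertised "none" algorithm and the token_endpoint host that differs from the issuer) and then the key selected for an RS256 header. Pointing `validate_discovery` at a different discovery URL makes the issuer check fail, which is the behaviour a client needs when a document is served from a location that does not match its issuer claim.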