> Describes how to use OpenID Connect (OIDC) discovery to configure applications with Auth0 using SDKs.

# Configure Applications with OIDC Discovery

[OpenID Connect (OIDC) Discovery](https://openid.net/specs/openid-connect-discovery-1_0-final.html#RFC5785) documents contain metadata about the <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip> (IdP). Adding discovery to your SDK lets your application point to the `/.well-known` endpoint and consume information about your IdP, which can help configure your integration with the IdP.

Integrating OIDC discovery into your SDK provides:

* Exposed endpoints of the IdP
* Standard [OIDC supported claims and scope](/docs/get-started/apis/scopes/openid-connect-scopes) (this excludes [custom claims](/docs/secure/tokens/json-web-tokens/create-custom-claims) and scopes defined in your tenant)
* Features supported by the IdP

You can configure applications with the [OpenID Connect (OIDC)](https://openid.net/specs/openid-connect-discovery-1_0.html) discovery documents found at: `https://{yourDomain}/.well-known/openid-configuration`.

### Sample response

```json
{
  "issuer": "https://{yourDomain}.us.auth0.com/",
  "authorization_endpoint": "https://{yourDomain}.us.auth0.com/authorize",
  "token_endpoint": "https://{yourDomain}.us.auth0.com/oauth/token",
  "device_authorization_endpoint": "https://{yourDomain}.us.auth0.com/oauth/device/code",
  "userinfo_endpoint": "https://{yourDomain}.us.auth0.com/userinfo",
  "mfa_challenge_endpoint": "https://{yourDomain}.us.auth0.com/mfa/challenge",
  "jwks_uri": "https://{yourDomain}.us.auth0.com/.well-known/jwks.json",
  "registration_endpoint": "https://{yourDomain}.us.auth0.com/oidc/register",
  "revocation_endpoint": "https://{yourDomain}.us.auth0.com/oauth/revoke",
  "scopes_supported": [
    "openid",
    "profile",
    "offline_access",
    "name",
    "given_name",
    "family_name",
    "nickname",
    "email",
    "email_verified",
    "picture",
    "created_at",
    "identities",
    "phone",
    "address"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token"
  ],
  "code_challenge_methods_supported": [
    "S256",
    "plain"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "RS256",
    "PS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "private_key_jwt"
  ],
  "claims_supported": [
    "aud",
    "auth_time",
    "created_at",
    "email",
    "email_verified",
    "exp",
    "family_name",
    "given_name",
    "iat",
    "identities",
    "iss",
    "name",
    "nickname",
    "phone_number",
    "picture",
    "sub"
  ],
  "request_uri_parameter_supported": false,
  "request_parameter_supported": false,
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "PS256",
    "PS384",
    "ES256",
    "ES384"
  ]
}
```
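A client that consumes a discovery document should check it before trusting the endpoints it lists. The sketch below is an added example, not Auth0 code: `check_discovery`, the `tenant.example` host and the sample documents are hypothetical and constructed for illustration, and the PKCE check is a local policy assumption rather than a requirement stated on this page.

```python
from urllib.parse import urlsplit

# Metadata that OpenID Connect Discovery 1.0 marks unconditionally REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri", "revocation_endpoint")


def check_discovery(doc, expected_issuer):
    """Return a list of problems; an empty list means the document is usable."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # The issuer must be identical to the one used to build the discovery URL,
    # otherwise the metadata could describe a different IdP.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is not None and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # The OIDC middleware on this page cannot verify symmetric (HS*) signatures.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("RS256 not offered for ID tokens")
    # Local policy (assumption): require PKCE with S256 to be available.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    return problems


# Constructed sample, trimmed from the shape of the response above.
GOOD = {
    "issuer": "https://tenant.example/",
    "authorization_endpoint": "https://tenant.example/authorize",
    "token_endpoint": "https://tenant.example/oauth/token",
    "jwks_uri": "https://tenant.example/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["HS256", "RS256"],
    "code_challenge_methods_supported": ["S256", "plain"],
}
# Constructed bad variant: wrong issuer, cleartext JWKS URL, HS256 only.
BAD = dict(GOOD, issuer="https://other.example/",
           jwks_uri="http://tenant.example/.well-known/jwks.json",
           id_token_signing_alg_values_supported=["HS256"])

if __name__ == "__main__":
    print(check_discovery(BAD, "https://tenant.example/"))
```

The issuer comparison is an exact string match, so a missing trailing slash counts as a mismatch.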

### Sample implementation

For example, this is how to configure OIDC middleware for Katana v3 (OWIN):

1. Install the NuGet package: **Microsoft.Owin.Security.OpenIdConnect** (v3.x.x)
2. Go to `App_Start\Startup.Auth.cs` and replace your implementation with the following:

```csharp
// Namespaces used below: System.Security.Claims, System.Threading.Tasks,
// Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OpenIdConnect
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // The middleware reads {Authority}/.well-known/openid-configuration to find the endpoints
    Authority = "https://{yourDomain}/",
    ClientId = "{yourClientId}",
    SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
    ResponseType = "token",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        // OPTIONAL: you can read/modify the claims that are populated based on the JWT
        SecurityTokenValidated = context =>
        {
            // add Auth0 Access Token as claim
            var accessToken = context.ProtocolMessage.AccessToken;
            if (!string.IsNullOrEmpty(accessToken))
            {
                context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
            }
            return Task.FromResult(0);
        }
    }
});
```

## RSA algorithm for JWTs

The OIDC middleware does not support <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWTs">JWTs</Tooltip> signed with symmetric keys. Make sure you configure your app to use the RSA algorithm using public/private keys.

1. Go to [Dashboard > Settings](https://manage.auth0.com/#/applications/\{YOUR_AUTH0_CLIENT_ID}/settings).
2. Scroll down to **Advanced Settings**.
3. Under the **OAuth** tab, set `RS256` as **Json Web Token(JWT) Signature Algorithm** and click **Save**.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  If you have an OIDC Enterprise Connection, you can choose from [additional signing algorithms](/docs/authenticate/enterprise-connections/private-key-jwt-client-auth#configure-private-key-jwt-client-authentication) for Private Key JWT.
</Callout>

With this setting, Auth0 will issue JWTs signed with your private signing key. Your app will verify them with your public signing key.
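Once the tenant is pinned to `RS256`, a client can enforce the same choice by checking a token's header against an allow-list before attempting signature verification. The following is an added example, not Auth0 or middleware code: `header_alg_ok` and `make_token` are hypothetical helpers, the tokens are constructed with dummy signatures, and the real signature check against the keys at `jwks_uri` is still left to your JWT library.

```python
import base64
import json

# Asymmetric algorithms this client accepts; RS256 is the value set in the
# Dashboard step above. Symmetric HS* and "none" are never accepted.
ALLOWED_ALGS = {"RS256"}


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def header_alg_ok(token, advertised_algs):
    """Check the JWT header before any signature verification is attempted.

    Returns (ok, reason). The token's alg must be both on the local allow-list
    and in the IdP's id_token_signing_alg_values_supported metadata.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False, "unreadable header"
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in ALLOWED_ALGS:
        return False, f"alg {alg!r} not allowed"
    if alg not in advertised_algs:
        return False, f"alg {alg!r} not advertised by the IdP"
    return True, "ok"


def make_token(header):
    """Build a constructed token with dummy payload and signature segments."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'constructed'})}.c2ln"


if __name__ == "__main__":
    advertised = ["HS256", "RS256", "PS256"]  # as in the sample response
    for alg in ("RS256", "HS256", "none"):
        print(alg, header_alg_ok(make_token({"alg": alg}), advertised))
```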

## Configure applications with OAuth 2.0 Authorization Server Metadata

If your application or SDK references the [OAuth RFC-8414](https://www.rfc-editor.org/rfc/rfc8414) <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=Authorization+Server">Authorization Server</Tooltip> Metadata specification, you can use the <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth">OAuth</Tooltip> alias to fetch metadata about the IdP: `/.well-known/oauth-authorization-server`. For example, the [Auth0 Model Context Protocol Server](/docs/get-started/auth0-mcp-server) recommends all OAuth applications reference the OAuth Authorization Server Metadata specification.

## Learn more

* [JSON Web Tokens](/docs/secure/tokens/json-web-tokens)
* [Create Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims)
