Configure Applications with OIDC Discovery

OpenID Connect (OIDC) Discovery documents contain metadata about the identity provider (IdP). Pointing your SDK at the IdP's /.well-known endpoint and consuming that metadata lets your integration configure itself from the settings the IdP publishes (endpoints, supported algorithms, signing keys) rather than from hard-coded values.

Integrating OIDC discovery into your SDK provides:

You can configure applications with the OpenID Connect (OIDC) discovery documents found at: https://{yourDomain}/.well-known/openid-configuration.

Sample response

{
  "issuer": "https://{yourDomain}.us.auth0.com/",
  "authorization_endpoint": "https://{yourDomain}.us.auth0.com/authorize",
  "token_endpoint": "https://{yourDomain}.us.auth0.com/oauth/token",
  "device_authorization_endpoint": "https://{yourDomain}.us.auth0.com/oauth/device/code",
  "userinfo_endpoint": "https://{yourDomain}.us.auth0.com/userinfo",
  "mfa_challenge_endpoint": "https://{yourDomain}.us.auth0.com/mfa/challenge",
  "jwks_uri": "https://{yourDomain}.us.auth0.com/.well-known/jwks.json",
  "registration_endpoint": "https://{yourDomain}.us.auth0.com/oidc/register",
  "revocation_endpoint": "https://{yourDomain}.us.auth0.com/oauth/revoke",
  "scopes_supported": [
    "openid",
    "profile",
    "offline_access",
    "name",
    "given_name",
    "family_name",
    "nickname",
    "email",
    "email_verified",
    "picture",
    "created_at",
    "identities",
    "phone",
    "address"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token"
  ],
  "code_challenge_methods_supported": [
    "S256",
    "plain"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "RS256",
    "PS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "private_key_jwt"
  ],
  "claims_supported": [
    "aud",
    "auth_time",
    "created_at",
    "email",
    "email_verified",
    "exp",
    "family_name",
    "given_name",
    "iat",
    "identities",
    "iss",
    "name",
    "nickname",
    "phone_number",
    "picture",
    "sub"
  ],
  "request_uri_parameter_supported": false,
  "request_parameter_supported": false,
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "PS256"
  ]
}


Sample implementation

For example, this is how to configure OIDC middleware for Katana v3 (OWIN):

  1. Install the nuget package: Microsoft.Owin.Security.OpenIdConnect (v3.x.x)

  2. Go to App_Start\Startup.Auth.cs and replace your implementation with the following:

    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    // Inside Startup.ConfigureAuth(IAppBuilder app):
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
    });
    
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        // The middleware appends .well-known/openid-configuration to Authority and
        // reads the endpoints and jwks_uri from the discovery document shown above.
        Authority = "https://{yourDomain}/",
        ClientId = "{yourClientId}",
        RedirectUri = "{yourCallbackUrl}", // must match an Allowed Callback URL in Auth0
        SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        // The middleware needs an ID token to validate (it signs nothing in without one);
        // "token" alone returns only an access token, so request both.
        ResponseType = "id_token token",
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            // OPTIONAL: you can read/modify the claims that are populated based on the JWT
            SecurityTokenValidated = context =>
            {
                // add Auth0 Access Token as claim
                var accessToken = context.ProtocolMessage.AccessToken;
                if (!string.IsNullOrEmpty(accessToken))
                {
                    context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
                }
                return Task.FromResult(0);
            }
        }
    });


RSA algorithm for JWTs

The OIDC middleware does not support JWTs signed with symmetric keys (HS256), because it verifies signatures with the public keys published at jwks_uri. Make sure you configure your app to use the RSA algorithm (RS256) with a public/private key pair.

  1. Go to Dashboard > Settings.

  2. Scroll down to Advanced Settings.

  3. Under the OAuth tab, set RS256 as the JSON Web Token (JWT) Signature Algorithm and click Save.

With this setting, Auth0 will issue JWTs signed with your private signing key. Your app will verify them with your public signing key.
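As an added example that is not part of the Auth0 documentation or of any Auth0 SDK, the following Python shows the checks a client should run on a discovery document before trusting it (issuer matches the configured authority, endpoints are HTTPS on the issuer's host, an asymmetric ID token algorithm is offered, PKCE S256 is supported) and then builds the authorization request from the discovered endpoint. The discovery document, client ID and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import json
from urllib.parse import urlencode, urlparse

# Constructed sample: a trimmed copy of the discovery document shape shown above.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example.us.auth0.com/",
  "authorization_endpoint": "https://example.us.auth0.com/authorize",
  "token_endpoint": "https://example.us.auth0.com/oauth/token",
  "jwks_uri": "https://example.us.auth0.com/.well-known/jwks.json",
  "response_types_supported": ["code", "token", "id_token"],
  "code_challenge_methods_supported": ["S256", "plain"],
  "id_token_signing_alg_values_supported": ["HS256", "RS256", "PS256"]
}""")

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc, authority):
    """Validate a discovery document and return the client settings to pin."""
    for key in REQUIRED:
        if key not in doc:
            raise ValueError(f"discovery document missing {key}")
    # OIDC Discovery 4.3: issuer must equal the location we fetched from, so a
    # document served from the wrong host cannot point us at its own endpoints.
    if doc["issuer"].rstrip("/") != authority.rstrip("/"):
        raise ValueError(f"issuer mismatch: {doc['issuer']} != {authority}")
    issuer_host = urlparse(doc["issuer"]).netloc
    for key in ENDPOINTS:
        url = urlparse(doc[key])
        if url.scheme != "https" or url.netloc != issuer_host:
            raise ValueError(f"{key} is not an https URL under the issuer: {doc[key]}")
    # Pin one asymmetric algorithm; HS256 is never accepted for ID token validation.
    supported = doc.get("id_token_signing_alg_values_supported", [])
    alg = next((a for a in ("RS256", "PS256") if a in supported), None)
    if alg is None:
        raise ValueError("IdP offers no asymmetric id_token signing algorithm")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("IdP does not support PKCE S256")
    return {"alg": alg, "jwks_uri": doc["jwks_uri"], "pkce": "S256"}


def authorization_url(doc, client_id, redirect_uri, state, nonce, code_verifier):
    """Build a code-flow request with PKCE against the discovered endpoint."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile", "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return doc["authorization_endpoint"] + "?" + urlencode(params)
```

In a real client the returned `alg` and `jwks_uri` are the only values the token validator should accept, and `state` and `nonce` must be fresh random values checked on the callback.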

Configure applications with OAuth 2.0 Authorization Server Metadata

If your application or SDK references the OAuth 2.0 Authorization Server Metadata specification (RFC 8414), you can use the OAuth alias to fetch the same metadata about the IdP: /.well-known/oauth-authorization-server. For example, the Auth0 Model Context Protocol Server recommends that all OAuth applications reference the OAuth Authorization Server Metadata specification.

Learn more