...
- /oauth2/auth or /oauth2/authorize - OpenID Connect Authorization endpoint (the two are different names for the same endpoint).
- /oauth2/token - OpenID Connect Token endpoint.
- /oauth2/userinfo - OpenID Connect Userinfo endpoint - requires a previously issued access token, passed as a bearer token, to call it.
- /oauth2/jwks.json - OpenID Connect JWK key list endpoint.
- /oauth2/confirm - Called to confirm the user's consent before redirecting back to the resource provider.
- /oauth2/reject - Called if the user rejects consent; the user is redirected back to the resource provider with an error message instead of an id_token.
- /oauth2/introspect - OAuth2 introspection endpoint - see https://tools.ietf.org/html/rfc7662 for details. (Requires v5.70.3 or higher.)
- /oauth2/revoke - OAuth2 token revocation endpoint - see https://tools.ietf.org/html/rfc7009 for details. (Requires v5.70.3 or higher.)
The endpoints depend on the configuration for JWT / OpenID Connect tokens, which is documented on the JWT / OpenID Connect page.
...
Example JSON

```json
{
  "response.contenttype": "application/json;charset=UTF8",
  "location.enabled": true,
  "content.preload": false,
  "description": "Discovery URL for OpenID Connect configuration",
  "session.override": false,
  "response.reason": "OK",
  "cookiesnapper": {},
  "plugin": {},
  "valid.methods": "GET",
  "session.needed": false,
  "response.compress": false,
  "name": "OpenID Connect IDP Configuration",
  "conditions.type": "and",
  "action": "respond",
  "conditions": [
    { "deny": false, "values": ["/.well-known/openid-configuration"], "type": "path" },
    { "deny": false, "values": ["https"], "type": "scheme" },
    { "deny": false, "values": ["GET"], "type": "method" }
  ],
  "response.status": 200,
  "response.content": "{\r\n \"issuer\": \"https://test.portalprotect.dk\",\r\n \"authorization_endpoint\": \"https://%{HTTP_HOST}/oauth2/auth\",\r\n \"token_endpoint\": \"https://%{HTTP_HOST}/oauth2/token\",\r\n \"userinfo_endpoint\": \"https://%{HTTP_HOST}/oauth2/userinfo\",\r\n \"end_session_endpoint\": \"https://%{HTTP_HOST}/oauth2/logout\",\r\n \"jwks_uri\": \"https://%{HTTP_HOST}/oauth2/jwks.json\",\r\n \"scopes_supported\": [\"openid\", \"profile\", \"email\", \"address\", \"phone\"],\r\n \"response_types_supported\": [\"code\", \"code id_token\", \"id_token\", \"token id_token\"],\r\n \"subject_types_supported\": [\"public\", \"pairwise\"],\r\n \"userinfo_signing_alg_values_supported\": [\"RS256\", \"ES256\", \"HS256\"],\r\n \"id_token_signing_alg_values_supported\": [\"RS256\", \"ES256\", \"HS256\"],\r\n \"claims_supported\": [\"sub\", \"iss\", \"auth_time\", \"acr\", \"name\", \"given_name\", \"family_name\", \"nickname\", \"profile\", \"picture\", \"website\", \"email\", \"email_verified\", \"locale\"],\r\n \"grant_types_supported\": [\"authorization_code\", \"implicit\", \"refresh_token\"],\r\n \"token_endpoint_auth_methods_supported\": [\"client_secret_post\", \"client_secret_basic\"]\r\n}"
},
```
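As an added check (example code, not PortalProtect's own and not part of this page's configuration), the following Python validates the discovery document the way a client would receive it from the location above: it substitutes %{HTTP_HOST} with an assumed host name, verifies that the issuer matches the host the document is served from (as OpenID Connect Discovery requires), that every endpoint is https and maps to one of the gateway paths listed earlier, and that the id_token algorithm list includes RS256 and not none. Note that the fixed issuer in the example only agrees with the %{HTTP_HOST}-based endpoints when the gateway is reached as test.portalprotect.dk.

```python
import json
from urllib.parse import urlparse

# Constructed input: the response.content of the discovery location above, trimmed to
# the fields checked here.  %{HTTP_HOST} is substituted in render() per request.
TEMPLATE = """{
 "issuer": "https://test.portalprotect.dk",
 "authorization_endpoint": "https://%{HTTP_HOST}/oauth2/auth",
 "token_endpoint": "https://%{HTTP_HOST}/oauth2/token",
 "userinfo_endpoint": "https://%{HTTP_HOST}/oauth2/userinfo",
 "jwks_uri": "https://%{HTTP_HOST}/oauth2/jwks.json",
 "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"]
}"""
# Paths the gateway serves for each endpoint, per the endpoint list above.
EXPECTED_PATHS = {"authorization_endpoint": ("/oauth2/auth", "/oauth2/authorize"),
                  "token_endpoint": ("/oauth2/token",),
                  "userinfo_endpoint": ("/oauth2/userinfo",),
                  "jwks_uri": ("/oauth2/jwks.json",)}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "id_token_signing_alg_values_supported")


def render(host):
    """Document a client receives when it requests discovery via `host` (assumed)."""
    return TEMPLATE.replace("%{HTTP_HOST}", host)


def check_discovery(doc_text, host):
    """Return a list of problems; an empty list means the document is consistent."""
    doc = json.loads(doc_text)
    problems = [f"missing required field {k}" for k in REQUIRED if k not in doc]
    # OpenID Connect Discovery 1.0 section 4.3: the issuer must be identical to the URL
    # the document was fetched from, so a fixed issuer is only right for one host name.
    if doc.get("issuer") != f"https://{host}":
        problems.append(f"issuer {doc.get('issuer')!r} != 'https://{host}'")
    for key, value in doc.items():
        if not key.endswith(("_endpoint", "_uri")):
            continue
        url = urlparse(value)
        if url.scheme != "https":
            problems.append(f"{key} must use https")
        if key in EXPECTED_PATHS and url.path not in EXPECTED_PATHS[key]:
            problems.append(f"{key} path {url.path!r} unexpected")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:  # Discovery section 3: RS256 MUST be included
        problems.append("id_token signing algs must include RS256")
    if "none" in algs:       # never advertise unsigned id_tokens
        problems.append("id_token signing algs must not include 'none'")
    return problems
```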
...
Configuration for OAuth2 Locations
Below is an example of a location configuration that you can cut and paste into the Gateway Configuration. It is provided as one location with several nested locations, which together handle the various OAuth2 / OpenID Connect endpoints without requiring separate applications.
...