Configure Applications with OIDC Discovery

OpenID Connect (OIDC) Discovery documents contain metadata about the identity provider (IdP). Adding discovery to your SDK to point your application to the ./wellknown endpoint to consume information about your IdP could help configure your integration with the IdP.

Integrating OIDC discovery into your SDK provides:

You can configure applications with the OpenID Connect (OIDC) discovery documents found here: https://{yourDomain}/.well-known/openid-configuration.

Sample response

{
  "issuer": "https://{yourDomain}.us.auth0.com/",
  "authorization_endpoint": "https://{yourDomain}.us.auth0.com/authorize",
  "token_endpoint": "https://{yourDomain}.us.auth0.com/oauth/token",
  "device_authorization_endpoint": "https://{yourDomain}.us.auth0.com/oauth/device/code",
  "userinfo_endpoint": "https://{yourDomain}.us.auth0.com/userinfo",
  "mfa_challenge_endpoint": "https://{yourDomain}.us.auth0.com/mfa/challenge",
  "jwks_uri": "https://{yourDomain}.us.auth0.com/.well-known/jwks.json",
  "registration_endpoint": "https://{yourDomain}.us.auth0.com/oidc/register",
  "revocation_endpoint": "https://{yourDomain}.us.auth0.com/oauth/revoke",
  "scopes_supported": [
    "openid",
    "profile",
    "offline_access",
    "name",
    "given_name",
    "family_name",
    "nickname",
    "email",
    "email_verified",
    "picture",
    "created_at",
    "identities",
    "phone",
    "address"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token"
  ],
  "code_challenge_methods_supported": [
    "S256",
    "plain"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "RS256",
    "PS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "private_key_jwt"
  ],
  "claims_supported": [
    "aud",
    "auth_time",
    "created_at",
    "email",
    "email_verified",
    "exp",
    "family_name",
    "given_name",
    "iat",
    "identities",
    "iss",
    "name",
    "nickname",
    "phone_number",
    "picture",
    "sub"
  ],
  "request_uri_parameter_supported": false,
  "request_parameter_supported": false,
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "PS256"
  ]
}

Was this helpful?

/

Sample implementation

For example, this is how to configure OIDC middleware for Katana v3 (OWIN):

  1. Install the nuget package: Microsoft.Owin.Security.OpenIdConnect (v3.x.x)

  2. Go to App_Start\Startup.Auth.cs and replace your implementation with the following:

    to configure this snippet with your account
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
    });
    
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = "https://{yourDomain}/",
        ClientId = "{yourClientId}",
        SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        ResponseType = "token",
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            // OPTIONAL: you can read/modify the claims that are populated based on the JWT
            SecurityTokenValidated = context =>
            {
                // add Auth0 Access Token as claim
                var accessToken = context.ProtocolMessage.AccessToken;
                if (!string.IsNullOrEmpty(accessToken))
                {
                    context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
                }
                return Task.FromResult(0);
            }
        }
    });

    Was this helpful?

    /

RSA algorithm for JWTs

The OIDC middleware does not support JWTs signed with symmetric keys. Make sure you configure your app to use the RSA algorithm using public/private keys.

  1. Go to Dashboard > Settings.

  2. Scroll down to Advanced Settings.

  3. Under the OAuth tab, set RS256 as Json Web Token(JWT) Signature Algorithm and click Save.

With this setting, Auth0 will issue JWTs signed with your private signing key. Your app will verify them with your public signing key.

Learn more