Discovery 定義了一個服務發現的規範：它定義了一個 API（/.well-known/openid-configuration），這個 API 返回一個 JSON 資料結構，其中包含 OIDC 服務所提供的端點以及各項功能支援情況的描述資訊，這樣 OIDC 服務的 RP 就不必再硬編碼 OIDC 服務的介面資訊。需要注意的是，RP 應透過 HTTPS 向 issuer 取得這份文件，並驗證返回的 issuer 值與取得文件所用的 issuer URL 完全一致（OIDC Discovery 規範 §4.3），以免被導向非預期的端點。這個 API 返回的範例資訊如下（這裡只列出一部分；為了說明加上了 // 註解，因此並非嚴格的 JSON）。
{
  // Issuer identifier: the URL of the authorization server ("authority"). RPs must
  // check that this value is identical to the URL the discovery document was fetched
  // from (OIDC Discovery 4.3) and to the `iss` claim of every ID token (OIDC Core 3.1.3.7).
  "issuer": "https://localhost:44330",
  // JSON Web Key Set: the public keys used to verify token signatures. RPs fetch
  // signing keys from here instead of embedding them. (The original comment repeated
  // the issuer description here by mistake.)
  "jwks_uri": "https://localhost:44330/.well-known/openid-configuration/jwks",
  // Authorization endpoint of the authorization server (front channel, via the user agent).
  "authorization_endpoint": "https://localhost:44330/connect/authorize",
  // Token endpoint: where codes, refresh tokens and client credentials are exchanged for tokens.
  "token_endpoint": "https://localhost:44330/connect/token",
  // Returns claims about the end user for a presented access token.
  "userinfo_endpoint": "https://localhost:44330/connect/userinfo",
  // RP-initiated logout endpoint.
  "end_session_endpoint": "https://localhost:44330/connect/endsession",
  // OIDC Session Management: the client monitors this iframe to learn when the
  // user's login session at the OP has ended.
  "check_session_iframe": "https://localhost:44330/connect/checksession",
  // Token revocation (RFC 7009). Per the original note this revokes access tokens and
  // reference tokens only; a self-contained JWT cannot be recalled through this endpoint.
  "revocation_endpoint": "https://localhost:44330/connect/revocation",
  // Token introspection (RFC 7662). Used to validate reference tokens (or JWTs, when the
  // consumer has no suitable JWT/crypto library). The endpoint requires client
  // authentication; for reference tokens its answer is the authoritative validity check.
  "introspection_endpoint": "https://localhost:44330/connect/introspect",
  // Device authorization endpoint (RFC 8628); pairs with the device_code grant type below.
  "device_authorization_endpoint": "https://localhost:44330/connect/deviceauthorization",
  // Optional. The OP supports front-channel (browser-based) logout notifications.
  "frontchannel_logout_supported": true,
  // Optional. The OP can pass iss and sid query parameters to the RP's front-channel
  // logout URI so the RP can identify which session to end.
  "frontchannel_logout_session_supported": true,
  // The OP supports back-channel (server-to-server) logout.
  "backchannel_logout_supported": true,
  // Optional. The OP can include a sid (session ID) claim in the logout token so the RP
  // can identify the session when backchannel_logout_uri is used. Defaults to false
  // if omitted.
  "backchannel_logout_session_supported": true,
  // Supported scopes. "role" and "Open" are not standard OIDC scopes and are presumably
  // deployment-specific (custom identity / API resources) -- verify against the server config.
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "address",
    "phone",
    "role",
    "Open",
    "offline_access"
  ],
  // Claims the OP may return in the ID token or from the userinfo endpoint.
  "claims_supported": [
    "sub",
    "birthdate",
    "family_name",
    "gender",
    "given_name",
    "locale",
    "middle_name",
    "name",
    "nickname",
    "picture",
    "preferred_username",
    "profile",
    "updated_at",
    "website",
    "zoneinfo",
    "email",
    "email_verified",
    "address",
    "phone_number",
    "phone_number_verified",
    "role"
  ],
  // Supported grant types. NOTE(review): "implicit" and "password" (resource owner
  // password credentials) are discouraged by the OAuth 2.0 Security BCP and dropped in
  // OAuth 2.1; new clients should use authorization_code with PKCE.
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  // Supported response types. Every value other than "code" delivers an id_token and/or
  // access token through the front channel (implicit and hybrid flows).
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  // Supported response modes. NOTE(review): "query" puts the response in the URL (and thus
  // in browser history, referrers and server logs); it should not be used for response
  // types that return tokens -- those default to fragment, and form_post is preferable.
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  // Client authentication at the token endpoint: shared-secret methods only. No
  // private_key_jwt or mTLS method is advertised in this document.
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  // ID token signing algorithms. An RP should accept only the algorithms listed here
  // (never "none") when validating an id_token signature, using keys from jwks_uri.
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  // "public" subject identifiers: the same sub value is issued to every client (no
  // pairwise identifiers), so a user's sub is correlatable across RPs.
  "subject_types_supported": [
    "public"
  ],
  // PKCE (RFC 7636) challenge methods. NOTE(review): "plain" sends the verifier itself
  // as the challenge and gives no protection if the authorization request is observed;
  // clients should use S256 wherever they can compute SHA-256.
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  // The OP accepts request objects passed by value in the request parameter (OIDC Core 6.1).
  "request_parameter_supported": true
}
