...
Define the Endpoint:
- The endpoint is defined under the following path:
.well-known/openid-federation
Implementation:
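- Ensure this endpoint serves the issuer’s metadata as specified in the OIDC Federation 1.0 standard, that is, as an Entity Configuration: a JWT signed with one of the issuer’s own federation keys (the top-level "jwks" claim) rather than unsigned JSON, so that consumers can verify it when building the trust chain.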
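Example Metadata: Here is an example of the metadata that can be exposed at the endpoint, shown as decoded JSON with long values truncated ("..."). The sample is illustrative and advertises permissive values, for instance "plain" in code_challenge_methods_supported, the symmetric HS256/HS384/HS512 signing algorithms, and RSA1_5 for credential response encryption. It also lists the key "default_signing_key_id" twice in the credential issuer's jwks. Before publishing, narrow these lists to what the deployment actually accepts and remove the duplicate key entry.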
Code Block language js collapse true { "sub": "https://satosamy-issuer.example.com:8000", "metadata": { "federation_entity": { "organization_name": "The OP operator", "contacts": "operations@op.example.com" }, "oauth_authorization_server": { "jwks_uri": "https://satosamy-issuer.example.com:8000/jwks/oauth_authorization_server", "token_endpoint_auth_methods_supported": [], "token_endpoint_auth_signing_alg_values_supported": [ "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "HS256", "HS384", "HS512", "Ed25519", "Ed448", "EdDSA" ], "response_types_supported": [ "code" ], "response_modes_supported": [ "code" ], "acr_values_supported": [], "scopes_supported": [], "authorization_signing_alg_values_supported": [ "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "HS256", "HS384", "HS512", "Ed25519", "Ed448", "EdDSA" ], "request_object_signing_alg_values_supported": [ "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "HS256", "HS384", "HS512", "Ed25519", "Ed448", "EdDSA" ], "claims_parameter_supported": true, "request_parameter_supported": true, "request_object_encryption_alg_values_supported": [], "request_object_encryption_enc_values_supported": [], "code_challenge_methods_supported": [ "plain", "S256", "S384", "S512" ], "deny_unknown_scopes": false, "ui_locales_supported": [], "token_endpoint": "https://satosamy-issuer.example.com:8000/token", "token_endpoint_auth_methods": [ "attest_jwt_client_auth" ], "authorization_endpoint": "https://satosamy-issuer.example.com:8000/authorization", "authorization_endpoint_auth_methods": [ "pushed_authz" ], "pushed_authorization_request_endpoint": "https://satosamy-issuer.example.com:8000/par", "pushed_authorization_request_endpoint_auth_methods": [ "attest_jwt_client_auth" ] }, "openid_credential_issuer": { "attribute_disclosure": { "": [ "given_name", "family_name", "name", "email", "nickname" ] }, 
"credential_configurations_supported": { "PDA1Credential": { "format": "vc+sd-jwt", "id": "eudiw.pda1.se", "cryptographic_binding_methods_supported": [ "jwk" ], "cryptographic_suites_supported": [ "RS256", "RS512", "ES256", "ES512" ], "display": { "name": "Swedish PDA1 Provider Example", "locale": "en-US" }, "vct": "PDA1Credential", "credential_definition": { "type": [ "PDA1Credential" ], "credentialSubject": { "family_name": { "display": [ { "locale": "en-US", "name": "Current Family Name" } ], "mandatory": true }, "given_name": { "display": [ { "locale": "en-US", "name": "Current First Name" } ], "mandatory": true }, "birth_date": { "display": [ { "locale": "en-US", "name": "Birth date" } ] } } } }, "EHICCredential": { "format": "vc+sd-jwt", "id": "eudiw.ehic.se", "cryptographic_binding_methods_supported": [ "jwk" ], "cryptographic_suites_supported": [ "RS256", "RS512", "ES256", "ES512" ], "display": { "name": "Swedish EHIC Provider Example", "locale": "en-US" }, "vct": "EHICCredential", "credential_definition": { "type": [ "EHICCredential" ], "credentialSubject": { "family_name": { "display": [ { "locale": "en-US", "name": "Current Family Name" } ], "mandatory": true }, "given_name": { "display": [ { "locale": "en-US", "name": "Current First Name" } ], "mandatory": true }, "birth_date": { "display": [ { "locale": "en-US", "name": "Birth date" } ] } } } } }, "jwks": { "keys": [ { "kty": "RSA", "use": "sig", "kid": "ODR1b1ZjUEpsRzVhVHBSaWxLR1hxQ2x3WTU2ZVFDcnVsMXBmdEF5WUM4UQ", "e": "AQAB", "n": "vqLXJgOHZn7YFqL78Kth6vP..." 
}, { "kty": "EC", "use": "sig", "kid": "YzIwZjJEaFJxU0NOLXJ5MS1mSXgyLUp5RWNZb3I4M1lRMDVhQWxMUjhsZw", "crv": "P-256", "x": "FdYslsTybViEudE4T-gyBrcKeZNleH9-QajFYVpOYW8", "y": "If-rr6KWEEnC_R8N93SrcQRn4E7lC4WXOqgANj-o0UE" }, { "kty": "EC", "kid": "default_signing_key_id", "crv": "P-256", "x": "-i8_UtCwdCic10eDuNwr68IEHWk4B1HSn119fdNT-pQ", "y": "UIMFXTj4kOWF2gZaKDTP3n3K-08TfkLHw8hIV6bOxqw" }, { "kty": "EC", "kid": "default_signing_key_id", "crv": "P-256", "x": "-i8_UtCwdCic10eDuNwr68IEHWk4B1HSn119fdNT-pQ", "y": "UIMFXTj4kOWF2gZaKDTP3n3K-08TfkLHw8hIV6bOxqw" } ] }, "credential_response_encryption_alg_values_supported": [ "RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW" ], "credential_response_encryption_enc_values_supported": [ "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM" ], "require_credential_response_encryption": false, "credentials_supported": [ "vp_token" ], "credential_endpoint": "https://satosamy-issuer.example.com:8000/credential", "credential_endpoint_auth_methods": [ "dpop_client_auth" ] } }, "authority_hints": [ "https://trust-anchor.example.com:7001" ], "trust_marks": [ "eyJhbGciOiJSUzI1Ni...", "eyJhbGciOiJSUzI1N..." ], "jwks": { "keys": [ { "kty": "RSA", "use": "sig", "kid": "VmhPQndmVDNja09ZYTQ4UlM3eWl2Z3BxMlp1cVd1ZFB1YnhwdWUxa3p4Zw", "e": "AQAB", "n": "y68Zlt9DHIXHvH3HMFtY..." }, { "kty": "EC", "use": "sig", "kid": "dTlESU50RVVjVDA3eWFPV0dMQ2taMC0tbDlWclBjQTBUdkpyNlVhSVBfOA", "crv": "P-256", "x": "IqpTNpOAXTsQVVlO18zzAV1rHI36qBvZv7VbdtniV-c", "y": "JozJQWmYCkvxD4PtUnr6sKXRL8SOj7ggx6WHzQxHgaw" } ] }, "iss": "https://satosamy-issuer.example.com:8000", "iat": 1732718163, "exp": 1732804563 }
...