OIDC Discovery 是一个服务发现规范:它定义了一个 API(/.well-known/openid-configuration),该 API 返回一个 JSON 文档,其中描述了 OIDC 服务提供的各个端点以及对各项功能的支持情况,这样 OIDC 服务的 RP 就不必再硬编码 OIDC 服务的接口信息。需要注意的是,RP 应通过 HTTPS 获取该文档,并校验其中的 issuer 与自己配置的发行方一致,否则不应信任文档中的端点地址。该 API 返回的示例信息如下(只列出了一部分;示例中的 // 注释仅用于说明,真实响应是不含注释的标准 JSON)。
{
  //发行网址,也就是说我们的权限验证站点。
  "issuer": "https://localhost:44330",
  //JSON Web Key Set(JWKS)的地址,RP 从这里获取用于校验令牌签名的公钥。
  "jwks_uri": "https://localhost:44330/.well-known/openid-configuration/jwks",
  //授权服务器的授权端点的URL。
  "authorization_endpoint": "https://localhost:44330/connect/authorize",
  //获取token的网址
  "token_endpoint": "https://localhost:44330/connect/token",
  //根据token获取用户信息
  "userinfo_endpoint": "https://localhost:44330/connect/userinfo",
  //注销登录(登出)端点。
  "end_session_endpoint": "https://localhost:44330/connect/endsession",
  //客户端对check_session_iframe执行监视,可以获取用户的登出状态。
  "check_session_iframe": "https://localhost:44330/connect/checksession",
  //这个网址允许撤销访问令牌(仅access tokens 和reference tokens)。它实现了令牌撤销规范(RFC 7009)。
  "revocation_endpoint": "https://localhost:44330/connect/revocation",
  //introspection_endpoint是RFC 7662的实现。它可以用于验证reference tokens(或如果消费者不支持适当的JWT或加密库,则JWTs)。
  "introspection_endpoint": "https://localhost:44330/connect/introspect",
  "device_authorization_endpoint": "https://localhost:44330/connect/deviceauthorization",
  //可选。基于前端的注销机制。
  "frontchannel_logout_supported": true,
  //可选。基于session的注销机制。
  "frontchannel_logout_session_supported": true,
  //指示OP支持后端通道注销
  "backchannel_logout_supported": true,
  //可选的。指定RP是否需要在注销令牌中包含sid(session ID)声明,以在使用backchannel_logout_uri时用OP标识RP会话。如果省略,默认值为false。
  "backchannel_logout_session_supported": true,
  //支持的范围
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "address",
    "phone",
    "role",
    "Open",
    "offline_access"
  ],
  //支持的claims
  "claims_supported": [
    "sub",
    "birthdate",
    "family_name",
    "gender",
    "given_name",
    "locale",
    "middle_name",
    "name",
    "nickname",
    "picture",
    "preferred_username",
    "profile",
    "updated_at",
    "website",
    "zoneinfo",
    "email",
    "email_verified",
    "address",
    "phone_number",
    "phone_number_verified",
    "role"
  ],
  //授权类型
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "request_parameter_supported": true
}