Provider Configuration
Deprecation Notice
There is a more recent version of this OpenId Connect API available. Learn more.
This endpoint will be removed from service on April 20th 2021.
If your app supports self-discovery using provider metadata endpoints, this is where it can find all of details of OneLogin’s OpenID Connect implementation for this connector, including supported claims, grant types, and JSON Web Key (JWK) signing and encyrption information.
You should inspect this document carefully to identify the particulars of the OneLogin implementation.
Note in particular the claims_supported and scopes_supported, which may differ from other OpenID Connect implementations.
The link to the provider configuration endpoint can also be accessed by clicking on the OpenID Provider Configuration Information link on the SSO tab for your app connection in OneLogin.
Resource URL
https://<region>.onelogin.com/oidc/.well-known/openid-configurationResource Parameter
region required integer |
Set to one of the following based on the location of your OneLogin instance.
https://openid-connect-eu.onelogin.com/oidc/.well-known/openid-configuration |
Sample Response
Here is a sample .well-known document, followed by an explanation of the primary objects provided in the document:
{
"acr_values_supported": [
"onelogin:nist:level:1:re-auth"
],
"authorization_endpoint": "https://openid-connect.onelogin.com/oidc/auth",
"claims_parameter_supported": true,
"claims_supported": [
"acr",
"auth_time",
"company",
"custom_fields",
"department",
"email",
"family_name",
"given_name",
"groups",
"iss",
"locale_code",
"name",
"phone_number",
"preferred_username",
"sub",
"title",
"updated_at"
],
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"issuer": "https://openid-connect.onelogin.com/oidc",
"jwks_uri": "https://openid-connect.onelogin.com/oidc/certs",
"request_parameter_supported": false,
"request_uri_parameter_supported": false,
"response_modes_supported": [
"form_post",
"fragment",
"query"
],
"response_types_supported": [
"code",
"id_token token",
"id_token"
],
"scopes_supported": [
"openid",
"name",
"profile",
"groups",
"email",
"phone"
],
"subject_types_supported": [
"public"
],
"token_endpoint": "https://openid-connect.onelogin.com/oidc/token",
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"userinfo_endpoint": "https://openid-connect.onelogin.com/oidc/me",
"userinfo_signing_alg_values_supported": [],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"introspection_endpoint": "https://openid-connect.onelogin.com/oidc/token/introspection",
"introspection_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"revocation_endpoint": "https://openid-connect.onelogin.com/oidc/token/revocation",
"revocation_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"claim_types_supported": [
"normal"
]
}
Response Elements
acr_values_supported |
The Authentication Context Class Reference values that are supported. If onelogin:nist:level:1:re-auth is supplied in the acr_values parameter re-authentication will be forced regardless of current session state and this value will be returned in the acr claim. |
authorization_endpoint |
The Open ID provider server endpoint where the user is asked to authenticate and grant the client app access to the user’s identity (ID token) and potentially other requested details, such as email and name (called UserInfo claims). This URL plus client ID, redirect URI, response type, etc., makes up the Request URI. We recommend that you can use the prebuilt Request URI Example provided on the SSO tab in the OneLogin app editor. |
claims_supported |
The OpenID Connect claims (user attributes that can be provided to the client app by the IdP) supported by OneLogin. |
grant_types_supported |
The OAuth 2.0 grant types supported by OneLogin. |
id_token_signing_alg_values_supported |
The signing algorithms supported for ID tokens. |
issuer |
The base URL of the OneLogin OpenID Connect server. |
jwks_uri |
The URI of the JWK Set that contains the public keys used to verify the authenticity of the JWT tokens passed between OneLogin and the client app. Note that we cycle these public keys on a quarterly basis, and we therefore do not recommend that you cache them. |
scopes_supported |
The OpenID Connect scopes (request types) supported by OneLogin. For example, the scope openID indicates a request for OpenID authentication and ID token. The scope profile indicates a request for user details, or claims. |
token_endpoint |
The token endpoint authenticates the client app, then lets it exchange the code received from the authorization endpoint for an ID token and access token. |
introspection_endpoint |
The token introspection endpoint enables the client to validate the JWT access token. |
revocation_endpoint |
The token revocation endpoint takes requests to revoke specified tokens when they are no longer needed. |
userinfo_endpoint |
The userinfo endpoint returns previously consented user profile information to the client app. |
Postman Collection
- Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.
Have a Question?
Found a problem or a bug? Submit a support ticket.
Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.
Have a product idea or request? Share it with us in our Ideas Portal.