
Provider Configuration


If your app supports self-discovery using provider metadata endpoints, this is where it can find all the details of OneLogin’s OpenID Connect implementation for this connector, including supported claims, grant types, and JSON Web Key (JWK) signing and encryption information.

You should inspect this document carefully to identify the particulars of the OneLogin implementation.

Note in particular the claims_supported and scopes_supported values, which may differ from other OpenID Connect implementations.

The link to the provider configuration endpoint can also be accessed by clicking on the OpenID Provider Configuration Information link on the SSO tab for your app connection in OneLogin.

Resource URL

https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration

Resource Parameter

subdomain (required, string)

Set to the subdomain of your OneLogin instance, e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Sample Response

Here is a sample .well-known document, followed by an explanation of the primary objects provided in the document:

{
  "acr_values_supported": [
    "onelogin:nist:level:1:re-auth"
  ],
  "authorization_endpoint": "https://acme.onelogin.com/oidc/2/auth",
  "claims_parameter_supported": true,
  "claims_supported": [
    "acr",
    "auth_time",
    "company",
    "custom_fields",
    "department",
    "email",
    "family_name",
    "given_name",
    "groups",
    "iss",
    "locale_code",
    "name",
    "phone_number",
    "preferred_username",
    "sub",
    "title",
    "updated_at"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "issuer": "https://acme.onelogin.com/oidc/2",
  "jwks_uri": "https://acme.onelogin.com/oidc/2/certs",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "response_modes_supported": [
    "form_post",
    "fragment",
    "query"
  ],
  "response_types_supported": [
    "code",
    "id_token token",
    "id_token"
  ],
  "scopes_supported": [
    "openid",
    "name",
    "profile",
    "groups",
    "email",
    "phone"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://acme.onelogin.com/oidc/2/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "userinfo_endpoint": "https://acme.onelogin.com/oidc/2/me",
  "userinfo_signing_alg_values_supported": [],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "introspection_endpoint": "https://acme.onelogin.com/oidc/2/token/introspection",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "revocation_endpoint": "https://acme.onelogin.com/oidc/2/token/revocation",
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "claim_types_supported": [
    "normal"
  ]
}

Response Elements

acr_values_supported The Authentication Context Class Reference values that are supported.

If onelogin:nist:level:1:re-auth is supplied in the acr_values parameter, re-authentication will be forced regardless of current session state and this value will be returned in the acr claim.

authorization_endpoint The OpenID provider server endpoint where the user is asked to authenticate and grant the client app access to the user’s identity (ID token) and potentially other requested details, such as email and name (called UserInfo claims). This URL plus client ID, redirect URI, response type, etc., makes up the Request URI. We recommend that you use the prebuilt Request URI Example provided on the SSO tab in the OneLogin app editor.
claims_supported The OpenID Connect claims (user attributes that can be provided to the client app by the IdP) supported by OneLogin.
grant_types_supported The OAuth 2.0 grant types supported by OneLogin.
id_token_signing_alg_values_supported The signing algorithms supported for ID tokens.
issuer The base URL of the OneLogin OpenID Connect server.
jwks_uri The URI of the JWK Set that contains the public keys used to verify the authenticity of the JWT tokens passed between OneLogin and the client app. Note that we cycle these public keys on a quarterly basis, and we therefore do not recommend that you cache them.
scopes_supported The OpenID Connect scopes (request types) supported by OneLogin. For example, the scope openid indicates a request for OpenID authentication and an ID token. The scope profile indicates a request for user details, or claims.
token_endpoint The token endpoint authenticates the client app, then lets it exchange the code received from the authorization endpoint for an ID token and access token.
introspection_endpoint The token introspection endpoint enables the client to validate the JWT access token.
revocation_endpoint The token revocation endpoint takes requests to revoke specified tokens when they are no longer needed.
userinfo_endpoint The userinfo endpoint returns previously consented user profile information to the client app.
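
Added example (not OneLogin's code): a client-side check of the provider configuration that pins the issuer, endpoints, RS256 and PKCE S256 before the client uses the document. The function name, the same-host rule for endpoints and the embedded document (a constructed subset of the sample response above) are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Constructed input: a subset of the sample response shown on this page.
SAMPLE_DOC = json.loads("""{
  "issuer": "https://acme.onelogin.com/oidc/2",
  "authorization_endpoint": "https://acme.onelogin.com/oidc/2/auth",
  "token_endpoint": "https://acme.onelogin.com/oidc/2/token",
  "jwks_uri": "https://acme.onelogin.com/oidc/2/certs",
  "id_token_signing_alg_values_supported": ["RS256"],
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password"],
  "scopes_supported": ["openid", "name", "profile", "groups", "email", "phone"],
  "code_challenge_methods_supported": ["plain", "S256"]
}""")

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_provider_config(doc, subdomain, wanted_scopes):
    """Return (errors, settings): reasons to refuse doc, and what the client pins."""
    errors = []
    expected_issuer = f"https://{subdomain}.onelogin.com/oidc/2"
    # OIDC Discovery: issuer must be identical to the URL the document was fetched under.
    if doc.get("issuer") != expected_issuer:
        errors.append(f"issuer mismatch: {doc.get('issuer')!r}")
    host = urlparse(expected_issuer).hostname
    for key in ENDPOINT_KEYS:  # assumption: endpoints share the issuer host, as in the sample
        url = urlparse(str(doc.get(key) or ""))
        if url.scheme != "https" or url.hostname != host:
            errors.append(f"{key} is not https on {host}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        errors.append("RS256 not offered for ID tokens")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        errors.append("PKCE S256 not offered")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        errors.append("authorization_code grant not offered")
    missing = sorted(set(wanted_scopes) - set(doc.get("scopes_supported", [])))
    if missing:
        errors.append(f"unsupported scopes: {missing}")
    settings = {
        "issuer": expected_issuer,
        "id_token_algs": ["RS256"],       # pin; never take alg from the token header
        "code_challenge_method": "S256",  # provider also lists "plain"; do not use it
        "grant_type": "authorization_code",
        "scope": " ".join(wanted_scopes),
    }
    return errors, settings
```
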

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the OpenId Connect API

