OIDC Discovery support?

[mikebryant]

Instead of setting all the URLs individually, can we use OIDC discovery?

e.g. specify server url and then use /.well-known/openid-configuration

[mikebryant]

https://openid.net/specs/openid-connect-discovery-1_0.html

[bnfinet]

Seems like a good idea. There's certainly broad support...

• auth0 [1] https://YOUR_AUTH0_DOMAIN/.well-known/openid-configuration
• keycloak [2] /auth/realms/{realm-name}/.well-known/openid-configuration
• okta [3] https://{yourOktaDomain}/oauth2/${authServerId}/.well-known/openid-configuration
• https://accounts.google.com/.well-known/openid-configuration
• https://login.salesforce.com/.well-known/openid-configuration

though not Github of Github Enterprise
https://stackoverflow.com/questions/52157568/what-is-github-well-known-openid-configuration-url

I'd probably use the coreos/go-oidc library which assumes /.well-known/openid-configuration [4]

Is that a safe assumption? Even though its part of the spec would you want to override it? I suppose if you're overriding the spec you're fine with setting the endpoints manually.

[1] https://auth0.com/docs/protocols/oidc/openid-connect-discovery
[2] https://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/oidc.html
[3] https://developer.okta.com/docs/api/resources/oidc#well-knownopenid-configuration
[4] https://github.com/coreos/go-oidc/blob/8ae1da518bd4d9d5a5909090a184af30f336436d/oidc.go#L92-L97

[big-kahuna-burger]

It's not overriding the spec.
Its just using 1 endpoint to get what is configured with 3 values in config instead. Less error prone.

[rhansen]

Also: https://gitlab.com/.well-known/openid-configuration
(documentation)