Is userinfo_endpoint available in OAuth authorization server

I have a tenant with configuration as /oauth2/default/.well-known/oauth-authorization-server. But it does not contain a userinfo_endpoint. Is there a way to enable the same as it would be available in openid configuration? Or is there a corresponding endpoint available which can give a similar information response?

check {{authZ}}/.well-known/openid-configuration

Thanks for the response. My configuration looks like the below, which doesn't contain userinfo_endpoint, and the configuration endpoint is hosted at https://company.com/oauth2/default/.well-known/oauth-authorization-server

{"issuer":"https://company.com/oauth2/default","authorization_endpoint":"https://company.com/oauth2/default/v1/authorize","token_endpoint":"https://company.com/oauth2/default/v1/token","registration_endpoint":"https://company.com/oauth2/v1/clients","jwks_uri":"https://company.com/oauth2/default/v1/keys","response_types_supported":["code","token","id_token","code id_token","code token","id_token token","code id_token token"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code"],"subject_types_supported":["public"],"scopes_supported":["AD-Groups","CAF_AssociateSSO","myCustom","myHalo_AssociateSSO","NGDigitalImaging","okta.myAccount.appAuthenticator.maintenance.manage","okta.myAccount.appAuthenticator.maintenance.read","okta.myAccount.appAuthenticator.manage","okta.myAccount.appAuthenticator.read","okta.myAccount.email.manage","okta.myAccount.email.read","okta.myAccount.manage","okta.myAccount.phone.manage","okta.myAccount.phone.read","okta.myAccount.profile.manage","okta.myAccount.profile.read","okta.myAccount.read","PDFConvert","Savvy_AssociateSSO","openid","profile","email","address","phone","offline_access","device_sso"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["ver","jti","iss","aud","iat","exp","cid","uid","scp","sub"],"code_challenge_methods_supported":["S256"],"introspection_endpoint":"https://company.com/oauth2/default/v1/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"revocation_endpoint":"https://company.com/oauth2/default/v1/revoke","revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"end_session_endpoint":"https://company.com/oauth2/default/v1/logout","request_parameter_supported":true,"request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"device_authorization_endpoint":"https://company.com/oauth2/default/v1/device/authorize","pushed_authorization_request_endpoint":"https://company.com/oauth2/default/v1/par"}

If you could please figure out how to get the user info off this.

Thanks.

What I’m saying - you need to check a different endpoint, the one which I shared in the previous post. The one you are checking does not have userinfo because it’s an OIDC endpoint and you are checking just generic OAuth metadata.

Like @phi1ipp says, the /.well-known/oauth-authorization-server discovery endpoint is not designed to return information about OpenID Connect specific endpoints, like Userinfo, where OpenID Connect is a spec built on top of OAuth.

Information returned by the OAuth discovery endpoint is defined in the OAuth spec here: RFC 8414 - OAuth 2.0 Authorization Server Metadata
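The lookup the replies describe, as an added example that is not part of the original thread: a client reads `userinfo_endpoint` from the OpenID Connect discovery document rather than the OAuth metadata, and checks the document's `issuer` and the endpoint scheme before trusting it. The sample metadata is constructed (trimmed from the document posted above), and the `/v1/userinfo` URL in it is an assumed value.

```python
import json
import urllib.request
from urllib.parse import urlsplit

OAUTH_WELL_KNOWN = "/.well-known/oauth-authorization-server"
OIDC_WELL_KNOWN = "/.well-known/openid-configuration"

def discovery_urls(issuer):
    """Both metadata URLs, with the suffix appended to the issuer as in the thread."""
    base = issuer.rstrip("/")
    return {"oauth": base + OAUTH_WELL_KNOWN, "oidc": base + OIDC_WELL_KNOWN}

def http_fetch(url):
    """Live fetch; pass this as `fetch` when running against a real tenant."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def resolve_userinfo(issuer, fetch=http_fetch):
    """Return userinfo_endpoint from the OIDC document after validating it."""
    meta = fetch(discovery_urls(issuer)["oidc"])
    # The issuer in the document must equal the issuer we asked about;
    # otherwise every endpoint in it is untrusted.
    if meta.get("issuer") != issuer:
        raise ValueError("issuer mismatch in discovery document")
    endpoint = meta.get("userinfo_endpoint")
    if endpoint is None:
        raise LookupError("no userinfo_endpoint advertised")
    # Access tokens are sent to this URL, so refuse cleartext transport.
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("userinfo_endpoint must use https")
    return endpoint

def oidc_only_keys(oauth_meta, oidc_meta):
    """Metadata keys present only in the OIDC document."""
    return sorted(set(oidc_meta) - set(oauth_meta))

# Constructed sample metadata; the userinfo URL is an assumed value.
ISSUER = "https://company.com/oauth2/default"
COMMON = {"issuer": ISSUER, "token_endpoint": ISSUER + "/v1/token",
          "jwks_uri": ISSUER + "/v1/keys"}
SAMPLE = {
    ISSUER + OAUTH_WELL_KNOWN: dict(COMMON),
    ISSUER + OIDC_WELL_KNOWN: dict(COMMON, userinfo_endpoint=ISSUER + "/v1/userinfo"),
}

if __name__ == "__main__":
    print(resolve_userinfo(ISSUER, SAMPLE.__getitem__))
```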