Why no userinfo endpoint in (.well-known) auth server metadata?

Hello!

I have a client (Nokia Kong oidc plugin) which relies on the userinfo endpont being present in the .well-known metadata for the auth server.

But it’s not there! Any ideas why?

This is what I do see (with some obfuscation):

url:
https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357/.well-known/oauth-authorization-server

response:
{
“issuer”:“xxxxx”,
“authorization_endpoint”:“xxxx”,
“token_endpoint”:“xxxxx”,
“registration_endpoint”:“xxxxx”,
“jwks_uri”:“xxxxx”,
“response_types_supported”:[
“code”,
“token”,
“id_token”,
“code id_token”,
“code token”,
“id_token token”,
“code id_token token”
],
“response_modes_supported”:[
“query”,
“fragment”,
“form_post”,
“okta_post_message”
],
“grant_types_supported”:[
“authorization_code”,
“implicit”,
“refresh_token”,
“password”,
“client_credentials”
],
“subject_types_supported”:[
“public”
],
“scopes_supported”:[
“test”,
“openid”,
“profile”,
“email”,
“address”,
“phone”,
“offline_access”
],
“token_endpoint_auth_methods_supported”:[
“client_secret_basic”,
“client_secret_post”,
“client_secret_jwt”,
“private_key_jwt”,
“none”
],
“claims_supported”:[
“ver”,
“jti”,
“iss”,
“aud”,
“iat”,
“exp”,
“cid”,
“uid”,
“scp”,
“sub”
],
“code_challenge_methods_supported”:[
“S256”
],
“introspection_endpoint”:“https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357/v1/introspect”,
“introspection_endpoint_auth_methods_supported”:[
“client_secret_basic”,
“client_secret_post”,
“client_secret_jwt”,
“private_key_jwt”,
“none”
],
“revocation_endpoint”:“https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357/v1/revoke”,
“revocation_endpoint_auth_methods_supported”:[
“client_secret_basic”,
“client_secret_post”,
“client_secret_jwt”,
“private_key_jwt”,
“none”
],
“end_session_endpoint”:“https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357/v1/logout”,
“request_parameter_supported”:true,
“request_object_signing_alg_values_supported”:[
“HS256”,
“HS384”,
“HS512”,
“RS256”,
“RS384”,
“RS512”,
“ES256”,
“ES384”,
“ES512”
]
}

The path to the /userinfo endpoint is not included in the OAuth Authorization Server Metadata (though required endpoints for OAuth are present there, per RFC 8414 - OAuth 2.0 Authorization Server Metadata), but, as /userinfo is a required endpoint for OpenID (see spec here: Final: OpenID Connect Discovery 1.0 incorporating errata set 1) it is available in the OpenID Connect discovery endpoint.

To imitate your dummy url above, the path to get to this looks something like this: https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357/.well-known/openid-configuration

That did the trick! Thank you for the super-quick response!

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.