Why no userinfo endpoint in (.well-known) auth server metadata?

Hello!

I have a client (Nokia Kong oidc plugin) which relies on the userinfo endpoint being present in the .well-known metadata for the auth server.

But it’s not there! Any ideas why?

This is what I do see (with some obfuscation):

url:
https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357/.well-known/oauth-authorization-server

response:
{
  "issuer": "xxxxx",
  "authorization_endpoint": "xxxx",
  "token_endpoint": "xxxxx",
  "registration_endpoint": "xxxxx",
  "jwks_uri": "xxxxx",
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code id_token",
    "code token",
    "id_token token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post",
    "okta_post_message"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials"
  ],
  "subject_types_supported": [
    "public"
  ],
  "scopes_supported": [
    "test",
    "openid",
    "profile",
    "email",
    "address",
    "phone",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "claims_supported": [
    "ver",
    "jti",
    "iss",
    "aud",
    "iat",
    "exp",
    "cid",
    "uid",
    "scp",
    "sub"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "introspection_endpoint": "https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357/v1/introspect",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "revocation_endpoint": "https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357/v1/revoke",
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "end_session_endpoint": "https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357/v1/logout",
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
  ]
}

The path to the /userinfo endpoint is not included in the OAuth Authorization Server Metadata (though required endpoints for OAuth are present there, per https://tools.ietf.org/html/rfc8414#section-2), but, as /userinfo is a required endpoint for OpenID (see spec here: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) it is available in the OpenID Connect discovery endpoint.

To imitate your dummy url above, the path to get to this looks something like this: https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357/.well-known/openid-configuration

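The point of the answer above, as an added example that is not from this thread or from Okta: a client that reads only /.well-known/oauth-authorization-server never sees userinfo_endpoint, while /.well-known/openid-configuration for the same issuer carries it. The fetch function is injected and the two metadata documents are constructed inline (trimmed to the relevant keys, with the placeholder host and server id from the post), so it runs offline; it also applies the issuer check that RFC 8414 and OIDC Discovery require before a client trusts a discovery document.

```python
import json
from typing import Callable, Optional
from urllib.parse import urlsplit

# Placeholder issuer copied from the thread (obfuscated Okta custom auth server).
ISSUER = "https://dev-xxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxv357"

# Constructed sample metadata: the OAuth document has no userinfo_endpoint,
# the OpenID Connect document does.
OAUTH_METADATA = {"issuer": ISSUER, "token_endpoint": ISSUER + "/v1/token"}
OIDC_METADATA = {"issuer": ISSUER, "token_endpoint": ISSUER + "/v1/token",
                 "userinfo_endpoint": ISSUER + "/v1/userinfo"}
FAKE_SERVER = {
    ISSUER + "/.well-known/oauth-authorization-server": json.dumps(OAUTH_METADATA),
    ISSUER + "/.well-known/openid-configuration": json.dumps(OIDC_METADATA),
}


def fake_fetch(url: str) -> str:
    """Stand-in for an HTTPS GET that returns the constructed document for url."""
    return FAKE_SERVER[url]


def userinfo_endpoint(issuer: str, fetch: Callable[[str], str] = fake_fetch,
                      doc: str = "openid-configuration") -> Optional[str]:
    """Return userinfo_endpoint from the chosen well-known document, or None.

    Raises ValueError if the document's issuer does not match the issuer the
    client asked for, so a substituted or mis-served document is never trusted,
    or if the endpoint is not served over https.
    """
    metadata = json.loads(fetch(issuer.rstrip("/") + "/.well-known/" + doc))
    if metadata.get("issuer") != issuer:
        raise ValueError("issuer mismatch: %r" % metadata.get("issuer"))
    endpoint = metadata.get("userinfo_endpoint")
    if endpoint is not None and urlsplit(endpoint).scheme != "https":
        raise ValueError("userinfo_endpoint must use https")
    return endpoint


if __name__ == "__main__":
    # The Kong plugin's lookup fails here (None) and succeeds on the OIDC document.
    print(userinfo_endpoint(ISSUER, doc="oauth-authorization-server"))
    print(userinfo_endpoint(ISSUER))
```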

That did the trick! Thank you for the super-quick response!