
OpenID Configuration JSON

OpenID configuration may be specified as JSON either in the application's appsettings.json or in a separate JSON file (e.g. openid-config.json).

The following example shows an OpenIDProvider section containing the outline of a configuration.

{
  "OpenIDProvider": {
    "Configurations": [
    ]
  }
}

The following code adds the OpenID services and specifies the name of the OpenID configuration section.

// Register the OpenID provider services, binding them to the
// "OpenIDProvider" section of the application's configuration.
var openIdSection = builder.Configuration.GetSection("OpenIDProvider");
builder.Services.AddOpenIDProvider(openIdSection);

Example Configuration

The following example configures an OpenID Provider and a single client. The client secret and PFX password shown are example values only.

"OpenIDProvider": {
  "$schema": "https://www.componentspace.com/schemas/openid-config-schema-v1.0.json",
  "Configurations": [
    {
      "ProviderConfiguration": {
        "ProviderMetadata": {
          "Issuer": "https://localhost:44311",
          "AuthorizationEndpoint": "/openid/authorize",
          "TokenEndpoint": "/openid/token",
          "UserinfoEndpoint": "/openid/userinfo",
          "JwksUri": "/openid/keys",
          "EndSessionEndpoint": "/openid/logout",
          "IntrospectionEndpoint": "/openid/introspect",
          "ScopesSupported": [ "openid", "profile" ],
          "ResponseTypesSupported": [ "code", "id_token", "id_token token", "code id_token", "code token", "code id_token token" ],
          "ResponseModesSupported": [ "query", "fragment", "form_post" ],
          "GrantTypesSupported": [ "authorization_code", "implicit", "refresh_token", "client_credentials", "password" ],
          "SubjectTypesSupported": [ "public" ],
          "IdTokenSigningAlgValuesSupported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512" ],
          "IdTokenEncryptionAlgValuesSupported": [ "A128KW", "A192KW", "A256KW", "dir", "RSA1_5", "RSA-OAEP" ],
          "IdTokenEncryptionEncValuesSupported": [ "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ],
          "UserinfoSigningAlgValuesSupported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512" ],
          "UserinfoEncryptionAlgValuesSupported": [ "A128KW", "A192KW", "A256KW", "dir", "RSA1_5", "RSA-OAEP" ],
          "UserinfoEncryptionEncValuesSupported": [ "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ],
          "RequestObjectSigningAlgValuesSupported": [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512" ],
          "RequestObjectEncryptionAlgValuesSupported": [ "A128KW", "A192KW", "A256KW", "dir", "RSA1_5", "RSA-OAEP" ],
          "RequestObjectEncryptionEncValuesSupported": [ "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ],
          "TokenEndpointAuthMethodsSupported": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" ],
          "TokenEndpointAuthSigningAlgValuesSupported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512" ],
          "IntrospectionEndpointAuthMethodsSupported": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" ],
          "IntrospectionEndpointAuthSigningAlgValuesSupported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512" ],
          "DisplayValuesSupported": [ "page", "popup", "touch", "wap" ],
          "ClaimsSupported": [ "amr", "aud", "email", "exp", "family_name", "given_name", "iat", "idp", "iss", "jti", "middle_name", "name", "nbf", "nonce", "preferred_username", "sub", "ver" ],
          "CodeChallengeMethodsSupported": [ "plain", "S256" ],
          "ClaimsParameterSupported": true,
          "RequestParameterSupported": true,
          "RequestUriParameterSupported": true
        },
        "ProviderCertificates": [
          {
            "FileName": "certificates/op.pfx",
            "Password": "password"
          }
        ]
      },

      "ClientConfigurations": [
        {
          "Description": "Example OpenID Client",
          "ClientID": "wLpJpHADUqEmmAltrZX87yUMz8lgweWs",
          "ClientSecret": "P41HXh7SptRM6rV4xjgdVmUkXssibunr",
          "RedirectUris": [
            "https://localhost:44389/signin-oidc"
          ],
          "PostLogoutRedirectUris": [
            "https://localhost:44389/signout-callback-oidc"
          ],
          "ClientCertificates": [
            {
              "FileName": "certificates/client.cer"
            }
          ]
        }
      ]
    }
  ]
},

JSON Schema

The JSON schema may be used to enable Visual Studio IntelliSense when editing the OpenID configuration.

The following example specifies the schema associated with the OpenIDProvider configuration.

{
  "OpenIDProvider": {
    "$schema": "https://www.componentspace.com/schemas/openid-config-schema-v1.0.json",
    "Configurations": [
    ]
  }
}

Note

Schema validation of the OpenID configuration is not performed at runtime; configuration errors are reported only when the configuration is loaded or used.