Configuration Reference

OpenID Connect Discovery

Oten IDP provides OpenID Connect Discovery endpoints that automatically provide all configuration information your application needs. This is the recommended way to get configuration details.

Discovery Endpoints

Production Environment

Discovery URL: https://account.oten.com/.well-known/openid-configuration

Sandbox Environment

Discovery URL: https://account.sbx.oten.dev/.well-known/openid-configuration

How to Use Discovery

Instead of hardcoding endpoints, fetch configuration dynamically:

// Fetch configuration automatically
async function getOIDCConfiguration(environment = 'production') {
  const discoveryUrl = environment === 'production'
    ? 'https://account.oten.com/.well-known/openid-configuration'
    : 'https://account.sbx.oten.dev/.well-known/openid-configuration';

  const response = await fetch(discoveryUrl);
  const config = await response.json();

  return {
    issuer: config.issuer,
    authorizationEndpoint: config.authorization_endpoint,
    tokenEndpoint: config.token_endpoint,
    jwksUri: config.jwks_uri,
    supportedScopes: config.scopes_supported,
    supportedResponseTypes: config.response_types_supported,
    supportedGrantTypes: config.grant_types_supported,
    supportedCodeChallengeMethods: config.code_challenge_methods_supported,
    supportedTokenAuthMethods: config.token_endpoint_auth_methods_supported,
    supportedClaims: config.claims_supported,
    supportedIdTokenSigningAlgs: config.id_token_signing_alg_values_supported
  };
}

// Usage example
const config = await getOIDCConfiguration('development');
console.log('Authorization Endpoint:', config.authorizationEndpoint);
console.log('Token Endpoint:', config.tokenEndpoint);
console.log('Supported Scopes:', config.supportedScopes);

🔧 Configuration Response Format

The discovery endpoint returns a JSON object with the following structure:

Configuration Parameters Explained

🌐 Manual Endpoint Configuration

If you prefer to configure endpoints manually (not recommended), here are the static endpoints:

Production Environment

Sandbox Environment

🛠️ Library-Specific Configuration Examples

Node.js with Passport.js

Python with Authlib

Java with Spring Security

React SPA with OIDC Client

.NET Core

🔄 Dynamic Configuration Loading

Environment-Aware Configuration

Official Contact Information

Support Channels

• Technical Support: [email protected]

Developer Resources

• Developer Portal: https://developer.oten.com (Coming Soon)

• API Documentation: https://docs.oten.com (Coming Soon)

• Status Page: https://status.oten.com (Coming Soon)

Rate Limits

Production Limits

• Authorization endpoint: 10 requests/minute per IP

• Token endpoint: 60 requests/minute per client

• Validation endpoint: 1000 requests/minute per client

• User Info endpoint: 100 requests/minute per token

Development Limits

• Authorization endpoint: 20 requests/minute per IP

• Token endpoint: 120 requests/minute per client

• Validation endpoint: 2000 requests/minute per client

• User Info endpoint: 200 requests/minute per token

🔐 Supported Algorithms and Methods

JAR Signing Algorithms

• HS256: HMAC with SHA-256 (uses client_secret)

• EdDSA: Edwards-curve Digital Signature with Ed25519

Token Signing Algorithms

• EdDSA: Edwards-curve Digital Signature (for ID tokens and access tokens)

PKCE Code Challenge Methods

• S256: SHA256 hash of code verifier (recommended)

• plain: Plain text code verifier (not recommended for production)

Client Authentication Methods

• client_secret_post: Client credentials in request body (default)

Supported Response Types

• code: Authorization code flow (only supported type)

Supported Grant Types

• authorization_code: Standard OAuth 2.0 authorization code flow

• refresh_token: Token refresh using refresh tokens

Supported Scopes and Claims

Available Scopes

Based on the discovery endpoint, Oten IDP currently supports:

• openid: Required for OpenID Connect flow - enables ID token issuance

• profile: Access to basic profile information (name, etc.)

• email: Access to user's email address

Available Claims

The following claims are available in ID tokens and UserInfo endpoint:

• sub: Subject identifier - unique user ID

• name: User's full name

• email: User's email address

Scope-to-Claims Mapping

Example Scope Requests

Future Scopes (Coming Soon)

Additional scopes may be added in future releases:

• phone: Phone number access

• offline_access: Refresh token capability

• workspace: Workspace information access

Testing and Validation

Validate Discovery Endpoint

Validate JWKS Endpoint

Configuration Validation Script

Health Check Script

Error Codes Reference

Complete Reference: See Error Codes Reference for comprehensive error documentation with troubleshooting guides.

Quick Error Reference

Most Common Errors:

Error Response Formats

Authorization Endpoint:

Token Endpoint:

Error Handling Guidelines

• Always validate state parameter in authorization callbacks

• Implement retry logic for server_error and temporarily_unavailable

• Don't retry for invalid_grant, invalid_client, or configuration errors

• Log detailed errors server-side for debugging

• Provide user-friendly messages based on error codes

Security-Enhanced Error Handling

JAR (JWT-Secured Authorization Request) Requirements:

• Either request OR request_uri parameter is REQUIRED

• Cannot provide both request and request_uri parameters simultaneously

• Missing request parameter results in invalid_request with message "Request parameter is required"

IP Address Validation (Client Credentials Grant):

• IP address validation is enforced when whitelist is configured

• Requests from non-whitelisted IPs receive invalid_client error

• Missing IP address triggers security warnings

Client Type Enforcement:

• Client credentials grant restricted to confidential clients only

• Public clients receive unauthorized_client error

• Client type validation occurs before credential verification

Related Documentation

• Error Codes Reference: Complete error documentation

• Common Errors: Step-by-step troubleshooting

• OAuth Error Handling: Implementation examples

Security Requirements

Mandatory Security Features

• PKCE: Required for all public clients, recommended for confidential clients

• JAR: Required for confidential clients only, forbidden for public clients

• HTTPS: Required for all endpoints (except localhost in development)

• State Parameter: Required to prevent CSRF attacks

Token Lifetimes

• Authorization Code: 10 minutes

• Access Token: 1 hour (configurable)

• Refresh Token: 30 days (configurable)

• ID Token: 1 hour

• JAR Token: 5 minutes maximum

Client Registration Requirements

Required Information

• Application name

• Application type (Web App, SPA, Mobile App, Server-to-Server)

• Redirect URIs (must be HTTPS except localhost)

• Required scopes

• JAR signing method (HS256 or EdDSA)

Optional Information

• Application description

• Application logo URL

• Terms of service URL

• Privacy policy URL

• JWKS URI (for EdDSA)