OpenID Configuration¶

The OpenID Configuration endpoint provides discovery metadata for the DIP OpenID Provider, following the OpenID Connect Discovery 1.0 specification.

Endpoint¶

GET /.well-known/openid-configuration

Response¶

The endpoint returns a JSON object containing the OpenID Provider metadata.

Response Headers¶

Header	Value
`Content-Type`	`application/json`
`Cache-Control`	`public, max-age=86400`

Response Body¶

{
  "issuer": "https://{dip-base-url}",
  "authorization_endpoint": "https://{dip-base-url}/authorize",
  "token_endpoint": "https://{dip-base-url}/token",
  "jwks_uri": "https://{dip-base-url}/jwks",
  "pushed_authorization_request_endpoint": "https://{dip-base-url}/par",
  "scopes_supported": ["openid"],
  "response_types_supported": ["code"],
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["ES256"],
  "id_token_encryption_alg_values_supported": ["RSA-OAEP-256"],
  "id_token_encryption_enc_values_supported": ["A256GCM"],
  "claims_supported": [
    "sub",
    "iss",
    "aud",
    "iat",
    "exp",
    "auth_time",
    "nonce",
    "acr",
    "amr",
    "azp",
    "verified_claims"
  ],
  "acr_values_supported": ["urn:bankid:idcheck"],
  "token_endpoint_auth_methods_supported": ["private_key_jwt"],
  "require_pushed_authorization_requests": true,
  "require_signed_request_object": true,
  "request_parameter_supported": true,
  "request_uri_parameter_supported": false,
  "claims_parameter_supported": true,
  "claim_types_supported": ["normal"],
  "verified_claims_supported": true,
  "trust_frameworks_supported": ["stoe", "stoe_etsi"],
  "evidence_supported": ["document", "electronic_record"],
  "electronic_records_supported": ["population_register"],
  "claims_in_verified_claims_supported": [
    "name",
    "given_name",
    "family_name",
    "picture",
    "gender",
    "birthdate",
    "nationalities"
  ],
  "documents_supported": ["idcard", "passport"],
  "documents_check_methods_supported": ["bvr"]
}

Configuration Fields¶

Core Endpoints¶

Field	Description
`issuer`	The OpenID Provider's issuer identifier. This value is used in ID token validation.
`authorization_endpoint`	URL for initiating user authentication (not used directly - use PAR flow).
`token_endpoint`	URL for exchanging authorization codes for tokens.
`jwks_uri`	URL for retrieving the provider's public keys for signature verification.
`pushed_authorization_request_endpoint`	URL for the PAR endpoint (RFC 9126).

Supported Features¶

Field	Description
`scopes_supported`	Supported OAuth 2.0 scopes. DIP supports `openid`.
`response_types_supported`	Supported response types. DIP uses the authorization code flow (`code`).
`subject_types_supported`	Subject identifier types. DIP uses `pairwise` subjects.
`acr_values_supported`	Supported Authentication Context Class References.

Token Configuration¶

Field	Description
`id_token_signing_alg_values_supported`	Algorithms for signing ID tokens. DIP uses `ES256`.
`id_token_encryption_alg_values_supported`	Key encryption algorithms. DIP uses `RSA-OAEP-256`.
`id_token_encryption_enc_values_supported`	Content encryption algorithms. DIP uses `A256GCM`.

Claims¶

Field	Description
`claims_supported`	Claims that can be returned in ID tokens.
`claim_types_supported`	Types of claim delivery supported. DIP uses `normal` (claims returned directly in the token).
`claims_parameter_supported`	Whether the `claims` parameter is supported in requests.

Authentication¶

Field	Description
`token_endpoint_auth_methods_supported`	Supported client authentication methods. DIP requires `private_key_jwt`.

Request Handling¶

Field	Description
`require_pushed_authorization_requests`	Whether PAR is required. DIP requires PAR (`true`).
`require_signed_request_object`	Whether request objects must be signed. DIP requires signed request objects (`true`).
`request_parameter_supported`	Whether JWT request objects are supported.
`request_uri_parameter_supported`	Whether request URIs from PAR are supported. Set to `false`.

Identity Assurance (OIDC4IDA)¶

Field	Description
`verified_claims_supported`	Whether verified claims (OIDC4IDA) are supported.
`trust_frameworks_supported`	Supported trust frameworks for identity verification.
`evidence_supported`	Supported evidence types (`document`, `electronic_record`).
`electronic_records_supported`	Supported electronic record types (`population_register`).
`claims_in_verified_claims_supported`	Claims available within `verified_claims` (e.g. `name`, `given_name`, `family_name`, `birthdate`).
`documents_supported`	Supported identity document types (`idcard`, `passport`).
`documents_check_methods_supported`	Supported document verification methods (`bvr`).

Notes¶

PAR is required - direct authorization endpoint calls are not supported
ID tokens are always encrypted (JWE containing signed JWT)
Client authentication must use private_key_jwt with supported algorithms (ES256, PS256, EdDSA)
DIP supports OpenID Connect for Identity Assurance (OIDC4IDA) for verified identity claims