What is OAuth 2.0 Authorization Server Metadata?
OAuth 2.0 Authorization Server Metadata is a standardized format defined in RFC 8414 that enables OAuth 2.0 clients to automatically discover and obtain information needed to interact with OAuth 2.0 authorization servers.
This includes essential information such as endpoint locations, supported features, and server capabilities.
The metadata format provides a machine-readable configuration document that helps streamline the integration process between clients and authorization servers, reducing the need for manual configuration.
How does OAuth 2.0 Authorization Server Metadata work?
In the OAuth 2.0 ecosystem, there are several key roles:
- Authorization server: Issues access tokens to clients after successfully authenticating the resource owner
- Client: Application requesting access to protected resources
- Resource owner: Entity capable of granting access to protected resources
- Resource server: Server hosting protected resources
The Authorization Server Metadata provides a standardized way for clients to discover and understand how to interact with the authorization server. Here’s how it works:
- The client knows or discovers the authorization server’s issuer URL
- The client constructs the metadata URL by appending /.well-known/oauth-authorization-server to the issuer URL
- The client retrieves the metadata document containing server configuration
- The client uses the retrieved metadata (endpoints, supported features, etc.) to properly configure itself and interact with the authorization server
For example, if the issuer URL is https://auth.example.com, the metadata would be available at:
https://auth.example.com/.well-known/oauth-authorization-server
The metadata document includes important information such as:
- issuer: The authorization server’s identifier
- authorization_endpoint: The authorization endpoint URL
- token_endpoint: The token endpoint URL
- scopes_supported: Available scopes
- response_types_supported: Supported response types
- token_endpoint_auth_methods_supported: Supported client authentication methods
For a complete list of metadata fields, please refer to RFC 8414 Section 2.
With these metadata values, clients can automatically configure and execute the OAuth 2.0 flow:
- Initial setup:
  - Client validates that the issuer matches the expected authorization server
  - Client checks response_types_supported to ensure its flow type (e.g., code) is supported
- Authorization request:
  - Client uses authorization_endpoint to construct the authorization URL
  - Client selects appropriate scopes from scopes_supported based on its needs
  - Example: https://auth.example.com/authorize?response_type=code&scope=profile email
- Token exchange:
  - After receiving the authorization code, client uses token_endpoint for token exchange
  - Client checks token_endpoint_auth_methods_supported to determine how to authenticate (e.g., client_secret_basic)
  - Example: Send a POST request to the token endpoint with client credentials and the authorization code
This basic flow helps clients automatically configure themselves and interact with the authorization server without manual endpoint configuration or trial-and-error scope selection.
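The client-side half of this flow as an added example (not code from the original page): it builds the metadata URL, runs the initial-setup checks against a fetched document, and assembles the authorization request from what the server advertises. URL construction follows RFC 8414 Section 3, which places the well-known segment before any issuer path component (for a path-less issuer such as https://auth.example.com this is plain appending); the metadata document, client id, redirect URI and state value are constructed sample values.

```python
from urllib.parse import urlencode, urlparse, urlunparse

WELL_KNOWN = "/.well-known/oauth-authorization-server"

def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: the well-known segment is inserted between the
    host and any issuer path component (plain appending when there is none)."""
    p = urlparse(issuer)
    if p.scheme != "https" or p.query or p.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return urlunparse((p.scheme, p.netloc, WELL_KNOWN + p.path.rstrip("/"), "", "", ""))

def validate_metadata(doc: dict, expected_issuer: str,
                      response_type: str, auth_method: str) -> dict:
    """The initial-setup checks from the flow above, applied to a fetched document."""
    if doc.get("issuer") != expected_issuer:  # a mismatch means the document is not ours
        raise ValueError("issuer mismatch: %r" % doc.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint"):
        if urlparse(doc.get(key, "")).scheme != "https":
            raise ValueError(f"{key} missing or not https")
    if response_type not in doc.get("response_types_supported", []):
        raise ValueError(f"response_type {response_type!r} not supported")
    # RFC 8414 defines client_secret_basic as the default when the field is absent.
    if auth_method not in doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]):
        raise ValueError(f"auth method {auth_method!r} not supported")
    return {"authorize": doc["authorization_endpoint"], "token": doc["token_endpoint"],
            "scopes": doc.get("scopes_supported", [])}

def authorization_url(cfg: dict, client_id: str, redirect_uri: str,
                      wanted: list, state: str) -> str:
    """Build the authorization request, requesting only scopes the server advertises."""
    scopes = [s for s in wanted if s in cfg["scopes"]]
    if not scopes:
        raise ValueError("none of the requested scopes are supported")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return cfg["authorize"] + "?" + urlencode(params)  # urlencode encodes the space in scope

# Constructed sample document, standing in for the body fetched from metadata_url().
SAMPLE_METADATA = {
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/authorize",
    "token_endpoint": "https://auth.example.com/token",
    "scopes_supported": ["profile", "email"],
    "response_types_supported": ["code"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
}
```

Fetching the document over HTTPS and parsing its JSON body is left to the caller; validate_metadata() is the gate between that fetch and any use of the endpoints.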
What is the difference between OAuth 2.0 Authorization Server Metadata and OpenID Connect Discovery?
The main differences are:
- Scope and Purpose:
  - OAuth 2.0 Authorization Server Metadata focuses specifically on OAuth 2.0 protocol configuration
  - OpenID Connect (OIDC) Discovery includes additional parameters for identity-related features, such as:
    - userinfo_endpoint: Endpoint for retrieving user information
    - id_token_signing_alg_values_supported: Supported signing algorithms for ID Tokens
    - claims_supported: Available user claims that can be returned in the ID Token or from the UserInfo Endpoint
  - Supports the openid scope for authentication
  - Includes hybrid flow response types (e.g., code id_token, code id_token token)
- Metadata Endpoint:
  - OAuth 2.0 uses /.well-known/oauth-authorization-server
  - OpenID Connect uses /.well-known/openid-configuration
Does OAuth 2.0 Authorization Server Metadata comply with OpenID Connect Discovery?
Yes, OAuth 2.0 Authorization Server Metadata is compatible with OpenID Connect (OIDC) Discovery.
The OAuth 2.0 metadata specification (RFC 8414) was inspired by OpenID Connect Discovery 1.0, which was already widely adopted in practice.
Key points about compliance:
- The metadata format follows the same JSON structure
- Authorization servers can support both endpoints simultaneously
- OpenID Providers typically expose both endpoints for backward compatibility
- The OAuth 2.0 metadata can be extended with OpenID Connect-specific fields when needed
This compatibility ensures that authorization servers can serve both pure OAuth 2.0 clients and OpenID Connect relying parties without conflicts.