OpenID Connect Issuer Discovery

The Curity Token Service supports OpenID Connect Issuer Discovery, as defined by OpenID Connect Discovery 1.0 and by RFC 7033.

Issuer discovery is enabled per service role. A discovery WebFinger request hitting a node from a service role with issuer discovery enabled will only consider the token profiles with at least one endpoint active on that service role. If a token profile doesn’t have any active endpoint on the service role, then that token profile is ignored in the issuer search.

Issuer discovery is made by comparing the queried resource host name with the issuer URI host names of the considered token service profiles. If more than one issuer URI shares the same host name (e.g. https://example.org/issuer0 and https://example.org/issuer1), then a discovery query using that host name (e.g. acct:alice@example.org) will result in an error response with a 500 status code. To avoid this situation, make sure token service issuers have different host names when discovery is enabled.
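To make the matching rules concrete, the following is an added Python sketch (not Curity's code) of the lookup described above: profiles are filtered by service role, matched on issuer host name, and a host shared by several issuers yields a 500. The profile layout, the role names and the 404 for an unmatched host (the RFC 7033 behaviour for an unknown resource) are assumptions; the `rel` value is the one OpenID Connect Discovery defines.

```python
from urllib.parse import urlparse

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed sample profiles (hypothetical layout, not Curity's data model):
# each token service profile has an issuer URI and the service roles on
# which at least one of its endpoints is active.
PROFILES = [
    {"issuer": "https://login.example.com/oauth", "active_on": {"role-a", "role-b"}},
    {"issuer": "https://example.org/issuer0", "active_on": {"role-a"}},
    {"issuer": "https://example.org/issuer1", "active_on": {"role-a"}},
    {"issuer": "https://idp.example.net/x", "active_on": {"role-b"}},
]


def resource_host(resource):
    """Return the host named by a WebFinger resource (acct: or https: form)."""
    if resource.startswith("acct:"):
        # acct:alice@example.org -> example.org (DNS names are case-insensitive)
        return resource[len("acct:"):].rsplit("@", 1)[-1].lower()
    host = urlparse(resource).hostname  # already lower-cased by urlparse
    if not host:
        raise ValueError("resource has no host: %r" % resource)
    return host


def discover_issuer(resource, role, profiles=PROFILES):
    """Return (status, body) for a WebFinger issuer discovery query on a node of `role`."""
    host = resource_host(resource)
    # Only profiles with an active endpoint on this role take part in the search.
    candidates = [p["issuer"] for p in profiles
                  if role in p["active_on"]
                  and urlparse(p["issuer"]).hostname == host]
    if not candidates:
        return 404, {"error": "no issuer for host %s" % host}  # assumed status
    if len(candidates) > 1:
        # Two issuers on one host name cannot be told apart: the page's 500 case.
        return 500, {"error": "ambiguous issuer host", "issuers": candidates}
    return 200, {"subject": resource,
                 "links": [{"rel": OIDC_ISSUER_REL, "href": candidates[0]}]}
```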