OpenID Connect Endpoints and Their Requests
Category | Endpoint | Request | Description |
---|---|---|---|
Authentication | Authorization | (Redirect) /authorize | Starting the authentication flow |
Authentication | Token | (POST) /token | Retrieving access, refresh, and ID tokens |
Profile | UserInfo | (GET, POST) /userinfo | Retrieving user information (claims) |
Validation | Keys | (GET) /.well-known/jwks.json (path varies per provider; use jwks_uri from discovery) | Retrieving public keys used for validating tokens |
Validation | Introspection | (POST) /introspect | Validating (opaque) tokens |
Validation | Check Session Iframe | (iframe) /check_session (path varies per provider; use check_session_iframe from discovery) | Validating user session |
Termination | Revocation | (POST) /revoke | Revoking tokens |
Termination | Logout Endpoint | (Redirect) /end_session (path varies per provider; use end_session_endpoint from discovery) | Ending the user session at the OP (RP-Initiated Logout) |
Termination | Back-channel Logout | (POST) /backchannel_logout | OP tells the RP to end its local session |
Configuration | Discovery | (GET) /.well-known/openid-configuration | Retrieving IDP endpoints and capabilities |
Configuration | Dynamic Client Registration | (POST) /register | Registering a client application |
Authorization Endpoint
OpenID Connect Core 1.0 - Authorization Endpoint (openid.net)
The Authorization Endpoint (/authorize) is the starting point of the OIDC authentication flow. The client application (Relying Party, RP) redirects the user's browser to this endpoint at the OpenID Provider (OP) to authenticate the user and obtain their consent. Because the request travels through the browser, everything in it is visible to and tamperable by the user agent: the RP binds the eventual response to its own session with state and binds the ID Token to this particular request with nonce.
Authentication Request
The client application redirects the user's browser to the Authorization Endpoint with an Authentication Request that carries all required information as URL query parameters.

```http
GET /authorize?
  response_type=code
  &client_id=s6BhdRkqt3
  &redirect_uri=https%3A%2F%2Faboutauth.org%2Fclient%2Fcb
  &scope=openid%20profile%20email
  &nonce=n-0S6_WzA2Mj
  &state=af0ifjsldkj HTTP/1.1
Host: idp.aboutauth.com
```

Line breaks for demonstration purposes.
Token Endpoint
OpenID Connect Core 1.0 - Token Endpoint (openid.net)
The Token Endpoint (/token) is used by the client application to exchange a grant (an authorization code or a refresh token) for an Access Token, ID Token, and/or Refresh Token. This interaction happens on the back-channel, directly between the client and the OP without involving the user's browser, which is what allows the client to authenticate itself (e.g. with its client secret) and keeps the tokens out of the browser.
The token endpoint is called with a Token Request during an authentication flow, or with a Refresh Token Request when the client holds a refresh token and wants a new access token without re-authenticating the user.
Token Request
After receiving an authorization code on its redirect_uri, the client sends a Token Request to the Token Endpoint to obtain the tokens.
The Token Request is a POST request to the Token Endpoint, authenticated as the client; in the example below with HTTP Basic authentication (client_secret_basic), where the Authorization header carries base64(client_id:client_secret). The redirect_uri must be identical to the one sent in the Authentication Request; the OP compares the two to detect a code that was obtained through a different redirect URI.

```http
POST /token HTTP/1.1
Host: idp.aboutauth.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Faboutauth.org%2Fclient%2Fcb
```

Line breaks for demonstration purposes.
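The client side of the two requests above (the Authentication Request to /authorize and the Token Request to /token), as an added example that is not part of the original page or of any OIDC library: it generates state and nonce, builds the redirect URL, validates the callback's state before the code is ever used, and assembles the client_secret_basic Token Request. The endpoint URLs, the client secret gX1fBat3bV (which, together with client_id s6BhdRkqt3, base64-encodes to the Basic credential shown in the Token Request above) and the helper names are assumptions made for illustration; nothing here is sent over the network.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Session is what the RP stores server-side (keyed by its own session cookie) between sending the
// Authentication Request and receiving the callback: state binds the callback to this browser session,
// nonce is later compared against the nonce claim of the ID Token.
type Session struct{ State, Nonce string }

// randomToken returns 256 bits from the OS CSPRNG as base64url (hypothetical helper).
func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// BuildAuthorizationURL produces the redirect target for the Authentication Request (OIDC Core 3.1.2.1).
func BuildAuthorizationURL(authEndpoint, clientID, redirectURI string, scopes []string) (string, Session, error) {
	state, err1 := randomToken()
	nonce, err2 := randomToken()
	if err1 != nil || err2 != nil {
		return "", Session{}, errors.New("no entropy for state/nonce")
	}
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", Session{}, err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " ")) // must include "openid" for an OIDC request
	q.Set("state", state)
	q.Set("nonce", nonce)
	u.RawQuery = q.Encode()
	return u.String(), Session{State: state, Nonce: nonce}, nil
}

// HandleCallback validates the Authentication Response delivered to redirect_uri and returns the code.
// A missing or mismatched state means the response was not produced by this session's request
// (login CSRF / injected code), so it is dropped before any Token Request is made.
func HandleCallback(callbackURL string, sess Session) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if sess.State == "" || subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(sess.State)) != 1 {
		return "", errors.New("state mismatch: dropping callback")
	}
	if e := q.Get("error"); e != "" { // OAuth 2.0 error response, e.g. access_denied
		return "", fmt.Errorf("authorization failed: %s (%s)", e, q.Get("error_description"))
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries neither code nor error")
	}
	return code, nil
}

// BasicAuthValue builds the client_secret_basic credential per RFC 6749 2.3.1: both parts are
// form-urlencoded before being joined with ":" and base64-encoded.
func BasicAuthValue(clientID, clientSecret string) string {
	raw := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(raw))
}

// TokenRequestForm is the body of the Token Request; redirect_uri must repeat the value sent to /authorize.
func TokenRequestForm(code, redirectURI string) url.Values {
	return url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}
}

// TokenRequest assembles the back-channel POST to the Token Endpoint (built, not sent, in this example).
func TokenRequest(tokenEndpoint, clientID, clientSecret, code, redirectURI string) (*http.Request, error) {
	body := strings.NewReader(TokenRequestForm(code, redirectURI).Encode())
	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", BasicAuthValue(clientID, clientSecret))
	return req, nil
}
```

The state comparison is constant-time and fails closed when the session has no state at all, so a callback that arrives without a preceding Authentication Request is rejected rather than silently matched against an empty string.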
Refresh Token Request
OpenID Connect Core 1.0 - Refreshing Access Tokens (openid.net)
When an Access Token expires, the client can send a Refresh Token Request to obtain a new Access Token without requiring the user to log in again.
The Refresh Token Request is an authenticated POST request to the Token Endpoint with grant_type=refresh_token and the refresh token that the token endpoint returned during authentication. The example below authenticates the client with its credentials in the request body (client_secret_post) rather than in a Basic header. If a scope is requested, it must not exceed the scope that was originally granted.

```http
POST /token HTTP/1.1
Host: idp.aboutauth.com
Content-Type: application/x-www-form-urlencoded

client_id=s6BhdRkqt3
&client_secret=some_secret12345
&grant_type=refresh_token
&refresh_token=8xLOxBtZp8
&scope=openid%20profile
```

Line breaks for demonstration purposes.
UserInfo Endpoint
OpenID Connect Core 1.0 - UserInfo Endpoint (openid.net)
The UserInfo Endpoint is an OAuth 2.0 protected resource from which a client can retrieve claims about the authenticated user. To access it, the client presents the Access Token it received from the Token Endpoint in a UserInfo Request. The claims are returned as a JSON object (or, if the client registered for it, as a signed and/or encrypted JWT).
A critical security step is to verify that the sub (subject) claim in the UserInfo response exactly matches the sub from the ID Token. If they differ, the UserInfo values must not be used: the access token may have been substituted for one belonging to a different user (token substitution attack).
UserInfo Request
The client makes an authenticated GET or POST UserInfo Request to the UserInfo Endpoint, sending the user's Access Token as a bearer token in the Authorization header.

```http
POST /userinfo HTTP/1.1
Host: idp.aboutauth.com
Authorization: Bearer SlAV32hkKG
```
Keys Endpoint
OpenID Connect Discovery 1.0 - Provider Metadata (openid.net)
The Keys Endpoint (exposed via the jwks_uri member of the discovery document; the path itself is provider-specific) publishes the provider's public keys as a JSON Web Key Set (JWKS).
Client applications use these keys to validate the signatures of ID Tokens (and of other JWTs the provider signs, such as Logout Tokens), ensuring they are authentic and were issued by that provider. The key to use is selected by the kid header of the JWT; clients should cache the JWKS and re-fetch it when they encounter an unknown kid, which is how key rotation works without downtime. The JWKS must only ever be fetched from the jwks_uri of the trusted issuer, never from a URL named inside the token itself.
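How an RP uses the JWKS and the UserInfo sub check together, as an added example that is not code from the original page or from any provider: VerifyIDToken pins the algorithm to RS256, looks the signing key up in the JWKS by kid, verifies the signature and then checks iss, aud (string or array), exp and the nonce from the Authentication Request; CheckUserInfoSubject enforces the sub comparison from the UserInfo section above. The issuer, client_id and claim values are assumptions for illustration, and the helpers NewOPKey, JWKSFor and MintIDToken are a stand-in for the OpenID Provider that exists only so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64u = base64.RawURLEncoding

// Decoding targets: encoding/json matches the JSON names ("kty", "iss", ...) to these fields case-insensitively.
type JWK struct{ Kty, Kid, N, E string } // one RFC 7517 key (RSA fields only)
type JWKS struct{ Keys []JWK }            // the document served at jwks_uri
type IDTokenClaims struct {               // the claims OIDC Core 3.1.3.7 requires an RP to check
	Iss, Sub, Nonce string
	Aud             json.RawMessage // a string or an array of strings
	Exp             int64
}

func audContains(raw json.RawMessage, clientID string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == clientID
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	for _, a := range many {
		if a == clientID {
			return true
		}
	}
	return false
}

func publicKeyFromJWKS(jwks JWKS, kid string) (*rsa.PublicKey, error) {
	for _, k := range jwks.Keys {
		n, errN := b64u.DecodeString(k.N)
		e, errE := b64u.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// VerifyIDToken pins alg to RS256 (so "none" and HMAC key-confusion tokens fail before any key lookup),
// verifies the signature with the JWKS key named by kid, then checks iss, aud, exp and the nonce sent to /authorize.
func VerifyIDToken(token string, jwks JWKS, issuer, clientID, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	hb, err := b64u.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejecting alg %q: only RS256 is accepted", hdr.Alg)
	}
	pub, err := publicKeyFromJWKS(jwks, hdr.Kid)
	sig, errSig := b64u.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || errSig != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("ID token signature invalid or no matching key in JWKS")
	}
	pb, err := b64u.DecodeString(parts[1])
	var c IDTokenClaims
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("malformed claims segment")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("iss %q is not the discovered issuer", c.Iss)
	case !audContains(c.Aud, clientID):
		return nil, errors.New("aud does not contain our client_id")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("ID token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: replayed or injected token")
	}
	return &c, nil
}

// CheckUserInfoSubject enforces OIDC Core 5.3.2: a UserInfo response whose sub differs from the ID token's is rejected.
func CheckUserInfoSubject(id *IDTokenClaims, userInfoJSON []byte) error {
	var ui struct{ Sub string }
	if err := json.Unmarshal(userInfoJSON, &ui); err != nil || ui.Sub == "" || ui.Sub != id.Sub {
		return fmt.Errorf("UserInfo sub %q does not match ID token sub %q: do not use the response", ui.Sub, id.Sub)
	}
	return nil
}

// The helpers below stand in for the OpenID Provider so the example runs offline (assumed; not any real OP's code).
func NewOPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func JWKSFor(pub *rsa.PublicKey, kid string) JWKS {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64u.EncodeToString(pub.N.Bytes()), E: b64u.EncodeToString(e)}}}
}

// MintIDToken signs the claims as an RS256 JWT with the given kid (signing errors are ignored: stand-in code).
func MintIDToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64u.EncodeToString(hdr) + "." + b64u.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64u.EncodeToString(sig)
}
```

The order matters: the algorithm is fixed by the RP, not read from the token, and the signature is verified before any claim is looked at, so iss and kid cannot be used to steer the verifier towards an attacker-controlled key.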
Introspection Endpoint
OAuth 2.0 Token Introspection - RFC 7662 (datatracker.ietf.org)
The Introspection Endpoint allows a client or, more typically, a resource server to ask the authorization server whether a token is currently valid and what it represents. This is how opaque (non-JWT) tokens are validated, and unlike an offline signature check of a JWT it also reflects revocation.
Introspection Request
The caller makes an authenticated POST request (RFC 7662 requires the endpoint to be protected, so it cannot be used as an oracle for guessing tokens) with the token as a form parameter. The server responds with a JSON object whose active member states whether the token is valid, plus metadata such as scope, client_id, sub and exp; an unknown or revoked token is simply reported as active: false.

```http
POST /introspect HTTP/1.1
Host: idp.aboutauth.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer 23410913-abewfq.123483

token=2YotnFZFEjr1zCsicMWpAA
```
Check Session Iframe Endpoint
OpenID Connect Session Management 1.0 (openid.net)
The Check Session Iframe Endpoint (check_session_iframe in the discovery document) lets a client monitor the user's login status at the provider without a full page redirect.
The client loads this endpoint in a hidden iframe and uses postMessage to poll whether the session identified by the session_state value it received with the authentication response is still active. Because the OP iframe reads the OP's session cookie from a cross-site context, this mechanism depends on third-party cookies and fails where browsers block them; back-channel logout is the more robust alternative.
Revocation Endpoint
OAuth 2.0 Token Revocation - RFC 7009 (datatracker.ietf.org)
The Revocation Endpoint allows a client to invalidate a token (an access or refresh token) before it expires, for example when the user logs out. When a refresh token is revoked, the authorization server should also invalidate the access tokens issued on the same grant.
Note: a session can be terminated on the server side, but clients and resource servers may still hold tokens that were issued before. A self-contained JWT access token keeps verifying until its exp, so the relying party or resource server must check the token's current status with a risk-based frequency, e.g. via the Introspection Endpoint or a UserInfo call on every request or every few minutes. Issuing opaque tokens (which can only be validated by introspection) instead of self-contained JWTs closes this window, at the cost of a call to the provider per check.
Token Revocation Request
The client sends an authenticated POST request containing the token to be revoked. The endpoint responds 200 even if the token is unknown or already invalid, so a 200 only confirms that the request was accepted.

```http
POST /revoke HTTP/1.1
Host: idp.aboutauth.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz
```
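Introspection with a bounded cache, and what a revocation does to it, as an added example that is not code from the original page or from any provider; it illustrates both the Introspection Request above and the note under the Revocation Endpoint. Check POSTs to the introspection endpoint with the resource server's own credentials, fails closed on any non-200 answer, distrusts active: true with a past exp, and caches only positive answers for CacheTTL, which is exactly the window during which a token revoked at the OP keeps working. The endpoint paths, credentials, token values and NewFakeOP (an in-process stand-in for the provider so the example runs offline) are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// IntrospectionResponse is the RFC 7662 2.2 response; only "active" is mandatory.
type IntrospectionResponse struct {
	Active   bool   `json:"active"`
	Scope    string `json:"scope,omitempty"`
	ClientID string `json:"client_id,omitempty"`
	Sub      string `json:"sub,omitempty"`
	Exp      int64  `json:"exp,omitempty"`
}

type cachedResult struct {
	resp  IntrospectionResponse
	until time.Time
}

// Introspector is what a resource server keeps: the introspection_endpoint, its own credentials
// (RFC 7662 requires callers to authenticate) and a short cache of positive answers. CacheTTL is the
// risk-based window during which a token revoked at the OP is still honoured here.
type Introspector struct {
	Endpoint, ClientID, ClientSecret string
	CacheTTL                         time.Duration
	Now                              func() time.Time
	mu                               sync.Mutex
	cache                            map[string]cachedResult
}

// Check returns the token's status, serving from cache inside CacheTTL and failing closed otherwise.
func (in *Introspector) Check(token string) (IntrospectionResponse, error) {
	in.mu.Lock()
	c, hit := in.cache[token]
	in.mu.Unlock()
	if hit && in.Now().Before(c.until) {
		return c.resp, nil
	}
	body := url.Values{"token": {token}, "token_type_hint": {"access_token"}}.Encode()
	req, err := http.NewRequest(http.MethodPost, in.Endpoint, strings.NewReader(body))
	if err != nil {
		return IntrospectionResponse{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(in.ClientID, in.ClientSecret)
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		return IntrospectionResponse{}, err
	}
	defer res.Body.Close()
	var out IntrospectionResponse
	if res.StatusCode != http.StatusOK || json.NewDecoder(res.Body).Decode(&out) != nil {
		return IntrospectionResponse{}, fmt.Errorf("introspection failed (HTTP %d): treating token as invalid", res.StatusCode)
	}
	if out.Exp != 0 && !in.Now().Before(time.Unix(out.Exp, 0)) {
		out.Active = false // "active": true with a past exp is not trusted
	}
	if out.Active { // only positives are cached, so a freshly issued token is never blocked by a stale negative
		in.mu.Lock()
		if in.cache == nil {
			in.cache = map[string]cachedResult{}
		}
		in.cache[token] = cachedResult{resp: out, until: in.Now().Add(in.CacheTTL)}
		in.mu.Unlock()
	}
	return out, nil
}

// Revoke sends the RFC 7009 request; a 200 means "accepted", not "something was revoked".
func Revoke(endpoint, clientID, clientSecret, token string) error {
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(url.Values{"token": {token}}.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	res.Body.Close()
	if res.StatusCode != http.StatusOK {
		return fmt.Errorf("revocation rejected with HTTP %d", res.StatusCode)
	}
	return nil
}

// NewFakeOP stands in for the provider so the example runs offline (an assumption of this example, not real
// OP code): /introspect answers from the table after checking the caller's Basic credentials, /revoke deletes
// the token so later introspections report it inactive.
func NewFakeOP(clientID, clientSecret string, tokens map[string]IntrospectionResponse) *httptest.Server {
	var mu sync.Mutex
	authorized := func(r *http.Request) bool {
		id, pw, ok := r.BasicAuth()
		return ok && r.Method == http.MethodPost && id == clientID && pw == clientSecret
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/introspect", func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r) {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		mu.Lock()
		resp := tokens[r.FormValue("token")] // unknown token -> zero value, i.e. "active": false
		mu.Unlock()
		json.NewEncoder(w).Encode(resp)
	})
	mux.HandleFunc("/revoke", func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r) {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		mu.Lock()
		delete(tokens, r.FormValue("token")) // 200 regardless of whether the token existed (RFC 7009)
		mu.Unlock()
	})
	return httptest.NewServer(mux)
}
```

Pick CacheTTL from the damage a revoked token can do in that time: seconds for a payment API, minutes for a read-only dashboard; a TTL of zero turns every request into an introspection call, which is the "on each request" end of the risk-based spectrum.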
Logout Endpoint
OpenID Connect RP-Initiated Logout 1.0 (openid.net)
The Logout Endpoint (end_session_endpoint in the discovery document) is used to log the user out of their session at the OpenID Provider and is the target of RP-Initiated Logout requests.
RP-Initiated Logout Request
The client redirects the user's browser to this endpoint, typically including an id_token_hint (the ID Token previously issued to this client, which identifies both the user and the session) and a post_logout_redirect_uri to return the user to the application afterward. The post_logout_redirect_uri must have been registered with the OP beforehand, otherwise an attacker could use the logout endpoint as an open redirector; an optional state value is echoed back to that URI.

```http
GET /end_session?
  id_token_hint=eyJhbGci ... .eyJpc3Mi ... .T3BlbklE ...
  &post_logout_redirect_uri=https%3A%2F%2Faboutauth.org%2Fclient%2Flogged-out
  &state=af0ifjsldkj HTTP/1.1
Host: idp.aboutauth.com
```

Line breaks for demonstration purposes.
Back-Channel Logout
OpenID Connect Back-Channel Logout 1.0 (openid.net)
Back-channel logout is a mechanism in which the OpenID Provider (OP) notifies the Relying Parties (RPs) of a logout by direct server-to-server communication. It differs from front-channel logout, where the OP delivers logout requests to the RPs via the browser (User Agent) and therefore depends on the browser still being present and on cookies being sent from a cross-site context. Each RP registers a backchannel_logout_uri with the OP.
Back-Channel Logout Request
The back-channel logout request is a POST from the OP to the RP's back-channel logout endpoint, carrying a Logout Token: a JWT signed by the OP that identifies the End-User (sub) and/or the session (sid) to be logged out. The RP validates it like an ID Token (signature via the OP's JWKS, iss, aud, iat), additionally checks the events claim for the backchannel-logout event and that no nonce is present, then terminates its local session and answers 200 (400 if the token is invalid). Since the request does not come from the user's browser, the RP cannot rely on its session cookie and must find the session by sid or sub.

```http
POST /backchannel_logout HTTP/1.1
Host: rp.example.org
Content-Type: application/x-www-form-urlencoded

logout_token=eyJhbGci ... .eyJpc3Mi ... .T3BlbklE ...
```
Discovery Endpoint
OpenID Connect Discovery 1.0 (openid.net)
The Discovery Endpoint provides a machine-readable JSON document containing the provider's configuration, including the URLs of all other endpoints (authorization_endpoint, token_endpoint, userinfo_endpoint, jwks_uri, end_session_endpoint, ...) and its supported capabilities (response types, signing algorithms, scopes). This allows for automatic client configuration. A client should fetch the document by appending /.well-known/openid-configuration to the issuer URL it trusts and verify that the issuer value in the document is identical to that URL; endpoints from the document are then used as-is, which is why the document itself must come only from the trusted issuer over TLS.
Dynamic Client Registration Endpoint
OpenID Connect Dynamic Client Registration 1.0 (openid.net). OAuth 2.0 Dynamic Client Registration Protocol (datatracker.ietf.org)
This endpoint allows client applications to register with an OpenID Provider programmatically.
Instead of manual setup, a client sends a POST request with its metadata (e.g. application name, redirect URIs, grant types) and receives a client_id, usually a client_secret, and other configuration details in the response. Registration may be open or require an Initial Access Token; with open registration anyone can obtain a client_id, so a registered client must not be treated as trusted and its redirect URIs must be matched exactly at the Authorization Endpoint.