OpenID Connect Discovery

[byewokko]

Summary

• Default OIDC Issuer name set to the value of PUBLIC_AUTH_API.
• OIDC/OAuth discovery endpoint available at <PUBLIC_AUTH_API>/.well-known/openid-configuration.
• JWKS (public keys) now also available at <PUBLIC_AUTH_API>/.well-known/jwks.json.
• Added token revocation endpoint.
• Removed refresh token endpoint.
• Updated example NGINX config accordingly.

OIDC Discovery endpoint

• Returns Authorization server metadata as defined in RFC8414 (OAuth 2.0 Authorization Server Metadata) and OpenID Connect Discovery 1.0.

Example response:

{
    "issuer": "https://auth.local.loc/seacat-auth/api",
    "authorization_endpoint": "https://auth.local.loc/seacat-auth/api/openidconnect/authorize",
    "token_endpoint": "https://auth.local.loc/seacat-auth/api/openidconnect/token",
    "token_endpoint_auth_signing_alg_values_supported": [
        "ES256"
    ],
    "jwks_uri": "https://auth.local.loc/seacat-auth/api/openidconnect/public_keys",
    "response_types_supported": [
        "code"
    ],
    "subject_types_supported": [
        "public"
    ],
    "userinfo_endpoint": "https://auth.local.loc/seacat-auth/api/openidconnect/userinfo",
    "scopes_supported": [
        "openid",
        "profile",
        "email",
        "phone",
        "cookie",
        "batman",
        "anonymous",
        "impersonate:",
        "tenant:"
    ],
    "claims_supported": [
        "sub",
        "iss",
        "exp",
        "iat",
        "aud",
        "azp",
        "preferred_username",
        "email",
        "phone_number",
        "sid",
        "psid",
        "track_id",
        "resources",
        "tenants",
        "impersonator_sid",
        "impersonator_cid",
        "anonymous"
    ],
    "end_session_endpoint": "https://auth.local.loc/seacat-auth/api/openidconnect/logout",
    "revocation_endpoint": "https://auth.local.loc/seacat-auth/api/openidconnect/token/revoke",
    "grant_types_supported": [
        "authorization_code"
    ],
    "token_endpoint_auth_methods_supported": [
        "none"
    ],
    "prompt_values_supported": [
        "none",
        "login",
        "select_account"
    ],
    "claim_types_supported": [
        "normal"
    ],
    "service_documentation": "https://docs.teskalabs.com/seacat-auth",
    "ui_locales_supported": [
        "en-US",
        "cs-CZ"
    ],
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "nginx_introspection_endpoint": "https://auth.local.loc/seacat-auth/api/openidconnect/introspect/nginx"
}