The specification describes two options for creating the URL from which the Entity Configuration is retrieved. Using the Entity Identifier https://multi-tenant-service.example.com/my-tenant-identifier as an example, these are:
Insert /.well-known/openid-federation between the host and the path of the Entity Identifier, resulting in https://multi-tenant-service.example.com/.well-known/openid-federation/my-tenant-identifier. This parallels the .well-known treatment at https://www.rfc-editor.org/rfc/rfc8414.html#section-3.
Concatenate /.well-known/openid-federation to the Entity Identifier, resulting in https://multi-tenant-service.example.com/my-tenant-identifier/.well-known/openid-federation. This parallels the .well-known treatment in https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig.
The specification describes two options for creating the URL from which the Entity Configuration is retrieved. Using the Entity Identifier
https://multi-tenant-service.example.com/my-tenant-identifier
as an example, these are:/.well-known/openid-federation
between the host and the path of the Entity Identifier, resulting inhttps://multi-tenant-service.example.com/.well-known/openid-federation/my-tenant-identifier
. This parallels the .well-known treatment at https://www.rfc-editor.org/rfc/rfc8414.html#section-3./.well-known/openid-federation
to the Entity Identifier, resulting inhttps://multi-tenant-service.example.com/my-tenant-identifier/.well-known/openid-federation
. This parallels the .well-known treatment in https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig.As the spec says:
Pragmatically, deployability and interoperability and will be increased by selecting the OpenID Connect treatment over the OAuth treatment.