scotthovestadt / gigya

Gigya JavaScript REST SDK
MIT License

Support for fidm.oidc.op.getMetadata #51

Closed renzosunico closed 4 years ago

renzosunico commented 4 years ago

What does it do?

It's an endpoint that allows OP to pull the OP metadata which contains different endpoints such as authorize endpoint, token endpoint, userinfo endpoint, introspect endpoint and most importantly the JSON web keys.

Why do we need it?

It is necessary so that we are able to pull the latest jwks when validating id_token. It's stated in the document that it could change without prior notice so it would be better to get it from the source rather than having it offline.

Source: https://developers.gigya.com/display/GD/Validate+A+JWT+from+SAP+Customer+Data+Cloud

Public keys are subject to change without warning for security reasons. Recommended best practice is to check the keyid returned in the JWT header against the kid (Key ID) of the public key you have stored from accounts.getJWTPublicKey, or that you received from the OP, and if they do not match, you must update your public key using accounts.getJWTPublicKey or contacting the OP.

Workaround

As a workaround, I do:

gigya.request('fidm.oidc.op.getMetadata')

Note

This endpoint is not listed in the documentation for some reason.

iBaryo commented 4 years ago

52

jsunico commented 4 years ago

Hi @iBaryo, thanks for merging my request. :) May I know when I can expect the new npm version, please? Thank you.