> Describes how to use OpenID Connect (OIDC) discovery to configure applications with Auth0 using SDKs.

# Configure Applications with OIDC Discovery

[OpenID Connect (OIDC) Discovery](https://openid.net/specs/openid-connect-discovery-1_0-final.html#RFC5785) documents contain metadata about the <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip> (IdP). Adding discovery to your SDK points your application to the `/.well-known` endpoint, where it can consume information about your IdP to help configure your integration with the IdP.

Integrating OIDC discovery into your SDK provides:

* Exposed endpoints of the IdP
* Standard [OIDC supported claims and scope](/docs/get-started/apis/scopes/openid-connect-scopes) (this excludes [custom claims](/docs/secure/tokens/json-web-tokens/create-custom-claims) and scopes defined in your tenant)
* Features supported by the IdP

You can configure applications with the [OpenID Connect (OIDC)](https://openid.net/specs/openid-connect-discovery-1_0.html) discovery documents found at: `https://{yourDomain}/.well-known/openid-configuration`.

### Sample response

```json lines expandable
{
  "issuer": "https://{yourDomain}.us.auth0.com/",
  "authorization_endpoint": "https://{yourDomain}.us.auth0.com/authorize",
  "token_endpoint": "https://{yourDomain}.us.auth0.com/oauth/token",
  "device_authorization_endpoint": "https://{yourDomain}.us.auth0.com/oauth/device/code",
  "userinfo_endpoint": "https://{yourDomain}.us.auth0.com/userinfo",
  "mfa_challenge_endpoint": "https://{yourDomain}.us.auth0.com/mfa/challenge",
  "jwks_uri": "https://{yourDomain}.us.auth0.com/.well-known/jwks.json",
  "registration_endpoint": "https://{yourDomain}.us.auth0.com/oidc/register",
  "revocation_endpoint": "https://{yourDomain}.us.auth0.com/oauth/revoke",
  "scopes_supported": [
    "openid",
    "profile",
    "offline_access",
    "name",
    "given_name",
    "family_name",
    "nickname",
    "email",
    "email_verified",
    "picture",
    "created_at",
    "identities",
    "phone",
    "address"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token"
  ],
  "code_challenge_methods_supported": [
    "S256",
    "plain"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "RS256",
    "PS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "private_key_jwt"
  ],
  "claims_supported": [
    "aud",
    "auth_time",
    "created_at",
    "email",
    "email_verified",
    "exp",
    "family_name",
    "given_name",
    "iat",
    "identities",
    "iss",
    "name",
    "nickname",
    "phone_number",
    "picture",
    "sub"
  ],
  "request_uri_parameter_supported": false,
  "request_parameter_supported": false,
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "PS256"
  ]
}
```
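
As an added example (not Auth0's or any SDK's own code), the Python sketch below shows checks a client can run on a fetched discovery document before using it: the issuer matches exactly, the endpoints it will call are HTTPS, and the weaker options advertised in the sample response (`HS256`, PKCE `plain`) are flagged so the client pins stronger ones. The `idp.example` documents are constructed, and the same-host rule for endpoints is a policy assumed for this example, not a requirement of the specification.

```python
from urllib.parse import urlsplit

# Endpoints from the sample response that a client calls directly.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")

def check_discovery(doc, expected_issuer):
    """Return (errors, warnings) for a parsed openid-configuration document."""
    errors, warnings = [], []
    # OIDC Discovery requires the issuer to be identical to the URL the
    # document was fetched under, trailing slash included.
    if doc.get("issuer") != expected_issuer:
        errors.append("issuer mismatch")
    issuer_host = urlsplit(expected_issuer).hostname
    for key in ENDPOINT_KEYS:
        url = urlsplit(str(doc.get(key, "")))
        if url.scheme != "https":
            errors.append(f"{key}: missing or not https")
        elif url.hostname != issuer_host:
            # Assumed policy: every endpoint lives on the issuer's host,
            # as it does in the sample response above.
            errors.append(f"{key}: unexpected host {url.hostname}")
    if "HS256" in doc.get("id_token_signing_alg_values_supported", []):
        warnings.append("HS256 advertised: pin the client to RS256")
    if "plain" in doc.get("code_challenge_methods_supported", []):
        warnings.append("PKCE plain advertised: always send S256")
    return errors, warnings

# Constructed sample documents; idp.example is a placeholder domain.
GOOD = {
    "issuer": "https://idp.example/",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/oauth/token",
    "userinfo_endpoint": "https://idp.example/userinfo",
    "jwks_uri": "https://idp.example/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["HS256", "RS256", "PS256"],
    "code_challenge_methods_supported": ["S256", "plain"],
}
# Same document with the trailing slash dropped from the issuer and the
# key set moved to a different host.
TAMPERED = dict(GOOD, issuer="https://idp.example",
                jwks_uri="https://keys.other.example/jwks.json")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("TAMPERED", TAMPERED)):
        print(name, check_discovery(doc, "https://idp.example/"))
```

Treat any entry in `errors` as a reason to refuse the configuration; `warnings` are options the IdP offers that the client should not select.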

### Sample implementation

For example, this is how to configure OIDC middleware for Katana v3 (OWIN):

1. Install the NuGet package: **Microsoft.Owin.Security.OpenIdConnect** (v3.x.x)

2. Go to `App_Start\Startup.Auth.cs` and replace your implementation with the following:

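   ```csharp lines expandable
   // Namespaces this snippet needs at the top of Startup.Auth.cs:
   //   Owin, Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OpenIdConnect,
   //   System.Security.Claims, System.Threading.Tasks
   app.UseCookieAuthentication(new CookieAuthenticationOptions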
   {
       AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
   });

   app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
   {
       Authority = "https://{yourDomain}/",
       ClientId = "{yourClientId}",
       SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
       ResponseType = "token",
       Notifications = new OpenIdConnectAuthenticationNotifications
       {
           // OPTIONAL: you can read/modify the claims that are populated based on the JWT
           SecurityTokenValidated = context =>
           {
               // add Auth0 Access Token as claim
               var accessToken = context.ProtocolMessage.AccessToken;
               if (!string.IsNullOrEmpty(accessToken))
               {
                   context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
               }
               return Task.FromResult(0);
           }
       }
   });
   ```

## RSA algorithm for JWTs

The OIDC middleware does not support <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWTs">JWTs</Tooltip> signed with symmetric keys. Make sure you configure your app to use the RSA algorithm using public/private keys.

1. Go to [Dashboard > Settings](https://manage.auth0.com/#/applications/\{YOUR_AUTH0_CLIENT_ID}/settings).
2. Scroll down to **Advanced Settings**.
3. Under the **OAuth** tab, set `RS256` as **Json Web Token(JWT) Signature Algorithm** and click **Save**.

With this setting, Auth0 will issue JWTs signed with your private signing key. Your app will verify them with your public signing key.
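
To confirm which algorithm a token was actually issued with, the added example below (not part of the middleware or of Auth0's SDKs) decodes a JWT header and rejects anything outside an `RS256` allow-list. It is a pre-check only and does not replace signature verification; the tokens are constructed with a placeholder signature, and `require_asymmetric_alg` and `constructed_token` are names chosen for this example.

```python
import base64
import json

ALLOWED_ALGS = frozenset({"RS256"})  # the algorithm the steps above configure

def _b64url(data):
    """Base64url-encode bytes without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_header(token):
    """Decode the header of a compact JWT without verifying anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    padded = parts[0] + "=" * (-len(parts[0]) % 4)  # restore stripped padding
    header = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(header, dict):
        raise ValueError("JWT header is not a JSON object")
    return header

def require_asymmetric_alg(token, allowed=ALLOWED_ALGS):
    """Return the header's alg if it is allow-listed, else raise ValueError."""
    alg = jwt_header(token).get("alg")
    if alg not in allowed:
        # HS256 here means the application is still set to a symmetric key.
        raise ValueError(f"alg {alg!r} not allowed; expected {sorted(allowed)}")
    return alg

def constructed_token(alg):
    """Build a constructed, unsigned sample token for the given alg."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "https://idp.example/",
                                  "sub": "user-1"}).encode())
    return f"{header}.{payload}.c2ln"  # placeholder signature, never valid

if __name__ == "__main__":
    for alg in ("RS256", "HS256", "none"):
        try:
            print(alg, "->", require_asymmetric_alg(constructed_token(alg)))
        except ValueError as exc:
            print(alg, "-> rejected:", exc)
```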

## Configure applications with OAuth 2.0 Authorization Server Metadata

If your application or SDK references the [OAuth RFC-8414](https://www.rfc-editor.org/rfc/rfc8414) <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=Authorization+Server">Authorization Server</Tooltip> Metadata specification, you can use the <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth">OAuth</Tooltip> alias to fetch metadata about the IdP: `/.well-known/oauth-authorization-server`. For example, the [Auth0 Model Context Protocol Server](/docs/get-started/auth0-mcp-server) recommends all OAuth applications reference the OAuth Authorization Server Metadata specification.

## Learn more

* [JSON Web Tokens](/docs/secure/tokens/json-web-tokens)
* [Create Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims)
