OpenID Connect (OIDC) Discovery documents contain metadata about the identity provider (IdP). Adding discovery to your SDK, so that your application reads the `/.well-known` endpoint for information about your IdP, can help you configure your integration with the IdP.

Integrating OIDC discovery into your SDK provides:

You can configure applications with the OpenID Connect (OIDC) discovery documents found at: `https://{yourDomain}/.well-known/openid-configuration`.

## Sample response

```json
{
  "issuer": "https://{yourDomain}.us.auth0.com/",
  "authorization_endpoint": "https://{yourDomain}.us.auth0.com/authorize",
  "token_endpoint": "https://{yourDomain}.us.auth0.com/oauth/token",
  "device_authorization_endpoint": "https://{yourDomain}.us.auth0.com/oauth/device/code",
  "userinfo_endpoint": "https://{yourDomain}.us.auth0.com/userinfo",
  "mfa_challenge_endpoint": "https://{yourDomain}.us.auth0.com/mfa/challenge",
  "jwks_uri": "https://{yourDomain}.us.auth0.com/.well-known/jwks.json",
  "registration_endpoint": "https://{yourDomain}.us.auth0.com/oidc/register",
  "revocation_endpoint": "https://{yourDomain}.us.auth0.com/oauth/revoke",
  "scopes_supported": [
    "openid",
    "profile",
    "offline_access",
    "name",
    "given_name",
    "family_name",
    "nickname",
    "email",
    "email_verified",
    "picture",
    "created_at",
    "identities",
    "phone",
    "address"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token"
  ],
  "code_challenge_methods_supported": [
    "S256",
    "plain"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "RS256",
    "PS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "private_key_jwt"
  ],
  "claims_supported": [
    "aud",
    "auth_time",
    "created_at",
    "email",
    "email_verified",
    "exp",
    "family_name",
    "given_name",
    "iat",
    "identities",
    "iss",
    "name",
    "nickname",
    "phone_number",
    "picture",
    "sub"
  ],
  "request_uri_parameter_supported": false,
  "request_parameter_supported": false,
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "PS256"
  ]
}
```

## Sample implementation

For example, this is how to configure OIDC middleware for Katana v3 (OWIN):

1. Install the NuGet package: `Microsoft.Owin.Security.OpenIdConnect` (v3.x.x)
2. Go to `App_Start\Startup.Auth.cs` and replace your implementation with the following:

   ```csharp
   // Namespaces needed at the top of Startup.Auth.cs:
   //   System.Security.Claims, System.Threading.Tasks,
   //   Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OpenIdConnect

   // Local session cookie that holds the identity after sign-in
   app.UseCookieAuthentication(new CookieAuthenticationOptions
   {
       AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
   });

   app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
   {
       // The middleware reads the discovery document published under this authority
       Authority = "https://{yourDomain}/",
       ClientId = "{yourClientId}",
       SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
       ResponseType = "token",
       Notifications = new OpenIdConnectAuthenticationNotifications
       {
           // OPTIONAL: you can read/modify the claims that are populated based on the JWT
           SecurityTokenValidated = context =>
           {
               // add Auth0 Access Token as claim
               var accessToken = context.ProtocolMessage.AccessToken;
               if (!string.IsNullOrEmpty(accessToken))
               {
                   context.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", accessToken));
               }
               return Task.FromResult(0);
           }
       }
   });
   ```

## RSA algorithm for JWTs

The OIDC middleware does not support <Tooltip  tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties.">JWTs</Tooltip> signed with symmetric keys. Make sure you configure your app to use the RSA algorithm using public/private keys.

1. Go to [Dashboard > Settings](https://manage.auth0.com/#/applications/{YOUR_AUTH0_CLIENT_ID}/settings).
2. Scroll down to **Advanced Settings**.
3. Under the **OAuth** tab, set `RS256` as **Json Web Token(JWT) Signature Algorithm** and click **Save**.

With this setting, Auth0 will issue JWTs signed with your private signing key. Your app will verify them with your public signing key.
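
A check an SDK can run on a fetched discovery document before consuming it, covering the issuer and endpoint fields from the sample response and the RS256 requirement described above. This is an added example, not Auth0's code: `check_metadata`, `discovery_url`, the `example-tenant` domain and the rule that endpoints share the issuer's host are assumptions made here for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the sample response with a placeholder tenant domain.
SAMPLE = json.loads("""{
  "issuer": "https://example-tenant.us.auth0.com/",
  "authorization_endpoint": "https://example-tenant.us.auth0.com/authorize",
  "token_endpoint": "https://example-tenant.us.auth0.com/oauth/token",
  "jwks_uri": "https://example-tenant.us.auth0.com/.well-known/jwks.json",
  "response_types_supported": ["code", "token", "id_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["HS256", "RS256", "PS256"]
}""")

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED in every case.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
# Endpoints the application will send users, codes or tokens to.
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

def discovery_url(issuer):
    """Well-known URL for an issuer: drop any trailing slash, then append the path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_metadata(doc, expected_issuer, required_alg="RS256"):
    """Return a list of problems; an empty list means the document passed every check."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # The returned issuer must be identical to the issuer the application was configured with.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    # Assumption: a single-tenant deployment, so every endpoint lives on the issuer's host.
    host = urlsplit(expected_issuer).hostname
    for key in ENDPOINTS:
        if key not in doc:
            continue
        url = urlsplit(str(doc[key]))
        if url.scheme != "https":
            problems.append(f"{key} is not https")
        elif url.hostname != host:
            problems.append(f"{key} host {url.hostname!r} differs from issuer host")
    # The OIDC middleware needs asymmetric signing, so RS256 has to be on offer.
    if required_alg not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append(f"{required_alg} not offered for ID token signing")
    return problems
```

An application would fetch `discovery_url(issuer)` over TLS, parse the JSON and refuse to start if `check_metadata` returns anything.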

## Configure applications with OAuth 2.0 Authorization Server Metadata

If your application or SDK references the [OAuth RFC-8414](https://www.rfc-editor.org/rfc/rfc8414) <Tooltip  tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user.">Authorization Server</Tooltip> Metadata specification, you can use the <Tooltip  tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows.">OAuth</Tooltip> alias to fetch metadata about the IdP: `/.well-known/oauth-authorization-server`. For example, the [Auth0 Model Context Protocol Server](/docs/get-started/auth0-mcp-server) recommends all OAuth applications reference the OAuth Authorization Server Metadata specification.

## Learn more

* [JSON Web Tokens](/docs/secure/tokens/json-web-tokens)
* [Create Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims)