Metadata endpoint

OAuth2.0 Authorization Server Metadata (RFC8414) endpoint provide the metadata of your authorization server. Since the metadata results can be a combination of OAuthlib’s Endpoint (see Preconfigured all-in-one servers), the MetadataEndpoint’s class takes a list of Endpoints in parameter, and aggregate the metadata in the response.

See below an example of usage with bottle-oauthlib when using a LegacyApplicationServer (password grant) endpoint:

import bottle
from bottle_oauthlib.oauth2 import BottleOAuth2
from oauthlib import oauth2

app = bottle.Bottle()
app.authmetadata = BottleOAuth2(app)

oauthlib_server = oauth2.LegacyApplicationServer(oauth2.RequestValidator())
app.authmetadata.initialize(oauth2.MetadataEndpoint([oauthlib_server], claims={
    "issuer": "https://xx",
    "token_endpoint": "https://xx/token",
    "revocation_endpoint": "https://xx/revoke",
    "introspection_endpoint": "https://xx/tokeninfo"
}))


@app.get('/.well-known/oauth-authorization-server')
@app.authmetadata.create_metadata_response()
def metadata():
    pass


if __name__ == "__main__":
    app.run()  # pragma: no cover

Sample response’s output:

$ curl -s http://localhost:8080/.well-known/oauth-authorization-server|jq .
{
  "issuer": "https://xx",
  "token_endpoint": "https://xx/token",
  "revocation_endpoint": "https://xx/revoke",
  "introspection_endpoint": "https://xx/tokeninfo",
  "grant_types_supported": [
    "password",
    "refresh_token"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ]
}
class oauthlib.oauth2.MetadataEndpoint(endpoints, claims={}, raise_errors=True)[source]

OAuth2.0 Authorization Server Metadata endpoint.

This specification generalizes the metadata format defined by OpenID Connect Discovery 1.0 in a way that is compatible with OpenID Connect Discovery while being applicable to a wider set of OAuth 2.0 use cases. This is intentionally parallel to the way that OAuth 2.0 Dynamic Client Registration Protocol [RFC7591] generalized the dynamic client registration mechanisms defined by OpenID Connect Dynamic Client Registration 1.0 in a way that is compatible with it.

create_metadata_response(uri, http_method='GET', body=None, headers=None)[source]

Create metadata response

validate_metadata_server()[source]
Authorization servers can have metadata describing their configuration. The following authorization server metadata values are used by this specification. More details can be found in RFC8414 section 2 :
issuer
REQUIRED
authorization_endpoint
URL of the authorization server’s authorization endpoint [RFC6749#Authorization]. This is REQUIRED unless no grant types are supported that use the authorization endpoint.
token_endpoint
URL of the authorization server’s token endpoint [RFC6749#Token]. This is REQUIRED unless only the implicit grant type is supported.
scopes_supported
RECOMMENDED.
response_types_supported
REQUIRED.
Other OPTIONAL fields:
jwks_uri, registration_endpoint, response_modes_supported
grant_types_supported
OPTIONAL. JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports. The array values used are the same as those used with the “grant_types” parameter defined by “OAuth 2.0 Dynamic Client Registration Protocol” [RFC7591]. If omitted, the default value is “[“authorization_code”, “implicit”]”.

token_endpoint_auth_methods_supported

token_endpoint_auth_signing_alg_values_supported

service_documentation

ui_locales_supported

op_policy_uri

op_tos_uri

revocation_endpoint

revocation_endpoint_auth_methods_supported

revocation_endpoint_auth_signing_alg_values_supported

introspection_endpoint

introspection_endpoint_auth_methods_supported

introspection_endpoint_auth_signing_alg_values_supported

code_challenge_methods_supported

Additional authorization server metadata parameters MAY also be used. Some are defined by other specifications, such as OpenID Connect Discovery 1.0 [OpenID.Discovery].

validate_metadata_token(claims, endpoint)[source]

If the token endpoint is used in the grant type, the value of this parameter MUST be the same as the value of the “grant_type” parameter passed to the token endpoint defined in the grant type definition.