Hosted OIDC Provider

Overview

We deployed an OpenID Connect Provider (OP) with SIWE support hosted under . This deployment is supported by the ENS DAO, under in order to have a DAO-governed OpenID Connect Provider.

Developers will be able to use a standard OIDC client to connect to the hosted OP. Please see our for more information about supported OIDC features.

To use the hosted OP, developers are typically interested in the following steps:

• Retrieving the OP configuration.

• Registering the OIDC client with the OP.

• Using the OP configuration to configure the OIDC client.

OpenID Connect Provider Configuration

The OP supports the OpenID Connect Provider Configuration specification as per . To fetch the OP configuration which is required for configuring OIDC clients, developers can make a GET HTTPS request to the following endpoint as follows:

curl https://oidc.signinwithethereum.org/.well-known/openid-configuration

This will result in the latest OP configuration object that provides information about supported OIDC flows, endpoints, public keys, signing algorithm, client authentication types, etc. as follows:

{
   "issuer":"https://oidc.signinwithethereum.org/",
   "authorization_endpoint":"https://oidc.signinwithethereum.org/authorize",
   "token_endpoint":"https://oidc.signinwithethereum.org/token",
   "userinfo_endpoint":"https://oidc.signinwithethereum.org/userinfo",
   "jwks_uri":"https://oidc.signinwithethereum.org/jwk",
   "registration_endpoint":"https://oidc.signinwithethereum.org/register",
   "scopes_supported":[
      "openid",
      "profile"
   ],
   "response_types_supported":[
      "code",
      "id_token",
      "token id_token"
   ],
   "subject_types_supported":[
      "pairwise"
   ],
   "id_token_signing_alg_values_supported":[
      "RS256"
   ],
   "userinfo_signing_alg_values_supported":[
      "RS256"
   ],
   "token_endpoint_auth_methods_supported":[
      "client_secret_basic",
      "client_secret_post",
      "private_key_jwt"
   ],
   "claims_supported":[
      "sub",
      "aud",
      "exp",
      "iat",
      "iss",
      "preferred_username",
      "picture"
   ],
   "op_policy_uri":"https://oidc.signinwithethereum.org/legal/privacy-policy.pdf",
   "op_tos_uri":"https://oidc.signinwithethereum.org/legal/terms-of-use.pdf"
}

OpenID Connect Client Registration

To use the hosted OIDC server it is required to register the application as an OIDC client using the OIDC client registration of oidc.signinwithethereum.org. Currently, no user interface for OIDC client registration is supported. For that reason, developers will need to use the REST API.

To register a new OIDC client, the following request has to be adapted:

curl -X POST https://oidc.signinwithethereum.org/register \
   -H 'Content-Type: application/json' \
   -d '{"redirect_uris": ["https://<your.comaind>/cb"]}'

The OIDC server needs to know whether the user is allowed to be redirected to the URI in the OIDC request after authentication for the specific OIDC client. This must be configured through the redirect_uris parameter.

The response will be a OIDC client metadata object that contains the client_id and client_secret that have to be used to retrieve the OIDC tokens from the token endpoint. Developers have to make sure that those parameters have to be kept secret.

The following is an example response:

{
    "client_id": "9b49de48-d198-47e7-afff-7ee26cbcbc95",
    "client_secret": "er...",
    "registration_access_token": "2a...",
    "registration_client_uri": "https://oidc.signinwithethereum.org/client/9b49de48-d198-47e7-afff-7ee26cbcbc95",
    "redirect_uris": ["https://<your.domain>/cb"]
}

A client can then be updated or deleted using the registration_client_uri with the registration_access_token as a Bearer token.