
Discovery & JWKS

/.well-known/openid-configuration

The discovery document advertises every supported feature and every endpoint. Read it at runtime rather than hard-coding paths, since endpoints and capabilities can change. Before using anything in it, check that its `issuer` value is exactly `https://id.littlexlittle.org`, i.e. the URL the document was fetched from minus `/.well-known/openid-configuration`, byte for byte (no trailing slash, no scheme or host variation). A document whose issuer does not match must be discarded, and the same exact string is the only acceptable `iss` in any id_token.

```bash
curl https://id.littlexlittle.org/.well-known/openid-configuration
```

Sample response:

```json
{
  "issuer": "https://id.littlexlittle.org",
  "authorization_endpoint": "https://id.littlexlittle.org/oidc/authorize",
  "token_endpoint": "https://id.littlexlittle.org/oidc/token",
  "userinfo_endpoint": "https://id.littlexlittle.org/oidc/userinfo",
  "revocation_endpoint": "https://id.littlexlittle.org/oidc/revoke",
  "introspection_endpoint": "https://id.littlexlittle.org/oidc/introspect",
  "end_session_endpoint": "https://id.littlexlittle.org/oidc/logout",
  "jwks_uri": "https://id.littlexlittle.org/.well-known/jwks.json",
  "scopes_supported": ["openid", "profile", "email", "offline_access", "lxl.access"],
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "code_challenge_methods_supported": ["S256"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "none"],
  "claims_supported": [
    "sub", "iss", "aud", "exp", "iat", "auth_time", "nonce",
    "name", "given_name", "family_name", "picture", "email", "email_verified",
    "lxl.app", "lxl.access", "lxl.master", "lxl.role", "lxl.links"
  ],
  "ui_locales_supported": ["en"],
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": false,
  "claims_parameter_supported": false
}
```

/.well-known/jwks.json

Public keys for verifying id_token signatures. Only RS256 signing keys are published, matching `id_token_signing_alg_values_supported` in the discovery document. A verifier must take the expected algorithm from discovery, not from the token: reject any id_token whose header `alg` is anything other than `RS256`, including `none` or an HMAC algorithm, before touching the signature.

```bash
curl https://id.littlexlittle.org/.well-known/jwks.json
```

```json
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "alg": "RS256",
      "kid": "m-ipibEBWSvzmoTLYdygRA",
      "n": "0vx7agoebGcQ...",
      "e": "AQAB"
    },
    {
      "kty": "RSA",
      "use": "sig",
      "alg": "RS256",
      "kid": "previous-key-id",
      "n": "...",
      "e": "AQAB"
    }
  ]
}
```

Key rotation

  • Keys rotate every 90 days.
  • The previous key remains in JWKS until all tokens it signed have expired (refresh TTL + grace).
  • Always look up the key by `kid` from the JWT header rather than picking the first one; a token whose `kid` is missing or not a string is invalid.
  • Cache JWKS for 6h max; refresh on a `kid` miss, but rate-limit that refresh (one fetch per miss window, not one per token), otherwise tokens carrying made-up `kid` values turn your verifier into a request generator against `jwks_uri`.

/fedcm.json

The FedCM identity-provider manifest, served at the root for browser discovery. The endpoint paths are relative and the browser resolves them against the manifest's own origin, so they always point back at id.littlexlittle.org.

```json
{
  "accounts_endpoint": "/oidc/fedcm/accounts",
  "client_metadata_endpoint": "/oidc/fedcm/metadata",
  "id_assertion_endpoint": "/oidc/fedcm/assertion",
  "login_url": "/login",
  "branding": {
    "background_color": "#5e35b1",
    "color": "#ffffff",
    "icons": [{ "url": "https://cdn.littlexlittle.org/brand/icon-192.png", "size": 192 }]
  }
}
```