API Stability Long-Term

The fetchOIDCMetadataFromDiscoveryEndpoint() GraphQL query field fetches the OIDC metadata from the discovery endpoint you provide (e.g., .well-known/openid-configuration).

For more information on OpenID Connect, see the Authenticating with OpenID Connect documentation page. You may also want to look at Authentication and Identity Providers for related information.

Syntax

Below is the syntax for the fetchOIDCMetadataFromDiscoveryEndpoint() query field:

graphql
fetchOIDCMetadataFromDiscoveryEndpoint(
     discoveryEndpoint: string!
   ): WellKnownEndpointDetails

Below is an example of this query, along with requests for several return parameters:

Raw
graphql
query {
  fetchOIDCMetadataFromDiscoveryEndpoint(discoveryEndpoint: "https://oidc.company.com") {
    authorizationEndpoint
    jwksEndpoint
    registrationEndpoint
    tokenEndpoint
    userInfoEndpoint
  }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  fetchOIDCMetadataFromDiscoveryEndpoint(discoveryEndpoint: \"https://oidc.company.com\") {
    authorizationEndpoint
    jwksEndpoint
    registrationEndpoint
    tokenEndpoint
    userInfoEndpoint
  }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "query { fetchOIDCMetadataFromDiscoveryEndpoint(discoveryEndpoint: \"https://oidc.company.com\") { authorizationEndpoint jwksEndpoint registrationEndpoint tokenEndpoint userInfoEndpoint } }"}'
Windows Cmd and curl
shell
curl -v -X POST %YOUR_LOGSCALE_URL%/graphql ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"query { fetchOIDCMetadataFromDiscoveryEndpoint(discoveryEndpoint: \\\"https://oidc.company.com\\\") { authorizationEndpoint jwksEndpoint registrationEndpoint tokenEndpoint userInfoEndpoint } }\"}"
Windows Powershell and curl
powershell
# Assumes PowerShell 7.3 or later, which passes the embedded double quotes to curl.exe unchanged.
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{"query" : "query {
  fetchOIDCMetadataFromDiscoveryEndpoint(discoveryEndpoint: \"https://oidc.company.com\") {
    authorizationEndpoint
    jwksEndpoint
    registrationEndpoint
    tokenEndpoint
    userInfoEndpoint
  }
}"
}' `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;

use HTTP::Request;
use JSON::PP;
use LWP::UserAgent;

# The LogScale base URL and API token are read from the environment.
my $TOKEN = $ENV{TOKEN};
my $uri   = "$ENV{YOUR_LOGSCALE_URL}/graphql";

my $query = 'query {
  fetchOIDCMetadataFromDiscoveryEndpoint(discoveryEndpoint: "https://oidc.company.com") {
    authorizationEndpoint
    jwksEndpoint
    registrationEndpoint
    tokenEndpoint
    userInfoEndpoint
  }
}';
$query =~ s/\n/ /g;

# encode_json escapes the embedded double quotes, so the request body is valid JSON.
my $json = encode_json({ query => $query });
my $req = HTTP::Request->new("POST", $uri);

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content($json);

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request($req);

# Use the public accessor rather than the object's internal "_content" key.
print $result->decoded_content, "\n";
Python
python
#! /usr/local/bin/python3

import os

import requests

# The LogScale base URL and API token are read from the environment.
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

query = """query {
  fetchOIDCMetadataFromDiscoveryEndpoint(discoveryEndpoint: "https://oidc.company.com") {
    authorizationEndpoint
    jwksEndpoint
    registrationEndpoint
    tokenEndpoint
    userInfoEndpoint
  }
}"""

# json= serializes the body (escaping quotes and newlines) and sets Content-Type.
resp = requests.post(
    url,
    json={"query": query},
    headers={"Authorization": f"Bearer {token}"},
    timeout=30,
)

print(resp.text)
Node.js
javascript
const https = require('https');

// A template literal allows the multi-line query; JSON.stringify escapes it.
const query = `query {
  fetchOIDCMetadataFromDiscoveryEndpoint(discoveryEndpoint: "https://oidc.company.com") {
    authorizationEndpoint
    jwksEndpoint
    registrationEndpoint
    tokenEndpoint
    userInfoEndpoint
  }
}`;
const data = JSON.stringify({ query });

// The LogScale base URL and API token are read from the environment.
const url = new URL(process.env.YOUR_LOGSCALE_URL + '/graphql');

const options = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Byte length, not character count, so non-ASCII bodies are sized correctly.
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(url, options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Returned Datatypes

The returned datatype WellKnownEndpointDetails has its own parameters. Below is a list of them along with their datatypes and a description of each:

Table: WellKnownEndpointDetails

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| authorizationEndpoint | string | | | Long-Term | A URL to the endpoint a user should be redirected to when authorizing. |
| issuer | string | yes | | Long-Term | The authentication provider issuer. |
| jwksEndpoint | string | | | Long-Term | A URL to the JWKS endpoint for retrieving keys for validating tokens. Required. |
| registrationEndpoint | string | | | Long-Term | To use OIDC as a client, PUBLIC_URL must be set, LogScale must be registered as a client with your OpenID provider, and the provider must allow %PUBLIC_URL%/auth/oidc as a valid redirect endpoint for the client. |
| tokenEndpoint | string | | | Long-Term | A URL to the token endpoint used to exchange an authentication code for an access token. Required for clients. |
| tokenEndpointAuthMethod | string | yes | | Long-Term | The authentication method used to authenticate LogScale against the token endpoint. Can be either client_secret_basic or client_secret_post, for placing the client id and secret in either basic auth or post data, respectively. Defaults to client_secret_basic, or client_secret_post if client_secret_basic is not supported as per the discovery endpoint. |
| userInfoEndpoint | string | | | Long-Term | A URL to the user info endpoint used to retrieve user information from an access token. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.

Table last updated: Oct 7, 2024
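
Before saving the fetched metadata as identity provider configuration, it is worth checking the WellKnownEndpointDetails fields listed above. The following is an added example, not LogScale code: `check_metadata`, `expected_issuer` and the sample dictionaries are hypothetical names and constructed data, and it assumes the query selected every field in the table. The issuer comparison follows OpenID Connect Discovery 1.0, section 4.3; ignoring a trailing slash is a choice made here.

```python
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
ALLOWED_AUTH_METHODS = {"client_secret_basic", "client_secret_post"}
URL_FIELDS = ("authorizationEndpoint", "jwksEndpoint", "registrationEndpoint",
              "tokenEndpoint", "userInfoEndpoint")


def expected_issuer(discovery_endpoint: str) -> str:
    """Issuer implied by the discovery URL, with the well-known suffix removed."""
    base = discovery_endpoint.rstrip("/")
    if base.endswith(WELL_KNOWN_SUFFIX):
        base = base[: -len(WELL_KNOWN_SUFFIX)]
    return base.rstrip("/")


def check_metadata(discovery_endpoint: str, details: dict) -> list[str]:
    """Return findings for one response; an empty list means no issue was found."""
    findings = []
    issuer = (details.get("issuer") or "").rstrip("/")
    if issuer != expected_issuer(discovery_endpoint):
        findings.append(f"issuer {issuer!r} does not match the discovery endpoint")
    if not details.get("jwksEndpoint"):
        findings.append("jwksEndpoint missing: tokens cannot be validated")
    for field in URL_FIELDS:
        value = details.get(field)
        if value is None:
            continue  # optional field not returned by the provider
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.hostname:
            findings.append(f"{field} is not an absolute https URL: {value!r}")
    method = details.get("tokenEndpointAuthMethod")
    if method not in ALLOWED_AUTH_METHODS:
        findings.append(f"unexpected tokenEndpointAuthMethod: {method!r}")
    return findings


# Constructed sample responses (not real provider output).
GOOD = {
    "issuer": "https://oidc.company.com",
    "authorizationEndpoint": "https://oidc.company.com/authorize",
    "jwksEndpoint": "https://oidc.company.com/keys",
    "registrationEndpoint": None,
    "tokenEndpoint": "https://oidc.company.com/token",
    "tokenEndpointAuthMethod": "client_secret_basic",
    "userInfoEndpoint": "https://oidc.company.com/userinfo",
}
BAD = dict(GOOD, issuer="https://other-idp.example",
           jwksEndpoint="http://oidc.company.com/keys",
           tokenEndpointAuthMethod="private_key_jwt")
```

Pass the `data.fetchOIDCMetadataFromDiscoveryEndpoint` object from the GraphQL response as `details`, together with the same `discoveryEndpoint` value used in the query.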