OpenID Connect Discovery Endpoint

Last updated: January 2026

The Agglestone Authentication and User Management Service implements the OpenID Connect Discovery specification, allowing standards-based OAuth2 and OpenID Connect client libraries to automatically discover all the configuration information they need. This eliminates the need for manual endpoint configuration and ensures your integration stays up to date with service changes.

What Is OpenID Connect Discovery?

OpenID Connect Discovery is a standardized way for clients to automatically discover the configuration of an OpenID Connect provider. Instead of manually configuring authorization endpoints, token endpoints, supported scopes, and public keys, client libraries can fetch this information automatically from a well-known discovery endpoint.

This means you only need to provide your tenant’s authority URL to a standards-based client library, and it will automatically discover everything else it needs to authenticate users and manage tokens.

Your Tenant’s Discovery Endpoint

Your tenant’s discovery endpoint is located at:

https://auth.agglestone.com/tenant/{tenantId}/v2.0/Auth/.well-known/openid-configuration

Example: If your Tenant Id is 79199f3a-6669-4a21-ac5f-5dec93d90b57, your discovery URL would be:

https://auth.agglestone.com/tenant/79199f3a-6669-4a21-ac5f-5dec93d90b57/v2.0/Auth/.well-known/openid-configuration

Don’t have your Tenant Id yet? Log into your account at https://portal.agglestone.com to find it. Then replace the {tenantId} in the URL above with your own Tenant Id.

How Standards-Based Clients Use Discovery

Standards-based OAuth2 and OpenID Connect client libraries automatically use the discovery endpoint to configure themselves. When you provide your tenant’s authority URL to a client library, it will:

  1. Construct the discovery URL – The library automatically appends /.well-known/openid-configuration to your authority URL
  2. Fetch the configuration – It makes an HTTP GET request to the discovery endpoint
  3. Parse the JSON response – The discovery endpoint returns a JSON object with all configuration information
  4. Auto-configure endpoints – The library uses the discovered endpoints for authorization, token exchange, user info, and other operations
  5. Discover supported features – It learns about supported scopes, response types, and other capabilities
  6. Fetch public keys – It retrieves the JWKS (JSON Web Key Set) endpoint URL to get public keys for token verification

All of this happens automatically when you initialize the client library with your tenant’s authority URL. You don’t need to manually configure any endpoints or keys.
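The steps above can be checked by hand before trusting a fetched configuration. The following is an added example, not code from Agglestone or from any client library: it builds the discovery URL from the authority and validates a parsed discovery document. It assumes the issuer value equals the authority URL (as the OpenID Connect Discovery specification requires) and that tenant-scoped endpoints sit under /tenant/{tenantId}/ on the same host; the sample document and its endpoint paths are constructed.

```python
from urllib.parse import urlsplit

# Tenant Id taken from the example on this page.
AUTHORITY = ("https://auth.agglestone.com/tenant/"
             "79199f3a-6669-4a21-ac5f-5dec93d90b57/v2.0/Auth")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
                 "jwks_uri", "end_session_endpoint")
REQUIRED = ("authorization_endpoint", "jwks_uri")  # required by the Discovery spec

def discovery_url(authority):
    """Step 1: append the well-known suffix to the authority URL."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"

def validate_discovery(authority, document):
    """Return a list of problems found in a parsed discovery document."""
    problems = []
    base = urlsplit(authority)
    # Assumption: tenant-scoped URLs live under /tenant/{tenantId}/ on the same host.
    tenant_prefix = "/".join(base.path.split("/")[:3]) + "/"
    # The Discovery spec requires issuer to equal the URL the suffix was appended to.
    if document.get("issuer") != authority:
        problems.append("issuer does not match authority")
    for key in ENDPOINT_KEYS:
        value = document.get(key)
        if value is None:
            if key in REQUIRED:
                problems.append(f"{key} is missing")
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            problems.append(f"{key} is not https")
        if url.hostname != base.hostname or not url.path.startswith(tenant_prefix):
            problems.append(f"{key} is outside the tenant scope")
    # Local policy choice (not from the page): refuse unsigned ID tokens.
    if "none" in document.get("id_token_signing_alg_values_supported", []):
        problems.append("alg 'none' is advertised")
    return problems

# Constructed sample document; the endpoint paths are hypothetical.
SAMPLE = {
    "issuer": AUTHORITY,
    "authorization_endpoint": AUTHORITY + "/authorize",
    "token_endpoint": AUTHORITY + "/token",
    "jwks_uri": AUTHORITY + "/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(discovery_url(AUTHORITY))
    print(validate_discovery(AUTHORITY, SAMPLE))
```

A document whose jwks_uri points at another host, or whose issuer names a different tenant, comes back with a non-empty problem list and should not be used to verify tokens.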

What Information Is Discovered?

The discovery endpoint returns a JSON object containing all the information a client needs, including:

  • Authorization endpoint – Where to send users for login
  • Token endpoint – Where to exchange authorization codes for tokens
  • User info endpoint – Where to get user profile information
  • JWKS URI – Where to fetch public keys for token verification
  • Supported scopes – What scopes are available (openid, profile, email, etc.)
  • Supported response types – What response types are supported (code, id_token, etc.)
  • Supported grant types – What grant types are available
  • Token signing algorithms – What algorithms are used to sign tokens
  • End session endpoint – Where to send users for logout
  • And more – Additional configuration as defined by the OpenID Connect Discovery specification

Benefits of Using Discovery

Using the discovery endpoint provides several key advantages:

  • No Manual Configuration – You don’t need to hardcode endpoint URLs or keep them updated
  • Automatic Updates – If endpoints change, your client library automatically discovers the new endpoints
  • Standards Compliance – Works with any OpenID Connect compliant client library
  • Simplified Integration – Just provide your authority URL and the library handles the rest
  • Reduced Errors – No risk of typos or outdated endpoint URLs
  • Future-Proof – Your integration automatically adapts to service changes

Tenant Isolation

Each tenant has its own discovery endpoint with tenant-specific configuration. This ensures complete isolation between tenants—your discovery endpoint only reveals configuration for your tenant, and all endpoints are tenant-scoped. This is part of the multi-tenant architecture that keeps your authentication data and configuration completely separate from other tenants.

Ready to integrate? Check out the Quick Start Guide to see how easy it is to use discovery with standard client libraries!