OIDC discovery validator

Per OpenID Connect Discovery 1.0

Fetches /.well-known/openid-configuration for the issuer host and checks mandatory fields, HTTPS endpoints, issuer consistency, PKCE and signing algorithms.

What is this, and when do I need it?

What is this?

OpenID Connect Discovery 1.0 lets clients learn an issuer's endpoints and supported features from a standard JSON document at /.well-known/openid-configuration. This tool fetches the document for a given issuer host and checks the mandatory fields (issuer, authorization_endpoint, jwks_uri, response_types_supported, subject_types_supported, id_token_signing_alg_values_supported), endpoint HTTPS, issuer consistency, PKCE method advertisement and recommended scopes.
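The checks listed above, applied offline to an already-parsed document; this is an added example, not this tool's own code. The RS256 requirement and the `code_challenge_methods_supported` field name are taken from the Discovery and OAuth server metadata specifications as assumptions about what the tool checks, and both sample documents are constructed.

```python
from urllib.parse import urlsplit

# Mandatory fields as listed on this page.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def validate_discovery(expected_issuer, doc):
    """Return (severity, message) findings for a parsed discovery document."""
    findings = [("error", f"missing mandatory field: {f}") for f in REQUIRED if not doc.get(f)]
    # Issuer consistency: exact string match with the issuer the client asked for.
    if "issuer" in doc and doc["issuer"] != expected_issuer:
        findings.append(("error", f"issuer mismatch: {doc['issuer']!r}"))
    # Every advertised endpoint and the JWKS URI must be served over HTTPS.
    for key, value in doc.items():
        is_url_field = key.endswith("_endpoint") or key == "jwks_uri"
        if is_url_field and urlsplit(str(value)).scheme != "https":
            findings.append(("error", f"{key} is not HTTPS: {value}"))
    algs = doc.get("id_token_signing_alg_values_supported") or []
    if algs and "RS256" not in algs:
        findings.append(("error", "RS256 missing from ID token signing algorithms"))
    if "none" in algs:
        findings.append(("warning", "ID token signing algorithm 'none' is advertised"))
    if "S256" not in (doc.get("code_challenge_methods_supported") or []):
        findings.append(("warning", "PKCE method S256 is not advertised"))
    if "openid" not in (doc.get("scopes_supported") or []):
        findings.append(("warning", "scopes_supported does not list 'openid'"))
    return findings

# Constructed sample documents (idp.example.com is a placeholder, not a real provider).
GOOD = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "profile", "email"],
}
BAD = {**GOOD, "issuer": "https://idp.example.com/",   # trailing slash breaks the match
       "token_endpoint": "http://idp.example.com/token",
       "id_token_signing_alg_values_supported": ["HS256", "none"],
       "code_challenge_methods_supported": ["plain"]}
del BAD["jwks_uri"]
```

Calling `validate_discovery("https://idp.example.com", BAD)` yields four errors and two warnings, including the trailing-slash issuer mismatch that a looser comparison would miss.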

When do I need it?

Before pointing a client at a new OIDC provider, after changing the configuration of your own provider, or as a quick sanity check when integrating a vendor that ships an SSO endpoint. The tool also makes a good spec primer if you need to explain to a colleague why a particular field is mandatory.

Server path: this tool does NOT run locally in the browser. We fetch the discovery document via our server (browsers cannot do CORS-free fetches against foreign .well-known paths). We do not log the host or the result. Requests are limited to 12 per minute per IP.