Skip to content

OIDC Endpoints

stubIdP exposes a standard OpenID Connect endpoint set. The base path depends on the runtime:

RuntimeBase URL
Node.js CLIhttp://localhost:8484
Cloudflare Workershttps://<worker>.workers.dev
GET {base}/.well-known/openid-configuration

Returns the standard OIDC Provider Metadata document, including all endpoint URLs, supported scopes, response types, and signing algorithms.

GET {base}/auth

Initiates the authorization code flow. Standard OIDC query parameters:

ParameterRequiredDescription
client_idYesMust match the configured client ID
redirect_uriYesMust match the configured redirect URI
response_typeYescode
scopeYesSpace-separated scopes (e.g. openid profile email)
stateRecommendedOpaque value for CSRF protection
nonceRecommendedValue for replay attack prevention
POST {base}/token

Exchanges an authorization code for tokens. Supports the authorization_code grant type.

Request body (form-encoded):

FieldDescription
grant_typeauthorization_code
codeAuthorization code received from the callback
redirect_uriMust match the original authorization request
client_idClient ID
client_secretClient secret

The response includes access_token, id_token, and optionally refresh_token when offline_access is requested.

GET {base}/me

Returns claims about the authenticated user. Requires a valid Bearer access token in the Authorization header.

GET {base}/jwks

Returns the JSON Web Key Set used to verify token signatures. Use this endpoint in your application for automatic key discovery.

GET {base}/session/end

Initiates RP-Initiated Logout (OpenID Connect RP-Initiated Logout 1.0).

ParameterDescription
id_token_hintPreviously issued ID token. Used to identify the session to end.
post_logout_redirect_uriURI to redirect to after logout. Must match the value configured via --post-logout-redirect-uri / STUBIDP_POST_LOGOUT_REDIRECT_URI.
stateOpaque value passed back to the client in the post-logout redirect.

When --skip-prompt is enabled, stubIdP auto-approves logout without showing a confirmation page and immediately performs back-channel logout notifications before destroying the session.

These endpoints are only available when stubIdP is started with --enable-registration.

POST {base}/register

Registers a new client. When --registration-initial-access-token is set, the request must include Authorization: Bearer <token>.

Request body (JSON):

FieldRequiredDescription
redirect_urisYesArray of allowed redirect URIs
client_nameNoHuman-readable client name
grant_typesNoDefaults to ["authorization_code"]
response_typesNoDefaults to ["code"]

The response includes client_id, client_secret, registration_client_uri, and registration_access_token.

GET {base}/register/{client_id}

Returns the current registration metadata for the client. Requires Authorization: Bearer <registration_access_token>.

PUT {base}/register/{client_id}

Replaces the client’s registration metadata. The full client object must be supplied (not a partial patch). Requires Authorization: Bearer <registration_access_token>.

DELETE {base}/register/{client_id}

Removes the client registration. Requires Authorization: Bearer <registration_access_token>.

These endpoints are not part of the OIDC spec and are served at the root path regardless of runtime.

GET /healthz

Always returns 200 OK when the server process is running. Use this for liveness probes.

{ "status": "ok" }
GET /readyz

Returns 200 OK when stubIdP is ready to serve traffic, or 503 Service Unavailable if any check fails. Use this for readiness probes.

Checks:

CheckAlways presentDescription
oidcYesOIDC provider initialized and issuer set
dbWhen DB configuredDatabase reachable via SELECT 1

Example response (all healthy):

{
"status": "ok",
"checks": {
"oidc": { "status": "ok" },
"db": { "status": "ok" }
}
}

Example response (DB unreachable):

{
"status": "error",
"checks": {
"oidc": { "status": "ok" },
"db": { "status": "error", "error": "Connection refused" }
}
}