OIDC · Capability
OpenID Connect API
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of end-users based on the authentication performed by an authorization server, and to obtain basic profile information about the end-user in an interoperable and REST-like manner. This specification covers the core OIDC endpoints including discovery, token, userinfo, and JWKS.
What You Can Do
GET /.well-known/openid-configuration (getdiscovery): OpenID Connect Discovery
GET /authorize (authorize): Authorization Endpoint
POST /token (gettoken): Token Endpoint
GET /userinfo (getuserinfo): UserInfo Endpoint
POST /userinfo (postuserinfo): UserInfo Endpoint (POST)
GET /.well-known/jwks.json (getjwks): JSON Web Key Set Endpoint
GET /end-session (endsession): End Session Endpoint
MCP Tools
getdiscovery: OpenID Connect Discovery (read-only, idempotent)
authorize: Authorization Endpoint (read-only, idempotent)
gettoken: Token Endpoint
getuserinfo: UserInfo Endpoint (read-only, idempotent)
postuserinfo: UserInfo Endpoint (POST)
getjwks: JSON Web Key Set Endpoint (read-only, idempotent)
endsession: End Session Endpoint (read-only, idempotent)
Capability Spec
naftiko: 1.0.0-alpha2
info:
  label: OpenID Connect API
  description: OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of end-users based on the authentication performed by an authorization server, and to obtain basic profile information about the end-user in an interoperable and REST-like manner. This specification covers the core OIDC endpoints including discovery, token, userinfo, and JWKS.
  tags:
    - Oidc
    - API
  created: '2026-05-06'
  modified: '2026-05-06'
capability:
  consumes:
    - type: http
      namespace: oidc
      baseUri: https://example.com
      description: OpenID Connect API HTTP API.
      authentication:
        type: bearer
        token: '{{OIDC_TOKEN}}'
      resources:
        - name: well-known-openid-configuration
          path: /.well-known/openid-configuration
          operations:
            - name: getdiscovery
              method: GET
              description: OpenID Connect Discovery
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: authorize
          path: /authorize
          operations:
            - name: authorize
              method: GET
              description: Authorization Endpoint
              inputParameters:
                - name: response_type
                  in: query
                  type: string
                  required: true
                  description: The value must include 'code' for the Authorization Code Flow, 'id_token' for the Implicit Flow, or 'code id_token' for the Hybrid Flow.
                - name: client_id
                  in: query
                  type: string
                  required: true
                  description: The client identifier issued during registration.
                - name: redirect_uri
                  in: query
                  type: string
                  required: true
                  description: The redirection URI to which the response will be sent. Must exactly match one of the redirection URIs registered for the client.
                - name: scope
                  in: query
                  type: string
                  required: true
                  description: Space-delimited list of scopes. Must include 'openid' to indicate an OIDC request. May also include 'profile', 'email', 'address', and 'phone'.
                - name: state
                  in: query
                  type: string
                  description: An opaque value used by the client to maintain state between the request and callback. Recommended for CSRF protection.
                - name: nonce
                  in: query
                  type: string
                  description: A string value used to associate a client session with an ID Token and to mitigate replay attacks. Required for implicit flow.
                - name: prompt
                  in: query
                  type: string
                  description: Space-delimited list of values that specifies whether the authorization server prompts the end-user for reauthentication and consent.
                - name: login_hint
                  in: query
                  type: string
                  description: A hint to the authorization server about the login identifier the end-user might use.
                - name: acr_values
                  in: query
                  type: string
                  description: Requested Authentication Context Class Reference values.
                - name: code_challenge
                  in: query
                  type: string
                  description: PKCE code challenge derived from the code verifier.
                - name: code_challenge_method
                  in: query
                  type: string
                  description: Code challenge method used to derive the code challenge.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: token
          path: /token
          operations:
            - name: gettoken
              method: POST
              description: Token Endpoint
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: userinfo
          path: /userinfo
          operations:
            - name: getuserinfo
              method: GET
              description: UserInfo Endpoint
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: postuserinfo
              method: POST
              description: UserInfo Endpoint (POST)
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: well-known-jwks-json
          path: /.well-known/jwks.json
          operations:
            - name: getjwks
              method: GET
              description: JSON Web Key Set Endpoint
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: end-session
          path: /end-session
          operations:
            - name: endsession
              method: GET
              description: End Session Endpoint
              inputParameters:
                - name: id_token_hint
                  in: query
                  type: string
                  description: The ID token previously issued to the client.
                - name: post_logout_redirect_uri
                  in: query
                  type: string
                  description: The URI to redirect to after logout.
                - name: state
                  in: query
                  type: string
                  description: Opaque value for maintaining state between request and callback.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  exposes:
    - type: rest
      port: 8080
      namespace: oidc-rest
      description: REST adapter for OpenID Connect API.
      resources:
        - path: /.well-known/openid-configuration
          name: getdiscovery
          operations:
            - method: GET
              name: getdiscovery
              description: OpenID Connect Discovery
              call: oidc.getdiscovery
              outputParameters:
                - type: object
                  mapping: $.
        - path: /authorize
          name: authorize
          operations:
            - method: GET
              name: authorize
              description: Authorization Endpoint
              call: oidc.authorize
              outputParameters:
                - type: object
                  mapping: $.
        - path: /token
          name: gettoken
          operations:
            - method: POST
              name: gettoken
              description: Token Endpoint
              call: oidc.gettoken
              outputParameters:
                - type: object
                  mapping: $.
        - path: /userinfo
          name: getuserinfo
          operations:
            - method: GET
              name: getuserinfo
              description: UserInfo Endpoint
              call: oidc.getuserinfo
              outputParameters:
                - type: object
                  mapping: $.
        - path: /userinfo
          name: postuserinfo
          operations:
            - method: POST
              name: postuserinfo
              description: UserInfo Endpoint (POST)
              call: oidc.postuserinfo
              outputParameters:
                - type: object
                  mapping: $.
        - path: /.well-known/jwks.json
          name: getjwks
          operations:
            - method: GET
              name: getjwks
              description: JSON Web Key Set Endpoint
              call: oidc.getjwks
              outputParameters:
                - type: object
                  mapping: $.
        - path: /end-session
          name: endsession
          operations:
            - method: GET
              name: endsession
              description: End Session Endpoint
              call: oidc.endsession
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      port: 9090
      namespace: oidc-mcp
      transport: http
      description: MCP adapter for OpenID Connect API for AI agent use.
      tools:
        - name: getdiscovery
          description: OpenID Connect Discovery
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oidc.getdiscovery
          outputParameters:
            - type: object
              mapping: $.
        - name: authorize
          description: Authorization Endpoint
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oidc.authorize
          with:
            response_type: tools.response_type
            client_id: tools.client_id
            redirect_uri: tools.redirect_uri
            scope: tools.scope
            state: tools.state
            nonce: tools.nonce
            prompt: tools.prompt
            login_hint: tools.login_hint
            acr_values: tools.acr_values
            code_challenge: tools.code_challenge
            code_challenge_method: tools.code_challenge_method
          inputParameters:
            - name: response_type
              type: string
              description: The value must include 'code' for the Authorization Code Flow, 'id_token' for the Implicit Flow, or 'code id_token' for the Hybrid Flow.
              required: true
            - name: client_id
              type: string
              description: The client identifier issued during registration.
              required: true
            - name: redirect_uri
              type: string
              description: The redirection URI to which the response will be sent. Must exactly match one of the redirection URIs registered for the client.
              required: true
            - name: scope
              type: string
              description: Space-delimited list of scopes. Must include 'openid' to indicate an OIDC request. May also include 'profile', 'email', 'address', and 'phone'.
              required: true
            - name: state
              type: string
              description: An opaque value used by the client to maintain state between the request and callback. Recommended for CSRF protection.
            - name: nonce
              type: string
              description: A string value used to associate a client session with an ID Token and to mitigate replay attacks. Required for implicit flow.
            - name: prompt
              type: string
              description: Space-delimited list of values that specifies whether the authorization server prompts the end-user for reauthentication and consent.
            - name: login_hint
              type: string
              description: A hint to the authorization server about the login identifier the end-user might use.
            - name: acr_values
              type: string
              description: Requested Authentication Context Class Reference values.
            - name: code_challenge
              type: string
              description: PKCE code challenge derived from the code verifier.
            - name: code_challenge_method
              type: string
              description: Code challenge method used to derive the code challenge.
          outputParameters:
            - type: object
              mapping: $.
        - name: gettoken
          description: Token Endpoint
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: oidc.gettoken
          outputParameters:
            - type: object
              mapping: $.
        - name: getuserinfo
          description: UserInfo Endpoint
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oidc.getuserinfo
          outputParameters:
            - type: object
              mapping: $.
        - name: postuserinfo
          description: UserInfo Endpoint (POST)
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: oidc.postuserinfo
          outputParameters:
            - type: object
              mapping: $.
        - name: getjwks
          description: JSON Web Key Set Endpoint
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oidc.getjwks
          outputParameters:
            - type: object
              mapping: $.
        - name: endsession
          description: End Session Endpoint
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oidc.endsession
          with:
            id_token_hint: tools.id_token_hint
            post_logout_redirect_uri: tools.post_logout_redirect_uri
            state: tools.state
          inputParameters:
            - name: id_token_hint
              type: string
              description: The ID token previously issued to the client.
            - name: post_logout_redirect_uri
              type: string
              description: The URI to redirect to after logout.
            - name: state
              type: string
              description: Opaque value for maintaining state between request and callback.
          outputParameters:
            - type: object
              mapping: $.
  binds:
    - namespace: env
      keys:
        OIDC_TOKEN: OIDC_TOKEN
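The `authorize` operation above lists the three parameters that do the security work on the client side: `state` (CSRF protection across the callback), `nonce` (binds the ID Token to the session), and `code_challenge`/`code_challenge_method` (PKCE). The following is an added example, not part of this capability spec or the Naftiko project, showing how a relying party would construct those values, build the `/authorize` request, and verify the callback. The client id, the registered redirect URI, the callback query and the ID Token claims are constructed sample values; the PKCE S256 transform follows RFC 7636, and the `/authorize` path and parameter names come from the spec above.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example: the spec's baseUri plus its /authorize path,
# and a hypothetical client registration with one exact redirect URI.
AUTHORIZE_URL = "https://example.com/authorize"
REGISTERED_REDIRECT_URIS = ("https://client.example.org/cb",)


def pkce_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(verifier)) with padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes give 43 unpadded base64url characters, inside RFC 7636's 43..128 range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id, redirect_uri, scope, state, nonce, code_verifier) -> str:
    """Build the GET /authorize URL for the Authorization Code Flow with PKCE.

    The checks mirror the parameter descriptions in the spec: redirect_uri must
    match a registered URI exactly, and scope must include 'openid'.
    """
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri must exactly match a registered redirection URI")
    if "openid" not in scope.split():
        raise ValueError("scope must include 'openid' for an OIDC request")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def validate_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the callback carries the state we issued.

    A missing or mismatched state is treated as a CSRF or mix-up attempt and
    the code is discarded; the comparison is constant-time.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization server returned error: %s" % query["error"][0])
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not bound to this client session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def nonce_matches(id_token_claims: dict, expected_nonce: str) -> bool:
    """After the ID Token signature is verified, its nonce must equal the one sent on /authorize."""
    nonce = id_token_claims.get("nonce")
    return isinstance(nonce, str) and secrets.compare_digest(nonce.encode(), expected_nonce.encode())


if __name__ == "__main__":
    verifier = new_code_verifier()           # kept server-side, sent later to /token as code_verifier
    state = secrets.token_urlsafe(16)        # stored in the user's session
    nonce = secrets.token_urlsafe(16)        # stored in the user's session
    url = build_authorization_request(
        "sample-client-id", REGISTERED_REDIRECT_URIS[0], "openid profile email", state, nonce, verifier
    )
    print("redirect the browser to:", url)

    # Constructed callback, as the authorization server would redirect it.
    callback = REGISTERED_REDIRECT_URIS[0] + "?" + urlencode({"code": "SAMPLE_CODE", "state": state})
    print("authorization code:", validate_callback(callback, state))
    print("nonce ok:", nonce_matches({"nonce": nonce, "sub": "sample-subject"}, nonce))
```

The code verifier, state and nonce are generated per login attempt and kept in the user's session; only the derived challenge and the opaque state and nonce travel through the browser, and the verifier is presented to the token endpoint afterwards so the server can prove the same client started and finished the flow.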