Section 2: Discovering OFP Endpoints via Well-Known

The well-known endpoint is your starting point for discovering the OFP's Authorization Server configuration, including all critical endpoint URLs you'll use throughout the API interaction.

Overview

The OpenID Connect discovery standard provides a well-known endpoint that returns the Authorization Server's configuration. This tells you where to send authorization requests, token requests, and how to access other critical endpoints.

Call the Well-Known Endpoint

What is the Well-Known Endpoint?

The well-known endpoint follows the OpenID Connect discovery standard and returns configuration information about the OFP's Authorization Server.

Making the Request

Endpoint:

GET https://{{AS_URL}}/.well-known/openid-configuration

Transport Security: TLS only (no mTLS required)

Headers:

No authentication required for this public endpoint
Standard HTTP headers (Accept: application/json)

Example cURL Request:

curl -X GET "https://{{AS_URL}}/.well-known/openid-configuration" \
  -H "Accept: application/json"

Understanding the Response

The response contains critical URLs and configuration you'll use throughout your API interactions. Key fields:

Field	Purpose	Notes
`issuer`	Identity of the OFP Authorization Server	Must match the `iss` claim in authorization responses
`authorization_endpoint`	URL to send user for consent authorization	Used in authorization code flow
`token_endpoint`	URL to exchange authorization code for tokens	Acquires access tokens and ID tokens
`pushed_authorization_request_endpoint`	URL for submitting Pushed Authorization Requests	Required before authorization flow (FAPI 2.0 mandate)
`userinfo_endpoint`	URL to retrieve authenticated user information	Returns claims about the user
`introspection_endpoint`	URL to check token validity	Validate token status
`revocation_endpoint`	URL to revoke tokens and consents	Revoke consent or tokens
`jwks_uri`	URL to retrieve OFP's public keys	Used for signature verification
`mtls_endpoint_aliases`	mTLS versions of sensitive endpoints	Use for certificate-based authentication

Store these URLs in your application or Postman environment. You'll reference them in subsequent sections.

Important Notes on Well-Known Response

require_pushed_authorization_requests will be true - all authorization requests must use PAR
response_types_supported will be ["code"] - only authorization code flow is supported
code_challenge_methods_supported will be ["S256"] - PKCE with SHA256 is required
scopes_supported includes openid and accounts

Next Steps

You now have the OFP endpoint URLs. Proceed to:

Section 3: Obtaining Access Tokens via Client Credentials Grant - Learn how to authenticate your application
Section 4: Discovering Data Providers - Use the token to discover available DPs

Previous: Pre-requisites
Next: Client Authentication Methods