OIDC `.well-known/openid-configuration` incomplete

According to the OpenID Connect Discovery 1.0 spec, defining `userinfo_endpoint` is recommended.

I would like to know the endpoint for manual token validation, but am unable to find the endpoint URL myself.

Hi there! :wave:

I'm one of the devs who worked on this feature (ID token in jobs), so I can shed some light on this.

The userinfo endpoint is an OAuth 2.0 Protected Resource, and the client should send the Access Token as a Bearer Token in the header.

Our current implementation of OIDC only supports the ID Token response type (as shown in the discovery document). Therefore, making requests to the CircleCI API with an ID token is not supported. We encourage clients to use it as proof of authentication of the current job when needed. For example, a deployment job needs to assume a role in AWS, impersonate an account in GCP, or authenticate with Vault.

Since the token in jobs is an ID Token in JWT format, clients can, if needed, validate the token by verifying its signature. The signing public key is published at the jwks_uri endpoint.

Really appreciate your feedback, and I hope my comment helps. Please share more thoughts/feedback anytime! :smiley:

1 Like
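Putting the reply's validation steps into code, as an added example that is not part of the original thread or of CircleCI's own tooling: the Go program below takes the signing key from a JWKS document (what a fetch of `jwks_uri` from the discovery document returns), pins the algorithm to RS256, verifies the ID token's signature, and only then checks `iss`, `aud` and `exp`. The issuer URL, audience, key ID and claim values are constructed for the example, the key pair is generated locally in place of the provider's key, and `signRS256`/`jwksFor` stand in for the provider so the verifier has input to work on; the array form of the `aud` claim is not handled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed for this example; a real verifier takes the issuer from the discovery document's issuer field and the audience from its own configuration.
const exampleIssuer = "https://oidc.example.com/org/11111111-2222-3333-4444-555555555555"
const exampleAudience = "11111111-2222-3333-4444-555555555555"

var b64 = base64.RawURLEncoding

// jwks mirrors the document served at jwks_uri, reduced to the RSA fields an RS256
// verifier needs (encoding/json matches kty/kid/n/e to these fields case-insensitively).
type jwk struct{ Kty, Kid, N, E string }
type jwks struct{ Keys []jwk }

// decodeSegment base64url-decodes one JWS segment and parses it as JSON.
func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// publicKeyFromJWKS selects the key named by the token header's kid.
func publicKeyFromJWKS(set jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// verifyIDToken checks the RS256 signature against the JWKS, then iss, aud and exp.
func verifyIDToken(token string, set jwks, issuer, audience string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	// Pin the algorithm: the token must not choose it (rejects alg "none" and key confusion).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := publicKeyFromJWKS(set, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	// Claims are parsed only once the signature holds.
	var claims map[string]interface{}
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != issuer {
		return nil, fmt.Errorf("issuer %v is not %s", claims["iss"], issuer)
	}
	if claims["aud"] != audience { // the array form of aud is not handled here
		return nil, fmt.Errorf("audience %v is not %s", claims["aud"], audience)
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("exp missing or in the past")
	}
	return claims, nil
}

// jwksFor publishes a public key as the JWKS document jwks_uri would serve.
func jwksFor(pub *rsa.PublicKey, kid string) jwks {
	e := big.NewInt(int64(pub.E)).Bytes()
	return jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}}
}

// signRS256 mints a token the way a provider would; it exists only to produce test input.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
```

Driving it: generate a key with `rsa.GenerateKey`, publish it with `jwksFor`, mint a token with `signRS256`, and call `verifyIDToken` with the expected issuer, the expected audience and the current time. A tampered payload, an `alg` of `none`, an unknown `kid`, a wrong issuer or audience, or a past `exp` each come back as an error. Against a real provider, replace the local JWKS with the document fetched over HTTPS from the discovery document's `jwks_uri`, and compare `iss` with its `issuer` field.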