diff --git a/classes/OIDCDiscoveryGenerator.php b/classes/OIDCDiscoveryGenerator.php
new file mode 100644
index 0000000000000000000000000000000000000000..1eac4595370e7d47dc6cd9145df7daf9003acff8
--- /dev/null
+++ b/classes/OIDCDiscoveryGenerator.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace RAP;
+
+class OIDCDiscoveryGenerator {
+
+ private $locator;
+
+ public function __construct(Locator $locator) {
+ $this->locator = $locator;
+ }
+
+ public function getConfiguration() {
+
+ $config = $this->locator->config;
+
+ $discoveryConfig = [];
+
+ $host = filter_input(INPUT_SERVER, 'HTTP_HOST', FILTER_SANITIZE_STRING);
+ $baseUrl = 'https://' . $host . $config->contextRoot;
+
+ $discoveryConfig['issuer'] = $baseUrl;
+ $discoveryConfig['authorization_endpoint'] = $baseUrl . '/auth/oauth2/authorize';
+ $discoveryConfig['token_endpoint'] = $baseUrl . '/auth/oauth2/token';
+ $discoveryConfig['jwks_uri'] = $baseUrl . '/auth/oidc/jwks';
+ $discoveryConfig['scopes_supported'] = ['openid', 'email', 'profile'];
+ $discoveryConfig['grant_types_supported'] = ['authorization_code', 'client_credentials', 'refresh_token', 'urn:ietf:params:oauth:grant-type:token-exchange'];
+ $discoveryConfig['id_token_signing_alg_values_supported'] = ['RS256'];
+ $discoveryConfig['claims_supported'] = ['sub', 'iss', 'iat', 'exp', 'name', 'aud', 'email', 'given_name', 'family_name', 'org'];
+
+ return $discoveryConfig;
+ }
+
+}
diff --git a/include/front-controller.php b/include/front-controller.php
index ed05c7dce12d5747007dd61a1e35ee72941b200a..7d7180fcb53a70c3897bf295c791fe1196614602 100644
--- a/include/front-controller.php
+++ b/include/front-controller.php
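Review bot: `issuer` and every endpoint URL in `getConfiguration()` are derived from the request's `HTTP_HOST` header, so the discovery document reflects whatever Host a client or intermediary cache sends, and `issuer` will not be the fixed value that ID-token consumers compare against `iss`. The public base URL should come from deployment configuration on `$config` (a new field, name to be chosen — not on this page) rather than from `filter_input(INPUT_SERVER, 'HTTP_HOST', FILTER_SANITIZE_STRING)`, which additionally returns `null` when the header is absent (yielding `https://` followed only by `contextRoot`) and uses `FILTER_SANITIZE_STRING`, deprecated since PHP 8.1. The document also omits two keys that OpenID Connect Discovery 1.0 marks REQUIRED: `$discoveryConfig['response_types_supported'] = ['code'];` and `$discoveryConfig['subject_types_supported'] = ['public'];` (adjust if the server issues pairwise subjects or supports other response types). Declaring the return type, `public function getConfiguration(): array {`, with a `/** @return array<string, mixed> OpenID Provider metadata served at /.well-known/openid-configuration */` docblock would document the contract.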
@@ -70,6 +70,12 @@ function renderMainPage(RAP\AuthPageModel $authPageModel) {
 'model' => $authPageModel));
 }
+Flight::route('GET /.well-known/openid-configuration', function() {
+ global $locator;
+ $discoveryGen = new RAP\OIDCDiscoveryGenerator($locator);
+ Flight::json($discoveryGen->getConfiguration());
+});
+
 Flight::route('GET /auth/oauth2/authorize', function() {
 session_start();