OIDC Discovery
The OpenID Connect discovery endpoint returns metadata about the SeloraX Identity Provider. OAuth client libraries can use this document to automatically configure endpoints, supported scopes, and grant types.
```
GET /api/oauth/.well-known/openid-configuration
```
This is a public endpoint — no authentication required.
Response
```json
{
  "issuer": "https://api.selorax.io",
  "authorization_endpoint": "https://api.selorax.io/api/oauth/authorize",
  "token_endpoint": "https://api.selorax.io/api/oauth/token",
  "userinfo_endpoint": "https://api.selorax.io/api/oauth/userinfo",
  "revocation_endpoint": "https://api.selorax.io/api/oauth/revoke",
  "registration_endpoint": "https://api.selorax.io/api/oauth/clients",
  "scopes_supported": ["openid", "profile", "email", "phone", "store"],
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "subject_types_supported": ["public"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "none"],
  "userinfo_endpoint_auth_methods_supported": ["bearer", "client_secret_post"],
  "claims_supported": [
    "sub", "name", "picture", "email", "email_verified",
    "phone_number", "phone_number_verified",
    "store_id", "store_name", "role"
  ],
  "code_challenge_methods_supported": ["S256"]
}
```

:::info
The discovery document advertises only S256 for PKCE, but the authorization endpoint also accepts plain as a code challenge method. Use S256 (recommended) for maximum compatibility with the discovery document.
:::
Fields
| Field | Description |
|---|---|
| `issuer` | The base URL of the identity provider |
| `authorization_endpoint` | URL to start the authorization flow |
| `token_endpoint` | URL for token exchange |
| `userinfo_endpoint` | URL for fetching user profile |
| `revocation_endpoint` | URL for revoking tokens |
| `registration_endpoint` | URL for registering clients |
| `scopes_supported` | Available scopes for authorization |
| `response_types_supported` | Only `code` (Authorization Code flow) |
| `grant_types_supported` | `authorization_code` and `refresh_token` |
| `token_endpoint_auth_methods_supported` | `client_secret_post` (confidential) and `none` (public with PKCE) |
| `userinfo_endpoint_auth_methods_supported` | `bearer` (GET with Authorization header) and `client_secret_post` (POST with client credentials in body) |
| `claims_supported` | All claims that may appear in UserInfo responses |
| `code_challenge_methods_supported` | PKCE method: `S256` (recommended). The authorization endpoint also accepts `plain`. |
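
As an added example (not SeloraX's own code), a client can check a fetched discovery document before trusting its endpoints, and generate an S256 PKCE pair so it never falls back to `plain`. The same-host policy, the names `check_discovery` and `pkce_s256_pair`, and the `SAMPLE` document (a subset of the response above) are assumptions of this example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

ISSUER = "https://api.selorax.io"
# Endpoint fields and paths copied from the discovery response on this page.
ENDPOINTS = {
    "authorization_endpoint": "authorize", "token_endpoint": "token",
    "userinfo_endpoint": "userinfo", "revocation_endpoint": "revoke",
    "registration_endpoint": "clients",
}
# Constructed sample: a subset of that response, used as offline input.
SAMPLE = {
    "issuer": ISSUER,
    **{key: f"{ISSUER}/api/oauth/{path}" for key, path in ENDPOINTS.items()},
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
}

def check_discovery(doc, expected_issuer):
    """Return a list of problems found in a fetched discovery document."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    host = urlsplit(expected_issuer).netloc
    for key in ENDPOINTS:
        url = urlsplit(str(doc.get(key) or ""))
        # Assumed policy: every endpoint is HTTPS on the issuer's own host,
        # so a tampered or downgraded document is rejected before use.
        if url.scheme != "https" or url.netloc != host:
            problems.append(f"{key} is not on https://{host}: {doc.get(key)!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("S256 PKCE method not advertised")
    return problems

def pkce_s256_pair():
    """Return (code_verifier, code_challenge) for PKCE with S256 (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, allowed range is 43-128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

if __name__ == "__main__":
    print(check_discovery(SAMPLE, ISSUER), pkce_s256_pair()[1])
```

Send the challenge with `code_challenge_method=S256` on the authorization request and the verifier on the token request.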
Using with OAuth Libraries
Most OAuth/OIDC client libraries support automatic discovery. Point them at the discovery URL:
Node.js (openid-client)
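```javascript
const { Issuer } = require('openid-client');

// CommonJS has no top-level await, so run discovery inside an async function
async function createClient() {
  // Fetch the discovery document and build an Issuer from it
  const selorax = await Issuer.discover('https://api.selorax.io/api/oauth/.well-known/openid-configuration');

  return new selorax.Client({
    client_id: 'sx_oc_...',
    client_secret: 'sx_os_...',
    redirect_uris: ['https://example.com/callback'],
    response_types: ['code'],
    // One of the methods listed in token_endpoint_auth_methods_supported
    token_endpoint_auth_method: 'client_secret_post',
  });
}
```

Python (authlib)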
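```python
import requests
from authlib.integrations.requests_client import OAuth2Session

# Fetch the discovery document; its fields hold the endpoint URLs,
# e.g. metadata['authorization_endpoint'] and metadata['token_endpoint']
metadata = requests.get(
    'https://api.selorax.io/api/oauth/.well-known/openid-configuration',
    timeout=10,
).json()

session = OAuth2Session(
    client_id='sx_oc_...',
    client_secret='sx_os_...',
    redirect_uri='https://example.com/callback',
    # One of the methods listed in token_endpoint_auth_methods_supported
    token_endpoint_auth_method='client_secret_post',
)
```

Custom Claims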
SeloraX extends the standard OIDC claims with e-commerce-specific fields:
| Claim | Standard | Description |
|---|---|---|
| `sub` | OIDC | `{user_type}:{user_id}` format |
| `name` | OIDC | User's display name |
| `picture` | OIDC | Avatar URL |
| `email` | OIDC | Email address |
| `email_verified` | OIDC | Boolean |
| `phone_number` | OIDC | Phone in E.164 format |
| `phone_number_verified` | OIDC | Boolean |
| `store_id` | Custom | SeloraX store ID |
| `store_name` | Custom | Store display name |
| `role` | Custom | User's role (customer, admin, etc.) |