Identify Your Users and Manage Access
          Query for the OpenID Connect Configuration


          Use the OpenID Connect discovery endpoint to query for information about the Salesforce OpenID Connect configuration. Salesforce returns basic information about endpoints, supported scopes, and other values used for OpenID Connect authorization.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: All Editions

          A session isn’t required to access this endpoint.

          Note: If your org has CORS enabled, users can still access the OpenID Connect discovery endpoint. For all other OAuth endpoints, you must pass an OAuth token with requests that require it.

          The format of the URL is https://MyDomainName.my.salesforce.com/.well-known/openid-configuration.

          Note

          For sandboxes and Experience Cloud sites, the URL format is different.

          For a sandbox, you can find your org’s My Domain login URL on the My Domain Setup page.

          For an Experience Cloud site, if it’s an authenticated LWR site created after Winter ’23, the URL structure has the format MyDomainName.my.site.com/mycommunityurlvforcesite/.well-known/openid-configuration. To find the value for your URL up to /openid-configuration, go to Setup | Custom URLs and find the full URL of the community with the same name as your Experience Cloud site.

          For all other types of Experience Cloud sites, MyDomainName.my.salesforce.com is replaced with the site’s URL, such as MyDomainName.my.site.com/mycommunityurl/.well-known/openid-configuration.

          For all scenarios, the URL must use the HTTPS protocol.

          OpenID Connect Discovery Endpoint Response

          The OpenID Connect Discovery endpoint returns the information in JSON format.

          {"issuer":"https://login.salesforce.com",
          "authorization_endpoint":"https://login.salesforce.com/services/oauth2/authorize",
          "token_endpoint":"https://login.salesforce.com/services/oauth2/token",
          "revocation_endpoint":"https://login.salesforce.com/services/oauth2/revoke",
          "userinfo_endpoint":"https://login.salesforce.com/services/oauth2/userinfo",
          "jwks_uri":"https://login.salesforce.com/id/keys",
          "registration_endpoint":"https://login.salesforce.com/services/oauth2/register",
          "introspection_endpoint":"https://login.salesforce.com/services/oauth2/introspect",
          "scopes_supported":["id","api","web","full","chatter_api",
          "visualforce","refresh_token","openid","profile","email",
          "address","phone","offline_access","custom_permissions",
          "wave_api","eclair_api"],
          "response_types_supported":["code","token","token id_token"],
          "subject_types_supported":["public"],
          "id_token_signing_alg_values_supported":["RS256"],
          "display_values_supported":["page","popup","touch"],
          "token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic",
          "private_key_jwt"],
          "claims_supported":["active","address","email","email_verified","family_name",
          "given_name","is_app_installed","language","locale","name","nickname",
          "organization_id","phone_number","phone_number_verified","photos",
          "picture","preferred_username","profile","sub","updated_at","urls","user_id",
          "user_type","zoneinfo"]}
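A client that consumes this response can check it before trusting any endpoint in it. The following is an added example, not Salesforce code: `discovery_url` and `check_config` are hypothetical helper names, the sample is a constructed subset of the response above, and the rule that endpoints share the issuer's host is a policy assumed for this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a subset of the response shown on this page.
SAMPLE = json.dumps({
    "issuer": "https://login.salesforce.com",
    "authorization_endpoint": "https://login.salesforce.com/services/oauth2/authorize",
    "token_endpoint": "https://login.salesforce.com/services/oauth2/token",
    "jwks_uri": "https://login.salesforce.com/id/keys",
    "scopes_supported": ["id", "api", "openid", "profile", "email", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(base):
    """Build the discovery URL for a My Domain or site base URL; HTTPS only."""
    parts = urlsplit(base)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("discovery URL must use HTTPS")
    return base.rstrip("/") + "/.well-known/openid-configuration"


def check_config(raw, wanted_scopes):
    """Return a list of problems found in a discovery response (empty = OK)."""
    cfg = json.loads(raw)
    problems = []
    issuer = urlsplit(cfg.get("issuer", ""))
    if issuer.scheme != "https" or not issuer.hostname:
        problems.append("issuer is not an HTTPS URL")
    for key in ENDPOINT_KEYS:
        url = urlsplit(cfg.get(key, ""))
        if url.scheme != "https":
            problems.append(f"{key} missing or not HTTPS")
        # Example policy (assumption): endpoints share the issuer's host,
        # as they do in the response shown on this page.
        elif url.hostname != issuer.hostname:
            problems.append(f"{key} host differs from issuer")
    algs = cfg.get("id_token_signing_alg_values_supported", [])
    if not algs or "none" in algs:
        problems.append("ID tokens may be unsigned")
    missing = sorted(set(wanted_scopes) - set(cfg.get("scopes_supported", [])))
    if missing:
        problems.append("unsupported scopes: " + ", ".join(missing))
    return problems
```

Pass the body fetched from `discovery_url(...)` to `check_config` along with the scopes your connected app requests; a non-empty list means the configuration should not be used as is.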
           