Accessing the Well-Known URL

Use the Okta domain and the client ID to create the well-known URL.
A well-known URL uses the following structure:
https://<domain>/.well-known/openid-configuration?client_id=<client-id>
In this example, the well-known URL becomes:
https://dev-84941762.okta.com/.well-known/openid-configuration?client_id=0oa5km1v306LXN57y5d7
  • The domain is dev-84941762.okta.com.
  • The Client ID, 0oa5km1v306LXN57y5d7, was generated when you created the Native App.
Native App with Client ID
The client ID is highlighted in this screenshot.
Entering the well-known URL in a web browser returns a JSON response. The response includes the information required for the ACS configuration:
  • Authorization endpoint
  • Token endpoint
  • The supported encryption format
{
  "issuer": "https://dev-84941762.okta.com",
  "authorization_endpoint": "https://dev-84941762.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://dev-84941762.okta.com/oauth2/v1/token",
  "userinfo_endpoint": "https://dev-84941762.okta.com/oauth2/v1/userinfo",
  "registration_endpoint": "https://dev-84941762.okta.com/oauth2/v1/clients/0oa5km1v306LXN57y5d7",
  "jwks_uri": "https://dev-84941762.okta.com/oauth2/v1/keys?client_id=0oa5km1v306LXN57y5d7",
  "response_types_supported": [ "code" ],
  "response_modes_supported": [ "query", "fragment", "form_post", "okta_post_message" ],
  "grant_types_supported": [ "authorization_code", "refresh_token", "password", "urn:ietf:params:oauth:grant-type:token-exchange" ],
  "subject_types_supported": [ "public" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "scopes_supported": [ "openid", "email", "profile", "address", "phone", "offline_access" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_basic" ],
  "claims_supported": [ "iss", "ver", "sub", "aud", "iat", "exp", "jti", "auth_time", "amr", "idp", "nonce", "name", "nickname", "preferred_username", "given_name", "middle_name", "family_name", "email", "email_verified", "profile", "zoneinfo", "locale", "address", "phone_number", "picture", "website", "gender", "birthdate", "updated_at", "at_hash", "c_hash" ],
  "code_challenge_methods_supported": [ "S256" ],
  "introspection_endpoint": "https://dev-84941762.okta.com/oauth2/v1/introspect",
  "introspection_endpoint_auth_methods_supported": [ "client_secret_basic" ],
  "revocation_endpoint": "https://dev-84941762.okta.com/oauth2/v1/revoke",
  "revocation_endpoint_auth_methods_supported": [ "client_secret_basic" ],
  "end_session_endpoint": "https://dev-84941762.okta.com/oauth2/v1/logout",
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": [ "HS256", "HS384", "HS512" ],
  "device_authorization_endpoint": "https://dev-84941762.okta.com/oauth2/v1/device/authorize",
  "pushed_authorization_request_endpoint": "https://dev-84941762.okta.com/oauth2/v1/par"
}
The authorization and token URLs are shown in the response from the well-known URL. If the Okta system uses a Federation Broker, modify the authorization and token URLs.
The original URLs from the JSON response:
  • "authorization_endpoint": "https://dev-84941762.okta.com/oauth2/v1/authorize"
  • "token_endpoint": "https://dev-84941762.okta.com/oauth2/v1/token"
Modify the URLs to include the Authorization Server:
  • "authorization_endpoint": "https://dev-84941762.okta.com/oauth2/<server_name>/v1/authorize"
  • "token_endpoint": "https://dev-84941762.okta.com/oauth2/<server_name>/v1/token"
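The steps above can be checked in a script before the values are entered into the ACS configuration. The following is an added example, not code from this page or from Okta: it builds the well-known URL, confirms that the issuer and both endpoints sit on the expected Okta domain over HTTPS, and inserts the Authorization Server name for the Federation Broker case. The function names, the server name "default", and the choice of id_token_signing_alg_values_supported as the format field are assumptions; the sample metadata is trimmed from the response shown above.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit, urlencode

# Trimmed copy of the discovery response shown on this page (offline sample).
SAMPLE = json.loads("""{
  "issuer": "https://dev-84941762.okta.com",
  "authorization_endpoint": "https://dev-84941762.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://dev-84941762.okta.com/oauth2/v1/token",
  "id_token_signing_alg_values_supported": ["RS256"]
}""")


def well_known_url(domain, client_id):
    """Build https://<domain>/.well-known/openid-configuration?client_id=<client-id>."""
    query = urlencode({"client_id": client_id})
    return urlunsplit(("https", domain, "/.well-known/openid-configuration", query, ""))


def _with_server(url, server_name):
    """Turn /oauth2/v1/... into /oauth2/<server_name>/v1/... (Federation Broker case)."""
    parts = urlsplit(url)
    if not parts.path.startswith("/oauth2/v1/"):
        raise ValueError(f"unexpected endpoint path: {parts.path}")
    path = f"/oauth2/{server_name}/v1/" + parts.path[len("/oauth2/v1/"):]
    return urlunsplit(parts._replace(path=path))


def acs_endpoints(metadata, domain, server_name=None):
    """Return the ACS values after checking they belong to the expected Okta domain."""
    if metadata.get("issuer") != f"https://{domain}":
        raise ValueError("issuer does not match the Okta domain")
    # Assumption: only letters, digits, '_' and '-' are accepted in a server name here.
    if server_name is not None and not re.fullmatch(r"[A-Za-z0-9_-]+", server_name):
        raise ValueError("server name contains unexpected characters")
    result = {}
    for key in ("authorization_endpoint", "token_endpoint"):
        parts = urlsplit(metadata[key])
        if parts.scheme != "https" or parts.netloc != domain:
            raise ValueError(f"{key} is not an https URL on {domain}")
        result[key] = _with_server(metadata[key], server_name) if server_name else metadata[key]
    result["signing_algs"] = metadata.get("id_token_signing_alg_values_supported", [])
    return result


if __name__ == "__main__":
    print(well_known_url("dev-84941762.okta.com", "0oa5km1v306LXN57y5d7"))
    print(json.dumps(acs_endpoints(SAMPLE, "dev-84941762.okta.com", "default"), indent=2))
```

To run it against a live tenant, load the JSON fetched from the well-known URL in place of SAMPLE.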