Modify openid-connect metadata visibility
Hiding Fields from OpenID Connect Metadata in Janssen Server
In OpenID Connect, the .well-known/openid-configuration endpoint serves as the discovery document. It lists important configuration metadata such as available endpoints, supported scopes, claims, signing algorithms, and more.
In some scenarios, it is best practice to hide certain metadata fields:
- To avoid exposing unused or deprecated endpoints.
- To minimize security risks by not publicly showing sensitive internal mappings or settings.
- To comply with regulatory or architectural requirements.
To support this use case, Janssen Server provides a built-in mechanism via the discoveryDenyKeys property.
1. Why Hide Metadata Fields?
OpenID Connect discovery documents may contain a wide range of properties. Not all of these are useful to clients, and some may reveal internal architecture or unused experimental features.
By hiding unused or sensitive metadata, you:
- Reduce the attack surface.
- Prevent confusion for developers and integrators.
- Align your metadata with actual use cases.
2. What is discoveryDenyKeys?
discoveryDenyKeys is a configurable property in Janssen Server that lets you specify which metadata fields should be removed from the OpenID Provider Metadata (.well-known/openid-configuration).
This value is an array of strings, each representing a key in the discovery document.
Example Value
[
"id_generation_endpoint",
"auth_level_mapping",
"scope_to_claims_mapping",
"op_policy_uri",
"access_token_signing_alg_values_supported"
]
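The following script is an added example, not Janssen Server code: it mirrors what discoveryDenyKeys does to a discovery document, flags deny-list entries that would strip a field the OpenID Connect Discovery specification marks REQUIRED, and checks a published document for keys that should have been removed. The sample metadata and the op.example.test hostname are constructed.

```python
"""Added example (not Janssen's code): apply and verify a discoveryDenyKeys list."""
from typing import Dict, Iterable, List, Set

# Provider metadata fields that OpenID Connect Discovery 1.0 marks REQUIRED.
# Denying any of these breaks conforming clients, so they should never be hidden.
OIDC_REQUIRED_KEYS: Set[str] = {
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
}

# Constructed, abbreviated discovery document; hostname and paths are placeholders.
SAMPLE_METADATA: Dict[str, object] = {
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
    "jwks_uri": "https://op.example.test/jwks",
    "id_generation_endpoint": "https://op.example.test/id",
    "op_policy_uri": "https://op.example.test/policy",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public", "pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "access_token_signing_alg_values_supported": ["RS256", "ES256"],
    "auth_level_mapping": {"basic": 10},
    "scope_to_claims_mapping": {"profile": ["name", "family_name"]},
}


def apply_deny_keys(metadata: Dict[str, object], deny_keys: Iterable[str]) -> Dict[str, object]:
    """Return a copy of the document with every denied top-level key dropped.
    This illustrates the effect of discoveryDenyKeys; it is not the server's code."""
    denied = set(deny_keys)
    return {k: v for k, v in metadata.items() if k not in denied}


def unsafe_deny_keys(deny_keys: Iterable[str]) -> List[str]:
    """Deny-list entries that would remove a spec-REQUIRED field (review before saving)."""
    return sorted(set(deny_keys) & OIDC_REQUIRED_KEYS)


def leaked_keys(published: Dict[str, object], deny_keys: Iterable[str]) -> List[str]:
    """Denied keys still present in a published document. After the restart, pass the
    parsed JSON from /.well-known/openid-configuration; an empty list means success."""
    return sorted(k for k in deny_keys if k in published)


if __name__ == "__main__":
    deny = ["id_generation_endpoint", "auth_level_mapping", "scope_to_claims_mapping",
            "op_policy_uri", "access_token_signing_alg_values_supported"]
    print("unsafe entries:", unsafe_deny_keys(deny))
    print("still present:", leaked_keys(apply_deny_keys(SAMPLE_METADATA, deny), deny))
```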
3. How to Configure It Using TUI
Follow these steps:
a. Access the Janssen TUI
./jans_cli_tui.py
b. Navigate to Properties Section
Go to:
Auth Server > Properties
c. Search for discoveryDenyKeys
In the list of properties, search for:
discoveryDenyKeys
Edit the value to include the keys you want to hide.
d. Save Changes and Exit
Save the updated property settings and exit the TUI.
4. Apply Changes by Restarting the Auth Server
Finally, restart the jans-auth service to apply the changes:
systemctl restart jans-auth
After the restart, revisit your discovery endpoint:
https://<your-domain>/.well-known/openid-configuration
You will see that the specified keys are now removed from the response.
📝 Notes
- Do not hide fields that your clients or applications rely on.
- Always verify functionality after applying changes.