Modify openid-connect metadata visibility


Hiding Fields from OpenID Connect Metadata in Janssen Server

In OpenID Connect, the .well-known/openid-configuration endpoint serves as the discovery document. It lists important configuration metadata such as available endpoints, supported scopes, claims, signing algorithms, and more.

In some deployments it is good practice to hide certain metadata fields:

  1. To avoid exposing unused or deprecated endpoints.
  2. To minimize security risks by not publicly showing sensitive internal mappings or settings.
  3. To comply with regulatory or architectural requirements.

To support this use case, Janssen Server provides a built-in mechanism via the discoveryDenyKeys property.


1. Why Hide Metadata Fields?

OpenID Connect discovery documents may contain a wide range of properties. Not all of these are useful to clients, and some may reveal internal architecture or unused experimental features.

By hiding unused or sensitive metadata, you:

  • Reduce the attack surface.
  • Prevent confusion for developers and integrators.
  • Align your published metadata with the features you actually use.

2. What is discoveryDenyKeys?

discoveryDenyKeys is a configurable property in Janssen Server that lets you specify which metadata fields should be removed from the OpenID Provider Metadata (.well-known/openid-configuration).

This value is an array of strings, each representing a key in the discovery document.

Example Value

[
  "id_generation_endpoint",
  "auth_level_mapping",
  "scope_to_claims_mapping",
  "op_policy_uri",
  "access_token_signing_alg_values_supported"
]

3. How to Configure It Using TUI

Follow these steps:

a. Access the Janssen TUI

./jans_cli_tui.py

b. Navigate to the Properties Section

Go to:

Auth Server > Properties

c. Search for discoveryDenyKeys

In the list of properties, search for:

discoveryDenyKeys

Edit the value to include the keys you want to hide.

d. Save Changes and Exit

Save the updated property settings and exit the TUI.


4. Apply Changes by Restarting the Auth Server

Finally, restart the jans-auth service to apply the changes:

systemctl restart jans-auth

After the restart, revisit your discovery endpoint:

https://<your-domain>/.well-known/openid-configuration

You will see that the specified keys are now removed from the response.
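A small verification script, added here as an example and not part of the Janssen project, that checks a discovery document against your deny list: it reports denied keys the server still publishes, keys your clients need that have disappeared, and keys that appear on both lists. The sample document and the REQUIRED_KEYS list are constructed assumptions for illustration; pass https://<your-domain> as the first argument to check a live server instead.

```python
import json
import sys
import urllib.request

# The discoveryDenyKeys value from the example above.
DENY_KEYS = ["id_generation_endpoint", "auth_level_mapping",
             "scope_to_claims_mapping", "op_policy_uri",
             "access_token_signing_alg_values_supported"]

# Assumed list of keys your relying parties depend on; adjust to your clients.
REQUIRED_KEYS = ["issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
                 "response_types_supported", "id_token_signing_alg_values_supported"]

# Constructed sample discovery document (not a real server's response), as it
# might look before discoveryDenyKeys is applied.
SAMPLE_BEFORE = {
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
    "jwks_uri": "https://op.example.test/jwks",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "op_policy_uri": "https://op.example.test/policy",
    "auth_level_mapping": {"basic": ["password"]},
}

def fetch_discovery(base_url: str, timeout: int = 10) -> dict:
    """Download the live discovery document from the server at base_url."""
    url = base_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))

def check_discovery(doc: dict, deny_keys, required_keys) -> dict:
    """Report denied keys still published, required keys now absent, and keys
    that appear on both lists (hiding those would break clients)."""
    return {
        "still_exposed": sorted(k for k in deny_keys if k in doc),
        "missing_required": sorted(k for k in required_keys if k not in doc),
        "conflicts": sorted(set(deny_keys) & set(required_keys)),
    }

if __name__ == "__main__":
    # Pass https://<your-domain> to check a live server; otherwise use the sample.
    doc = fetch_discovery(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BEFORE
    print(json.dumps(check_discovery(doc, DENY_KEYS, REQUIRED_KEYS), indent=2))
```

An empty report after the restart means the deny list took effect and nothing your clients need was hidden along with it.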


📝 Notes

  • Do not hide fields that your clients or applications rely on.
  • Always verify functionality after applying changes.