Information in the .well-known/openid-configuration page is exposed to the internet: a security concern?


I am doing a security scan for a client and observed that they have implemented OpenID. While reading up I came to know about the URL .well-known/openid-configuration, which has a good amount of information (endpoints: authorize, connect, userinfo, jwks; scopes, etc.) exposed to the public.

I have 2 questions here:

  1. Is exposing this info to the public a security concern? Isn't there any way to make it available only to the required users?
  2. I am new to OpenID Connect; is there a simple and good article on implementing a custom OpenID server?
1 answer

Gary Archer
  1. It is pretty standard to expose metadata if it is needed by the outside world, e.g. mobile apps. Its main use is by security libraries in client apps, to look up other endpoints for authorization and token issuing.

If you don't have internet clients, then some providers will allow you to turn the endpoint off, or to expose it only over an internal network. It is usual to avoid exposing more sensitive data such as custom claims and scopes.

  2. Rather than implement an OpenID server, it is usual to use a free one based on standards, then focus on integrating UIs and APIs. There is plenty of work there, since OAuth is very architectural.

At Curity we have a full-featured free version, and the quick way to get started is via the Docker tutorial. Then log into the developer portal and download a license file.

After running the install you can browse to these URLs. Then focus on integrating your apps:

  • http://localhost:6749/admin
  • http://localhost:8443/oauth/v2/oauth-anonymous/.well-known/openid-configuration

Alternatively, choose another provider and follow the same approach of using large building blocks.
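The answer above makes two points that are easier to see in code: a client library consumes the discovery document to look up the authorization, token, userinfo and JWKS endpoints, and the document can also reveal custom scopes and claims that say more about a deployment than the standard fields do. The following added example (written for this page; it is not code from the question, the answer, or Curity) parses a constructed discovery document, applies the checks a consumer should make before trusting the endpoints it lists (required fields present, issuer matching the URL the document was fetched from, every endpoint on HTTPS and on the issuer's host), and then reports which scopes and claims are provider-specific. The `idp.example.com` host, its endpoint paths, and the `payments:write`, `employee_id` and `cost_center` values are all made up for the sample.

```python
"""Parse and sanity-check an OpenID Connect discovery document.

Added example for this page, not code from the original answer. The JSON
below is a constructed sample; idp.example.com and its endpoints are not a
real provider.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata.
REQUIRED = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Scopes and claims defined by OIDC Core itself. Anything outside these sets is
# provider-specific and tells an outsider something about the deployment.
STANDARD_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}
STANDARD_CLAIMS = {
    "sub", "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "email",
    "email_verified", "gender", "birthdate", "zoneinfo", "locale",
    "phone_number", "phone_number_verified", "address", "updated_at",
    "iss", "aud", "exp", "iat", "auth_time", "nonce", "acr", "amr", "azp",
}

# Constructed sample of what a provider might publish (hypothetical values).
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "userinfo_endpoint": "https://idp.example.com/oauth/userinfo",
    "jwks_uri": "https://idp.example.com/oauth/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email", "payments:write"],
    "claims_supported": ["sub", "email", "employee_id", "cost_center"],
})

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def load_metadata(raw, fetched_from):
    """Parse discovery JSON and apply the checks a client should make before
    trusting the endpoints it lists.

    fetched_from is the URL the document came from. OIDC Discovery requires the
    'issuer' value inside the document to equal that URL minus the well-known
    suffix; enforcing it stops a document served by one host from steering a
    client to another host's endpoints.
    """
    meta = json.loads(raw)
    missing = [f for f in REQUIRED if f not in meta]
    if missing:
        raise ValueError(f"discovery document missing required fields: {missing}")
    if "code" in meta["response_types_supported"] and "token_endpoint" not in meta:
        raise ValueError("code flow advertised but no token_endpoint")

    issuer = meta["issuer"].rstrip("/")
    if not fetched_from.endswith(WELL_KNOWN):
        raise ValueError(f"not a discovery URL: {fetched_from}")
    expected = fetched_from[: -len(WELL_KNOWN)].rstrip("/")
    if issuer != expected:
        raise ValueError(f"issuer {issuer!r} does not match fetch URL {fetched_from!r}")

    issuer_host = urlsplit(issuer).netloc
    for key in ENDPOINT_KEYS:
        if key not in meta:
            continue
        parts = urlsplit(meta[key])
        if parts.scheme != "https":
            raise ValueError(f"{key} is not https: {meta[key]}")
        if parts.netloc != issuer_host:
            raise ValueError(f"{key} points outside the issuer host: {meta[key]}")
    return meta


def endpoints(meta):
    """The lookups a client library performs with the document."""
    return {k: meta[k] for k in ENDPOINT_KEYS if k in meta}


def exposure_report(meta):
    """Non-standard scopes and claims: the parts of the document that reveal
    deployment-specific detail beyond what every OIDC provider publishes."""
    return {
        "custom_scopes": sorted(set(meta.get("scopes_supported", [])) - STANDARD_SCOPES),
        "custom_claims": sorted(set(meta.get("claims_supported", [])) - STANDARD_CLAIMS),
    }


if __name__ == "__main__":
    m = load_metadata(SAMPLE_DOCUMENT, "https://idp.example.com" + WELL_KNOWN)
    print(json.dumps(endpoints(m), indent=2))
    print(json.dumps(exposure_report(m), indent=2))
```

The issuer and host checks are the ones that matter when the document is public: anyone can read it, so the defence is not secrecy but making sure a client only follows endpoints that belong to the issuer it was configured for. The `exposure_report` output is the list a reviewer would weigh against the answer's advice to keep custom claims and scopes out of the published metadata.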