This article provides the structure and location for finding the OpenID Connect Well-Known URL, also known as the OpenID Connect metadata document URL. This URL is necessary when configuring applications (for example, 1Password) or Identity Providers (IdPs) that use OpenID Connect (OIDC) for authentication.

• OpenID Connect (OIDC)
• Org Authorization Server
• Custom Authorization Server

Prerequisites:

• The Custom Authorization Server's ID (if applicable) 
  • This is a unique identifier (for example, aus9o8wzkhckw9TLa0h7z) and is available in the Okta Admin Console under Security > API > Authorization Servers.
• The Okta domain (for example, example.okta.com or example.oktapreview.com)

To find the Okta Well-Known URL, identify whether an Org Authorization Server or a Custom Authorization Server is in use.

• If using an Org Authorization Server
  • Use the following format, replacing <OKTA_DOMAIN> with the desired Okta domain:

    https://<OKTA_DOMAIN>/.well-known/openid-configuration

• If using a Custom Authorization Server
  • Use the following format, replacing <OKTA_DOMAIN> with the desired Okta domain and <AUTHORIZATION_SERVER_ID> with the custom authorization server's ID:

    https://<OKTA_DOMAIN>/oauth2/<AUTHORIZATION_SERVER_ID>/.well-known/openid-configuration

  • NOTE: If using the 'default' Custom Authorization Server, it is often designated by the ID "default": 

    https://<OKTA_DOMAIN>/oauth2/default/.well-known/openid-configuration

Related References

• Retrieve the OpenID Connect metadata (Org Authorization Server)
• Retrieve the OpenID Connect metadata (Custom Authorization Server)
• Okta Developer Documentation - Authorization Servers Concepts 
• Okta Developer Documentation - OpenID Connect & OAuth 2.0 API
• Okta Developer Documentation - Find your Okta domain