Lint OIDC config
Static analysis for OIDC provider configuration — algorithms, HTTPS, JWKS reachability, redirect URIs.
POST /v1/lint/oidc-config
Inspects an OIDC provider configuration without exercising the login flow: weak algorithms in the allowlist, non-HTTPS URIs, JWKS endpoint reachability, and a mismatch between the configured jwks_uri and the value returned by discovery. Useful as a pre-deploy gate.
Request
| Field | Type | Required | Description |
|---|---|---|---|
| issuer | string (URL) | yes | OIDC issuer URL. |
| client_id | string | yes | OAuth client ID. |
| audiences | string[] | yes | Expected aud values. |
| jwks_uri | string (URL) | yes | Configured JWKS endpoint. |
| redirect_uris | string[] (URL) | yes | Allowed OAuth redirect URIs. |
| alg_policy | object | yes | Algorithm policy. Required field alg_policy.allowed_algs: string[]. |
| discovered_jwks_uri | string (URL) | no | JWKS URI returned by /v1/providers/discover. When supplied, the linter checks jwks_uri == discovered_jwks_uri. |
| https_required | boolean | default true | When true, every URI in the request must use https://. |
Response — 200
| Field | Type | Required | Description |
|---|---|---|---|
| valid | boolean | yes | true when no findings of severity error were emitted. |
| findings | Finding[] | yes | Configuration issues. Each Finding carries code, severity, message, optional evidence, and remediation. |
| summary | string | yes | One-sentence outcome. |
200 — non-HTTPS redirect URI flagged with remediation

```json
{
  "valid": false,
  "findings": [
    {
      "code": "INSECURE_URI",
      "severity": "error",
      "message": "Redirect URI uses http:// while https_required is true.",
      "evidence": {
        "uri": "http://app.acme.com/cb"
      },
      "remediation": "Switch http://app.acme.com/cb to https://, or set https_required=false (not recommended outside development)."
    }
  ],
  "summary": "OIDC configuration has 1 error."
}
```

Errors
| Channel | Code | Cause |
|---|---|---|
| 200, in findings | WEAK_ALGORITHM | An algorithm weaker than RS256/ES256/EdDSA appears in the allowlist. |
| 200, in findings | JWKS_UNREACHABLE | The configured JWKS endpoint did not respond. |
| 200, in findings | INSECURE_URI | A non-HTTPS URI is present and https_required is true. |
| 200, in findings | JWKS_URI_MISMATCH | jwks_uri does not match discovered_jwks_uri. |
| 422 | — | Request body missing a required field. |
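The four finding codes above, applied locally as a pre-deploy gate. This is an added example, not the service's own implementation: it reproduces the documented request and response shapes so the same gate function can consume either this output or the API's. Assumptions are marked in comments: which algorithms count as "at least RS256/ES256/EdDSA", that every rule is severity error (the page shows this only for INSECURE_URI), and that JWKS reachability is probed with a plain GET, injectable so the demo runs offline.

```python
"""Pre-deploy gate that applies the /v1/lint/oidc-config rules locally.

Added example, not the service's own implementation. It emits the four finding
codes documented in the Errors table (WEAK_ALGORITHM, INSECURE_URI,
JWKS_URI_MISMATCH, JWKS_UNREACHABLE) over the documented request shape and
returns the documented response shape.
"""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from typing import Callable
from urllib.parse import urlsplit

# Assumption: how "weaker than RS256/ES256/EdDSA" is interpreted. RSA PKCS#1,
# RSA-PSS, ECDSA and EdDSA at 256 bits or more pass; "none" and HMAC do not.
STRONG_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
               "ES256", "ES384", "ES512", "EdDSA"}


def _finding(code: str, message: str, evidence: dict, remediation: str) -> dict:
    # Assumption: every rule here is severity "error", as the page shows for INSECURE_URI.
    return {"code": code, "severity": "error", "message": message,
            "evidence": evidence, "remediation": remediation}


def _http_reachable(url: str) -> bool:
    """Default reachability probe: a GET with a short timeout (assumed behaviour)."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, ValueError, OSError):
        return False


def lint_oidc_config(cfg: dict, fetch: Callable[[str], bool] = _http_reachable) -> dict:
    """Return {"valid", "findings", "summary"} for a request-shaped dict."""
    findings: list[dict] = []

    # WEAK_ALGORITHM: anything outside the strong set in the allowlist.
    for alg in cfg["alg_policy"]["allowed_algs"]:
        if alg not in STRONG_ALGS:
            findings.append(_finding(
                "WEAK_ALGORITHM",
                f"Allowed algorithm {alg} is weaker than RS256/ES256/EdDSA.",
                {"alg": alg},
                f"Remove {alg} from alg_policy.allowed_algs."))

    # INSECURE_URI: every URL-typed field must be https:// when https_required is true.
    if cfg.get("https_required", True):
        uris = [("issuer", cfg["issuer"]), ("jwks_uri", cfg["jwks_uri"])]
        uris += [("redirect_uris", u) for u in cfg["redirect_uris"]]
        if "discovered_jwks_uri" in cfg:
            uris.append(("discovered_jwks_uri", cfg["discovered_jwks_uri"]))
        for field, uri in uris:
            scheme = urlsplit(uri).scheme or "<none>"
            if scheme != "https":
                findings.append(_finding(
                    "INSECURE_URI",
                    f"{field} uses {scheme}:// while https_required is true.",
                    {"uri": uri},
                    f"Switch {uri} to https://, or set https_required=false "
                    "(not recommended outside development)."))

    # JWKS_URI_MISMATCH: only checked when the caller supplied a discovered value.
    discovered = cfg.get("discovered_jwks_uri")
    if discovered is not None and cfg["jwks_uri"] != discovered:
        findings.append(_finding(
            "JWKS_URI_MISMATCH",
            "jwks_uri does not match discovered_jwks_uri.",
            {"jwks_uri": cfg["jwks_uri"], "discovered_jwks_uri": discovered},
            "Align jwks_uri with the value the provider publishes in its discovery document."))

    # JWKS_UNREACHABLE: the configured endpoint did not answer the probe.
    if not fetch(cfg["jwks_uri"]):
        findings.append(_finding(
            "JWKS_UNREACHABLE",
            "The configured JWKS endpoint did not respond.",
            {"uri": cfg["jwks_uri"]},
            "Confirm the JWKS URL and that the validating service can reach it."))

    errors = sum(1 for f in findings if f["severity"] == "error")
    plural = "" if errors == 1 else "s"
    return {"valid": errors == 0, "findings": findings,
            "summary": f"OIDC configuration has {errors} error{plural}."}


def gate_exit_code(response: dict) -> int:
    """0 when the response (local or from the API) has no error findings, else 1."""
    return 0 if response["valid"] else 1


if __name__ == "__main__":
    # Constructed config: the page's sample with an http:// redirect and HS256 added.
    sample = {
        "issuer": "https://acme.auth0.com/",
        "client_id": "abc123",
        "audiences": ["api://acme-backend"],
        "jwks_uri": "https://acme.auth0.com/.well-known/jwks.json",
        "redirect_uris": ["http://app.acme.com/cb"],
        "alg_policy": {"allowed_algs": ["RS256", "HS256"]},
        "https_required": True,
    }
    # Offline stand-in for the reachability probe so the demo is deterministic.
    result = lint_oidc_config(sample, fetch=lambda url: True)
    print(json.dumps(result, indent=2))
    raise SystemExit(gate_exit_code(result))
```

Run it as a CI step and the exit code fails the job on any error finding; pointing gate_exit_code at the JSON returned by the real endpoint gives the same behaviour without the local rules.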
Example

```shell
curl -sSf -X POST "$JWTSHIELD_URL/v1/lint/oidc-config" \
  -H "Authorization: Bearer $JWTSHIELD_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "issuer": "https://acme.auth0.com/",
    "client_id": "abc123",
    "audiences": ["api://acme-backend"],
    "jwks_uri": "https://acme.auth0.com/.well-known/jwks.json",
    "redirect_uris": ["https://app.acme.com/cb"],
    "alg_policy": { "allowed_algs": ["RS256"] },
    "https_required": true
  }'
```