SPIRE

SPIRE OIDC Discovery API

SPIRE includes an OIDC Discovery Provider that serves an OpenID Connect discovery document and JSON Web Key Set (JWKS) endpoint, enabling workloads to present JWT-SVIDs to systems that support standard OIDC token validation. This allows SPIRE-issued identities to be used with cloud provider IAM systems such as AWS, GCP, and Azure.

GitHub OpenAPI

Documentation

📖
Documentation
https://spiffe.io/docs/latest/keyless/oidc-federation-aws/

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/spire/refs/heads/main/openapi/spire-oidc-discovery-openapi.yml

SDKs

📦
GitHubRepository
https://github.com/spiffe/spire/tree/main/support/oidc-discovery-provider

Schemas & Data

📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/spire/refs/heads/main/json-structure/spire-svid-structure.json

OpenAPI Specification

spire-oidc-discovery-openapi.yml Raw ↑ 
openapi: 3.1.0
info:
  title: SPIRE OIDC Discovery Provider API
  description: >-
    The SPIRE OIDC Discovery Provider is a helper component that exposes a minimal
    OpenID Connect discovery document and JSON Web Key Set (JWKS) endpoint. This
    allows workloads to present JWT-SVIDs issued by SPIRE to systems that support
    standard OIDC token validation, including cloud provider IAM systems such as
    AWS, GCP, and Azure. The provider derives its key material from the SPIRE
    Server or Agent trust bundle and serves it over HTTPS.
  version: '1.0'
  contact:
    name: SPIFFE Community
    url: https://spiffe.io/community/
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
externalDocs:
  description: SPIRE OIDC Discovery Provider Documentation
  url: https://github.com/spiffe/spire/tree/main/support/oidc-discovery-provider
servers:
  - url: https://{domain}
    description: SPIRE OIDC Discovery Provider
    variables:
      domain:
        default: oidc-discovery.example.com
        description: >-
          The domain name configured for the OIDC discovery provider instance.
tags:
  - name: Discovery
    description: >-
      OpenID Connect discovery document endpoint that describes the OIDC
      provider configuration and supported capabilities.
  - name: Keys
    description: >-
      JSON Web Key Set endpoint that exposes public keys used to verify
      JWT-SVIDs issued by SPIRE.
paths:
  /.well-known/openid-configuration:
    get:
      operationId: getOpenIDConfiguration
      summary: SPIRE Get OpenID Connect discovery document
      description: >-
        Returns the OpenID Connect discovery document describing the OIDC
        provider's configuration. The document includes the issuer URL, JWKS
        URI, supported response types, subject types, and supported signing
        algorithms. This endpoint is used by OIDC-compatible systems to
        auto-configure themselves to validate JWT-SVIDs issued by SPIRE.
        The path prefix can be customized via the server_path_prefix option.
      tags:
        - Discovery
      responses:
        '200':
          description: OpenID Connect discovery document
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OpenIDConfiguration'
  /keys:
    get:
      operationId: getJWKS
      summary: SPIRE Get JSON Web Key Set
      description: >-
        Returns the JSON Web Key Set (JWKS) containing the public keys used
        to verify JWT-SVIDs issued by SPIRE. The keys are derived from the
        SPIRE trust bundle and are automatically rotated as SPIRE rotates its
        signing keys. Consumers must re-fetch this endpoint periodically to
        stay current with key rotations. Supported signing algorithms include
        RS256, ES256, and ES384.
      tags:
        - Keys
      responses:
        '200':
          description: JSON Web Key Set containing public verification keys
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JWKS'
components:
  schemas:
    OpenIDConfiguration:
      type: object
      description: >-
        OpenID Connect discovery document returned by the /.well-known/openid-configuration
        endpoint. Describes the OIDC provider's issuer, key location, and supported
        capabilities for JWT validation.
      required:
        - issuer
        - jwks_uri
        - authorization_endpoint
        - response_types_supported
        - subject_types_supported
        - id_token_signing_alg_values_supported
      properties:
        issuer:
          type: string
          format: uri
          description: >-
            The HTTPS URL identifying the OIDC provider. This must match the
            issuer claim in JWT-SVIDs issued by SPIRE and corresponds to the
            trust domain's SPIFFE ID base URL.
          example: https://oidc-discovery.example.com
        jwks_uri:
          type: string
          format: uri
          description: >-
            URL of the JSON Web Key Set document containing public keys for
            verifying JWT signatures. Typically the /keys endpoint on the
            same host.
          example: https://oidc-discovery.example.com/keys
        authorization_endpoint:
          type: string
          format: uri
          description: >-
            URL of the authorization endpoint. SPIRE's OIDC provider does not
            perform interactive authorization flows; this field is present for
            OIDC spec compliance but is not functional.
          example: https://oidc-discovery.example.com/authorize
        response_types_supported:
          type: array
          description: >-
            List of OAuth 2.0 response type values that this authorization
            server supports. SPIRE supports the id_token response type.
          items:
            type: string
            enum:
              - id_token
        subject_types_supported:
          type: array
          description: >-
            List of subject identifier types supported. SPIRE uses the public
            subject type.
          items:
            type: string
            enum:
              - public
        id_token_signing_alg_values_supported:
          type: array
          description: >-
            List of JWS signing algorithms supported for JWT-SVID signing.
            SPIRE supports RS256, ES256, and ES384.
          items:
            type: string
            enum:
              - RS256
              - ES256
              - ES384
    JWKS:
      type: object
      description: >-
        JSON Web Key Set document containing the public keys used to verify
        JWT-SVIDs issued by SPIRE. The keys correspond to the trust bundle
        JWT authorities for the SPIRE trust domain.
      required:
        - keys
      properties:
        keys:
          type: array
          description: >-
            Array of JSON Web Key objects representing the public keys in
            the SPIRE trust bundle. Each key corresponds to a JWT authority
            in the trust domain's bundle.
          items:
            $ref: '#/components/schemas/JWK'
    JWK:
      type: object
      description: >-
        A single JSON Web Key representing a public key used for JWT-SVID
        signature verification.
      required:
        - kty
        - use
        - kid
      properties:
        kty:
          type: string
          description: >-
            Key type. RSA for RS256 keys, EC for elliptic curve keys used
            with ES256 and ES384.
          enum:
            - RSA
            - EC
        use:
          type: string
          description: >-
            Intended use of the key. Always sig (signature verification) for
            SPIRE JWT authority keys.
          enum:
            - sig
        kid:
          type: string
          description: >-
            Key identifier uniquely identifying this key within the JWKS.
            Used to match the kid header in JWT-SVIDs to the correct
            verification key.
          example: abc123def456
        alg:
          type: string
          description: >-
            Algorithm intended for use with this key, such as RS256, ES256,
            or ES384.
          enum:
            - RS256
            - ES256
            - ES384
        n:
          type: string
          description: >-
            RSA modulus value (Base64urlUInt-encoded). Present only for RSA
            keys (kty: RSA).
        e:
          type: string
          description: >-
            RSA public exponent value (Base64urlUInt-encoded). Present only
            for RSA keys (kty: RSA).
          example: AQAB
        crv:
          type: string
          description: >-
            Elliptic curve name. Present only for EC keys (kty: EC).
          enum:
            - P-256
            - P-384
        x:
          type: string
          description: >-
            Elliptic curve x-coordinate (Base64urlUInt-encoded). Present
            only for EC keys (kty: EC).
        y:
          type: string
          description: >-
            Elliptic curve y-coordinate (Base64urlUInt-encoded). Present
            only for EC keys (kty: EC).