OIDC Discovery Inspector
Inspect pasted provider metadata and isolate issuer, endpoint, JWKS, algorithm, or PKCE mismatches
Optional exact and capability checks
Expected issuer and endpoint comparisons are exact. Capability checks look for the entered value in the advertised list.
Start with the exact issuer, authorization_endpoint, token_endpoint, and jwks_uri expected by the same tenant and environment. Then check response types, grants, signing algorithms, token endpoint authentication, and PKCE methods that matter to your client.
OIDC provider configuration defines identity-specific fields such as subject types and ID token signing algorithms. OAuth authorization server metadata has its own required, conditional, and optional fields. Auto detection uses OIDC-specific members; choose a type explicitly when you want to inspect a sparse document under one rule set.
Missing code_challenge_methods_supported means PKCE is not advertised by this document; it does not prove the server rejects PKCE. The inspector also distinguishes omitted fields with documented defaults from fields that are required for the selected metadata type.
Does this page open the discovery URL?
No. Paste the JSON document itself. The inspector does not make requests to the issuer, endpoints, jwks_uri, or any other value found in the document.
Why can an issuer mismatch break verification?
Clients compare the configured issuer with metadata and token claims according to their protocol and library rules. A trailing slash, tenant path, case, or environment difference can therefore matter even when the URLs look related.
Does a clean inspection mean the provider is secure?
No. It means the pasted document produced no inspected mismatch or warning under the selected checks. Reachability, key contents, cryptographic verification, server behavior, and deployment policy remain separate.