HA OIDC 404 / unexpected content-type

Support General Questions
1

Running the latest April 15th Ziti binaries (1.6) HA with 2 controllers at the moment. Client is ZDEW latest 2.6.5 and I am using ext-jwt-auth to an external provider (https://oidc-test.example.internal)

I am observing 404s in my logs during token refresh. Seemingly not usually causing traffic loss during every 404, however I am indeed troubleshooting some intermittent connectivity issues and I am not sure if these 404s are an issue, or if they are a red herring and this is expected. Any insight is appreciated..

Example snippet:

[2025-04-17T17:29:23.800Z]   DEBUG ziti-sdk:oidc.c:927 oidc_client_set_tokens() using access_token={"aud":["3ecb9d18-d4a7-4697-a1f8-4e308cb6a1ed"],"exp":1744914562,"iat":1744910962,"iss":"https://oidc-test.example.internal","sub":"5e27f747-73e8-4bde-a0a8-58f954c027cf","type":"oauth-access-token"}
[2025-04-17T17:29:23.800Z]   DEBUG ziti-sdk:external_auth.c:94 ext_token_cb() received access token: eyJhbGciOiJSUzI1NiIs...
[2025-04-17T17:29:23.800Z]   DEBUG ziti-sdk:oidc.c:938 oidc_client_set_tokens() scheduling token refresh in 3600 seconds
[2025-04-17T17:29:23.853Z]   ERROR ziti-sdk:oidc.c:198 parse_cb() unexpected content-type[.well-known/openid-configuration]: text/plain; charset=utf-8
[2025-04-17T17:29:23.853Z]   ERROR ziti-sdk:ha_auth.c:145 config_cb() failed to configure OIDC[https://ctrl1.testing.internal:443/oidc] client: -4071/(null)
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:171 handle_unexpected_resp() unexpected OIDC response
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:172 handle_unexpected_resp() 1.1 404 Not Found
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() transfer-encoding: chunked
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() Date: Thu, 17 Apr 2025 17:29:23 GMT
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() X-Content-Type-Options: nosniff
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() Content-Type: text/plain; charset=utf-8
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() Content-Encoding: gzip
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:164 unhandled_body_cb() 404 page not found
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:166 unhandled_body_cb() status = -4095

Complete logs:

[2025-04-17T17:29:19.995Z]   DEBUG ziti-sdk:oidc.c:973 refresh_time_cb() refreshing OIDC token
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:oidc.c:946 refresh_cb() token refresh success
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:oidc.c:927 oidc_client_set_tokens() using access_token={"aud":["openziti"],"exp":1744912759,"iat":1744910959,"iss":"https://ctrl1.testing.internal:443/oidc","jti":"50d2c5a8-c316-440e-b0c2-54c7bde76a91","nbf":1744910959,"sub":"PJ27lxXJGe","z_aid":"openziti","z_asid":"47df4413-fb08-42ac-9b91-08703f813587","z_authid":"extJwtId:1ukzvj1YizqOzgTZfYEHNw","z_cfs":null,"z_eid":"5e27f747-73e8-4bde-a0a8-58f954c027cf","z_env":{},"z_ice":false,"z_ra":"208.118.129.23:23529","z_sdk":{},"z_t":"a"}
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:ziti.c:379 ziti_set_fully_authenticated() ztx[0] setting auth_state[3] to 3
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:ziti_ctrl.c:1090 ctrl_paging_req() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] starting paging request GET[/controllers]
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:ziti_ctrl.c:1090 ctrl_paging_req() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] starting paging request GET[/controllers]
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:channel.c:328 ziti_channel_update_token() ch[3] sending token update
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:channel.c:328 ziti_channel_update_token() ch[2] sending token update
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:channel.c:328 ziti_channel_update_token() ch[1] sending token update
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:channel.c:328 ziti_channel_update_token() ch[0] sending token update
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:oidc.c:938 oidc_client_set_tokens() scheduling token refresh in 1799 seconds
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:ziti_ctrl.c:1090 ctrl_paging_req() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] starting paging request GET[/current-identity/edge-routers]
[2025-04-17T17:29:20.070Z]   DEBUG ziti-sdk:ziti_ctrl.c:1090 ctrl_paging_req() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] starting paging request GET[/controllers]
[2025-04-17T17:29:20.071Z]   DEBUG ziti-sdk:posture.c:210 ziti_send_posture_data() ztx[0] posture checks must_send set to TRUE, new_session_id[TRUE], must_send_every_time[TRUE], new_controller_instance[FALSE]
[2025-04-17T17:29:20.081Z]   DEBUG ziti-sdk:channel.c:307 token_update_cb() ch[2] token update success
[2025-04-17T17:29:20.085Z]   DEBUG ziti-sdk:channel.c:307 token_update_cb() ch[3] token update success
[2025-04-17T17:29:20.085Z]   DEBUG ziti-sdk:channel.c:307 token_update_cb() ch[1] token update success
[2025-04-17T17:29:20.128Z]   DEBUG ziti-sdk:ziti_ctrl.c:485 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] received 2/2 for paging request GET[/controllers]
[2025-04-17T17:29:20.128Z]   DEBUG ziti-sdk:ziti_ctrl.c:495 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] completed paging request GET[/controllers] in 0.058 s
[2025-04-17T17:29:20.145Z]   DEBUG ziti-sdk:ziti_ctrl.c:485 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] received 2/2 for paging request GET[/controllers]
[2025-04-17T17:29:20.145Z]   DEBUG ziti-sdk:ziti_ctrl.c:495 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] completed paging request GET[/controllers] in 0.074 s
[2025-04-17T17:29:20.145Z]    INFO ziti-sdk:ziti.c:349 ctrl_list_cb() ztx[0] controller[ctrl1/ctrl1] url[https://ctrl1.testing.internal:443/edge/client/v1]
[2025-04-17T17:29:20.145Z]    INFO ziti-sdk:ziti.c:349 ctrl_list_cb() ztx[0] controller[ctrl3/ctrl3] url[https://ctrl3.testing.internal:443/edge/client/v1]
[2025-04-17T17:29:20.149Z]   DEBUG ziti-sdk:channel.c:307 token_update_cb() ch[0] token update success
[2025-04-17T17:29:20.177Z]   DEBUG ziti-sdk:ziti_ctrl.c:500 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] completed GET[/current-identity] in 0.106 s
[2025-04-17T17:29:20.193Z]   DEBUG ziti-sdk:ziti_ctrl.c:500 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] completed GET[/current-identity] in 0.122 s
[2025-04-17T17:29:20.209Z]   DEBUG ziti-sdk:ziti_ctrl.c:485 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] received 4/4 for paging request GET[/current-identity/edge-routers]
[2025-04-17T17:29:20.209Z]   DEBUG ziti-sdk:ziti_ctrl.c:495 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] completed paging request GET[/current-identity/edge-routers] in 0.139 s
[2025-04-17T17:29:20.226Z]   DEBUG ziti-sdk:ziti_ctrl.c:485 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] received 2/2 for paging request GET[/controllers]
[2025-04-17T17:29:20.226Z]   DEBUG ziti-sdk:ziti_ctrl.c:495 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] completed paging request GET[/controllers] in 0.156 s
[2025-04-17T17:29:20.242Z]   DEBUG ziti-sdk:ziti_ctrl.c:500 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] completed GET[/current-api-session/service-updates] in 0.172 s
[2025-04-17T17:29:20.242Z]   DEBUG ziti-sdk:ziti_ctrl.c:1090 ctrl_paging_req() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] starting paging request GET[/services?configTypes=all]
[2025-04-17T17:29:20.257Z]   DEBUG ziti-sdk:ziti_ctrl.c:485 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] received 1/1 for paging request GET[/services?configTypes=all]
[2025-04-17T17:29:20.257Z]   DEBUG ziti-sdk:ziti_ctrl.c:495 ctrl_body_cb() ctrl[https://ctrl1.testing.internal:443/edge/client/v1] completed paging request GET[/services?configTypes=all] in 0.015 s
[2025-04-17T17:29:23.417Z]   DEBUG ziti-edge-tunnel:ipc_cmd.c:264 on_cmd() received cmd <{"Command":"Status"}
>
[2025-04-17T17:29:23.418Z]   DEBUG ziti-edge-tunnel:ipc_cmd.c:114 on_cmd_write() IPC write complete
[2025-04-17T17:29:23.694Z]   DEBUG ziti-sdk:oidc.c:973 refresh_time_cb() refreshing OIDC token
[2025-04-17T17:29:23.800Z]   DEBUG ziti-sdk:oidc.c:946 refresh_cb() token refresh success
[2025-04-17T17:29:23.800Z]   DEBUG ziti-sdk:oidc.c:927 oidc_client_set_tokens() using access_token={"aud":["3ecb9d18-d4a7-4697-a1f8-4e308cb6a1ed"],"exp":1744914562,"iat":1744910962,"iss":"https://oidc-test.example.internal","sub":"5e27f747-73e8-4bde-a0a8-58f954c027cf","type":"oauth-access-token"}
[2025-04-17T17:29:23.800Z]   DEBUG ziti-sdk:external_auth.c:94 ext_token_cb() received access token: eyJhbGciOiJSUzI1NiIs...
[2025-04-17T17:29:23.800Z]   DEBUG ziti-sdk:oidc.c:938 oidc_client_set_tokens() scheduling token refresh in 3600 seconds
[2025-04-17T17:29:23.853Z]   ERROR ziti-sdk:oidc.c:198 parse_cb() unexpected content-type[.well-known/openid-configuration]: text/plain; charset=utf-8
[2025-04-17T17:29:23.853Z]   ERROR ziti-sdk:ha_auth.c:145 config_cb() failed to configure OIDC[https://ctrl1.testing.internal:443/oidc] client: -4071/(null)
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:171 handle_unexpected_resp() unexpected OIDC response
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:172 handle_unexpected_resp() 1.1 404 Not Found
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() transfer-encoding: chunked
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() Date: Thu, 17 Apr 2025 17:29:23 GMT
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() X-Content-Type-Options: nosniff
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() Content-Type: text/plain; charset=utf-8
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() Content-Encoding: gzip
[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:164 unhandled_body_cb() 404 page not found

[2025-04-17T17:29:23.853Z]    WARN ziti-sdk:oidc.c:166 unhandled_body_cb() status = -4095

[2025-04-17T17:29:28.422Z]   DEBUG ziti-edge-tunnel:ipc_cmd.c:264 on_cmd() received cmd <{"Command":"Status"}
>
[2025-04-17T17:29:28.422Z]   DEBUG ziti-edge-tunnel:ipc_cmd.c:114 on_cmd_write() IPC write complete
2

Hi @blup66, that definitely seems odd to me. I've been running an identity all day while working that allows me to connect to our chat server (mattermost) and I'm using an ext-jwt/OIDC.

I don't have the same sort of responses. I have seen this sort of situation when the external auth url was incorrect in the controller (among other 'misconfiguration' type of things). However if you had it misconfigured, I wouldn't expect it to work at all.

You state you're running with 2 controllers. That may perhaps be related I suppose but it's hard to know.

I don't know how to reproduce the problem locally to be able to test. :confused: I'll point this out to @ekoby and see if he sees anything in these logs.

3

Thanks @TheLumberjack !

However if you had it misconfigured, I wouldn't expect it to work at all.

I'm thinking the same. Initial login is all good!

I stumbled upon the following recently closed PR which I thought was interesting and possibly relevant: OIDC JWT backed sessions cannot verify extended certs · Issue #2999 · openziti/ziti · GitHub - I'm not sure if this 'fix' exists in the version I am running

Also, I'm not sure if this is relevant but browsing to my controllers /oidc/ (with the trailing slash) returns an error 404 in my browser. Browsing to /oidc without the trailing slash redirects back to the root fqdn with the expected json there. This seems to be slightly different behavior when compared to other bindings. For example, browsing to /edge/client/v1/ and /edge/client/v1 both return expected json

4

I accidentally pasted the wrong link (though still interesting). 404 not found on well-known OIDC configuration with default ports/localhost · Issue #2674 · openziti/ziti · GitHub is the one I meant to post. I use :443 for all controller ports.

I've also discovered the ziti controller access token iss value in my client logs is showing my https:// fqdn with :443 appended whereas the issuer listed in the well known config JSON does not have the :443 appended - Is this right? I know I'm throwing darts here but seems like I may be getting warmer.. Hopefully at least.

5

Hi @blup66,

Oh that's interesting. I don't think i've deploy on port 443 recently there may be some sort of bug. That might be the problem. The issuer needs to match exactly what's produced in the token. If they are matching, it might not matter. I'll see if I can setup on 443 and see if I can replicate the issue.

6

Hi @TheLumberjack

An update here: Very limited testing, but I think grabbing the latest ziti-edge-tunnel.exe and adding it to ZDEW may have improved some recent sleep/wake related issues I was seeing.. Will report back after some more use!

Interesting: still seeing the same 404 unexpected OIDC response every hour it looks like. As far as I can see this is while trying to hit the Ziti controller, not my external IDP, I think?

I don't have a public cert on my OIDC endpoint. Do I need one? Or only if I want to add Browzer?

I got my third HA controller back up now just before posting this just in case that was related but unfortunately still seeing the same.I'm stumped!

[2025-04-30T07:29:56.951Z] ERROR ziti-sdk:oidc.c:197 parse_cb() unexpected content-type[.well-known/openid-configuration]: text/plain; charset=utf-8
[2025-04-30T07:29:56.951Z] ERROR ziti-sdk:ha_auth.c:145 config_cb() failed to configure OIDC[
https://ctrl1.testing.internal:443/oidc] client: -4071/(null)
[2025-04-30T07:29:56.951Z] WARN ziti-sdk:oidc.c:171 handle_unexpected_resp() unexpected OIDC response
[2025-04-30T07:29:56.951Z] WARN ziti-sdk:oidc.c:172 handle_unexpected_resp() 1.1 404 Not Found
[2025-04-30T07:29:56.951Z] WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() transfer-encoding: chunked
[2025-04-30T07:29:56.951Z] WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() Date: Wed, 30 Apr 2025 07:29:56 GMT
[2025-04-30T07:29:56.951Z] WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() X-Content-Type-Options: nosniff
[2025-04-30T07:29:56.951Z] WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() Content-Type: text/plain; charset=utf-8
[2025-04-30T07:29:56.951Z] WARN ziti-sdk:oidc.c:175 handle_unexpected_resp() Content-Encoding: gzip
[2025-04-30T07:29:56.951Z] WARN ziti-sdk:oidc.c:164 unhandled_body_cb() 404 page not found

[2025-04-30T07:29:56.951Z] WARN ziti-sdk:oidc.c:166 unhandled_body_cb() status = -4095

7

Which OIDC endpoint are you referring to, the one from the controller or you IdP? I assume you mean controller because if the controller can't verify the cert from the jwks endpoint you wouldn't be able to authenticate. The OIDC endpoint from the controller is expected and intended to leverage the trust established when joining the network/adding the identity to the tunneler so altough it's a private PKI cert, it's still a trusted connection.

@ekoby does anything in ths output or this thread ring any bells? Can you have a peek?

8

port 443 seems important
what does your controller return in /version?

9

Hi @ekoby

I'm on the 15-04-25 1.6.0 build from the test repo after seeing this on 1.5.0 initially.

Here is my /version

{
"data": {
"apiVersions": {
"edge": {
"v1": {
"apiBaseUrls": [
"https://ctrl1.testing.internal:443/edge/client/v1"
],
"path": "/edge/client/v1"
}
},
"edge-client": {
"v1": {
"apiBaseUrls": [
"https://ctrl1.testing.internal:443/edge/client/v1"
],
"path": "/edge/client/v1"
}
},
"edge-management": {
"v1": {
"apiBaseUrls": [
"https://ctrl1.testing.internal:443/edge/management/v1"
],
"path": "/edge/management/v1"
}
},
"edge-oidc": {
"v1": {
"apiBaseUrls": [
"https://ctrl1.testing.internal:443"
],
"path": "/oidc"
}
},
"health-checks": {
"v1": {
"apiBaseUrls": [
"https://ctrl1.testing.internal:443"
],
"path": "/health-checks/v1"
}
}
},
"buildDate": "2020-01-01 01:01:01",
"capabilities": [
"OIDC_AUTH",
"HA_CONTROLLER"
],
"revision": "local",
"runtimeVersion": "go1.24.1",
"version": "v0.0.0"
},
"meta": {}
}

10

so controller thinks you're running on port 443, is that the case?

SDK is just trying to do a GET on https://<ctrl-address>:443/oidc/.well-known/openid-configuration

what do you see then you curl/browse to that URL?

Edit: fixed URL typos

11

Yes, running on port 443.

curl -k https://ctrl1.testing.internal:443/oidc/.well-known/openid-configuration
{"issuer":"https://ctrl1.testing.internal/oidc","authorization_endpoint":"https://ctrl1.testing.internal/oidc/authorize","token_endpoint":"https://ctrl1.testing.internal/oidc/oauth/token","introspection_endpoint":"https://ctrl1.testing.internal/oidc/oauth/introspect","userinfo_endpoint":"https://ctrl1.testing.internal/oidc/userinfo","revocation_endpoint":"https://ctrl1.testing.internal/oidc/revoke","end_session_endpoint":"https://ctrl1.testing.internal/oidc/end_session","device_authorization_endpoint":"https://ctrl1.testing.internal/oidc/device_authorization","jwks_uri":"https://ctrl1.testing.internal/oidc/keys","scopes_supported":["openid","profile","email","phone","address","offline_access"],"response_types_supported":["code","id_token","id_token token"],"grant_types_supported":["authorization_code","implicit","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:token-exchange","urn:ietf:params:oauth:grant-type:jwt-bearer","urn:ietf:params:oauth:grant-type:device_code"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"request_object_signing_alg_values_supported":["RS256"],"token_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post","private_key_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"revocation_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post","private_key_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["RS256"],"introspection_endpoint_auth_methods_supported":["client_secret_basic","private_key_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["sub","aud","exp","iat","iss","auth_time","nonce","acr","amr","c_hash","at_hash","act","scopes","client_id","azp","preferred_username","name","family_name","given_name","locale","email","email_verified","phone_number","phone_number_verified"],"code_challenge_methods_supported":["S256"],"ui_locales_supported":["en"],"request_parameter_supported":true,"request_uri_parameter_supported":false}


curl -k https://ctrl1.testing.internal/oidc/.well-known/openid-configuration
{"issuer":"https://ctrl1.testing.internal/oidc","authorization_endpoint":"https://ctrl1.testing.internal/oidc/authorize","token_endpoint":"https://ctrl1.testing.internal/oidc/oauth/token","introspection_endpoint":"https://ctrl1.testing.internal/oidc/oauth/introspect","userinfo_endpoint":"https://ctrl1.testing.internal/oidc/userinfo","revocation_endpoint":"https://ctrl1.testing.internal/oidc/revoke","end_session_endpoint":"https://ctrl1.testing.internal/oidc/end_session","device_authorization_endpoint":"https://ctrl1.testing.internal/oidc/device_authorization","jwks_uri":"https://ctrl1.testing.internal/oidc/keys","scopes_supported":["openid","profile","email","phone","address","offline_access"],"response_types_supported":["code","id_token","id_token token"],"grant_types_supported":["authorization_code","implicit","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:token-exchange","urn:ietf:params:oauth:grant-type:jwt-bearer","urn:ietf:params:oauth:grant-type:device_code"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"request_object_signing_alg_values_supported":["RS256"],"token_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post","private_key_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"revocation_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post","private_key_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["RS256"],"introspection_endpoint_auth_methods_supported":["client_secret_basic","private_key_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["sub","aud","exp","iat","iss","auth_time","nonce","acr","amr","c_hash","at_hash","act","scopes","client_id","azp","preferred_username","name","family_name","given_name","locale","email","email_verified","phone_number","phone_number_verified"],"code_challenge_methods_supported":["S256"],"ui_locales_supported":["en"],"request_parameter_supported":true,"request_uri_parameter_supported":false}