OIDC .well-known/openid-configuration missing required property for Microsoft Entra CIAM

Hello,

I’m trying to register my authentication service, which uses TMS Sphinx, as a Custom OpenID Connect (OIDC) provider inside Microsoft Entra External ID (CIAM).

During the validation of the discovery endpoint (/.well-known/openid-configuration), Microsoft returns the following error:

Custom OIDC well-known endpoint validation error:
Error when deserializing response
Required property 'token_endpoint_auth_methods_supported' not found in JSON.
Path '', line 10, position 1.

When inspecting the discovery response generated by Sphinx, I confirmed that the field token_endpoint_auth_methods_supported is indeed missing.
The current JSON looks like this:

{
  "issuer": "https://url.com",
  "authorization_endpoint": "https://url.com/oauth/authorize",
  "token_endpoint": "https://url.com/oauth/token",
  "response_types_supported": ["code", "id_token", "id_token token"]
}

According to RFC 8414 (OAuth 2.0 Authorization Server Metadata), the field token_endpoint_auth_methods_supported is optional and defaults to client_secret_basic.
However, Microsoft Entra External ID strictly requires this field to be present in the discovery document, otherwise the provider registration fails.

Upon reviewing the unit Sphinx.DiscoveryService.Impl, I noticed that the method TOidcDiscoveryService.GetMetadata creates an instance of TOidcProviderMetadata, but this class does not define or populate the mentioned property.

Relevant code snippet:

Result := TOidcProviderMetadata.Create;
Result.Issuer := Handler.Context.RequiredItem<IIssuerProvider>.GetIssuer;
Result.AuthorizationEndpoint := Handler.AbsoluteUrl('oauth/authorize', True);
Result.TokenEndpoint := Handler.AbsoluteUrl('oauth/token', True);
Result.ResponseTypesSupported := TArray<string>.Create(ResponseTypes.Code, ResponseTypes.IdToken, ResponseTypes.IdTokenToken);

I would like to confirm whether there is an official or recommended way to include additional metadata fields in the discovery document — specifically token_endpoint_auth_methods_supported — without needing to completely override the default TOidcDiscoveryService implementation.

This limitation currently prevents direct integration of TMS Sphinx with external identity providers that strictly validate OIDC discovery metadata, such as Microsoft Entra ID (CIAM).

Thank you for your attention

No, the discovery document was not built to be easily extensible - it doesn't make much sense to put effort into it for that, since it's a standard specification and, as you said, token_endpoint_auth_methods_supported is optional.

We can add it in a future release, but until then, indeed, you will have to either override the implementation or modify the Sphinx source code to add it there.

It would be interesting if you could add it yourself and check whether Microsoft Entra requires yet another optional field, so we can add those as well.
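A small checker for the discovery document discussed in the question and in the reply's request to find out which other optional fields Entra insists on, added here as an example; it is not part of this thread and not TMS Sphinx code. It uses the JSON quoted in the question as a constructed sample (the real document Sphinx serves may be longer than the excerpt), reports which fields OpenID Connect Discovery 1.0 marks REQUIRED are absent, separately reports the optional field Entra External ID rejects the document for, and builds a copy with the RFC 8414 / OIDC Discovery defaults filled in, so a strict validator sees exactly the value the spec already tells lenient clients to assume. The STRICT_REQUIRED tuple is an assumption holding only the field this thread documents; extend it as further rejections turn up.

```python
import json
from typing import Dict, List

# Metadata that OpenID Connect Discovery 1.0, section 3, marks REQUIRED
# for every provider (token_endpoint is handled separately below).
OIDC_REQUIRED = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# OPTIONAL metadata and the default RFC 8414 / OIDC Discovery assign when absent.
SPEC_DEFAULTS = {
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "response_modes_supported": ["query", "fragment"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "claim_types_supported": ["normal"],
}

# Fields a strict relying party demands although the spec makes them optional.
# Assumption: only the field reported in the thread above (Entra External ID
# rejecting a document without token_endpoint_auth_methods_supported).
STRICT_REQUIRED = ("token_endpoint_auth_methods_supported",)

# Constructed sample: the document as quoted in the question.
SPHINX_DOC = {
    "issuer": "https://url.com",
    "authorization_endpoint": "https://url.com/oauth/authorize",
    "token_endpoint": "https://url.com/oauth/token",
    "response_types_supported": ["code", "id_token", "id_token token"],
}


def missing_spec_fields(doc: Dict) -> List[str]:
    """REQUIRED OIDC Discovery fields absent from doc.

    token_endpoint is REQUIRED unless the provider supports only the implicit
    flow, i.e. no advertised response type contains 'code'.
    """
    missing = [k for k in OIDC_REQUIRED if k not in doc]
    uses_code = any("code" in rt.split()
                    for rt in doc.get("response_types_supported", []))
    if uses_code and "token_endpoint" not in doc:
        missing.append("token_endpoint")
    return missing


def missing_strict_fields(doc: Dict) -> List[str]:
    """Optional fields a strict validator would still reject doc for."""
    return [k for k in STRICT_REQUIRED if k not in doc]


def with_spec_defaults(doc: Dict) -> Dict:
    """Copy of doc with every optional field set to its spec default.

    A compliant client assumes these values anyway, so serving them
    explicitly changes nothing for it and satisfies strict validators.
    """
    out = dict(doc)
    for key, value in SPEC_DEFAULTS.items():
        out.setdefault(key, list(value))
    return out


def discovery_url(doc: Dict) -> str:
    """URL a client derives from the issuer; the document must live there."""
    return doc["issuer"].rstrip("/") + "/.well-known/openid-configuration"


def check(doc_json: str) -> Dict[str, List[str]]:
    """Run all checks on a raw discovery response body."""
    doc = json.loads(doc_json)
    return {
        "spec_missing": missing_spec_fields(doc),
        "strict_missing": missing_strict_fields(doc),
        "strict_missing_after_defaults":
            missing_strict_fields(with_spec_defaults(doc)),
    }


if __name__ == "__main__":
    print(json.dumps(check(json.dumps(SPHINX_DOC)), indent=2))
    print(json.dumps(with_spec_defaults(SPHINX_DOC), indent=2))
```

Run it against the live response (`check(requests.get(discovery_url(doc)).text)` or the body saved from curl) after each Sphinx change; `spec_missing` tells you what any client may legitimately refuse, `strict_missing` what only Entra refuses, and the defaults-filled copy is what the patched discovery document should serve.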