The relying party first needs to determine the Interac Hub API endpoints required to make and receive API requests/responses. These can be obtained by performing an HTTP GET request to the Hub's .well-known/openid-configuration endpoint.

GET /.well-known/openid-configuration HTTP/1.1
Host: hub_server.example.com

The Interac Developer Portal (Hub developer sandbox) has a single well-known endpoint:

<https://gateway-portal.hub-verify.innovation.interac.ca/.well-known/openid-configuration>

The Hub preprod and prod environments are restricted and their well-known endpoints will be provided during partner onboarding.

The following metadata obtained from the well-known endpoint is required for Hub API requests:

REQUIREMENT	KEY	DESCRIPTION
Required	`authorization_endpoint`	The URL to send the HTTP GET request to the Hub to initiate the auth request
Required	`token_endpoint`	The URL to send the HTTP POST request to the Hub to obtain an access token
Required	`userinfo_endpoint`	The URL to send the HTTP GET request to the Hub to obtain the user claims (PII data)
Optional	`pushed_authorization_request_endpoint`	The URL to send the HTTP POST request to the Hub to initiate a PAR request. This is required only if your client is configured for PAR requests and/or the subject matching feature is enabled.
Required	`issuer`	This will be the value of the `iss` field in the RP's signed request object during the auth flow.

Parsing Endpoints: As these endpoints are subject to change, it is good practice to query this .well-known/openid-configuration endpoint periodically to ensure that that the URLs being used are current.

Referenced Standard(s): OpenID 4. Obtaining OpenID Provider Configuration Information

Example Request / Response:

curl https://gateway-devportal2.pp.vids.dev/.well-known/openid-configuration

{
    "authorization_endpoint": "https://gateway-devportal2.pp.vids.dev/auth",
    "backchannel_logout_session_supported": true,
    "backchannel_logout_supported": true,
    "claims_supported": [
        "sub"
    ],
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "end_session_endpoint": "https://gateway-devportal2.pp.vids.dev/oauth2/sessions/logout",
    "frontchannel_logout_session_supported": true,
    "frontchannel_logout_supported": true,
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "client_credentials",
        "refresh_token"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "issuer": "https://gateway-devportal2.pp.vids.dev/",
    "jwks_uri": "https://gateway-devportal2.pp.vids.dev/.well-known/jwks.json",
    "request_object_signing_alg_values_supported": [
        "RS256",
        "none"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": true,
    "require_request_uri_registration": true,
    "response_modes_supported": [
        "query",
        "fragment"
    ],
    "response_types_supported": [
        "code",
        "code id_token",
        "id_token",
        "token id_token",
        "token",
        "token id_token code"
    ],
    "revocation_endpoint": "https://gateway-devportal2.pp.vids.dev/oauth2/revoke",
    "scopes_supported": [
        "offline_access",
        "offline",
        "openid"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "token_endpoint": "https://gateway-devportal2.pp.vids.dev/oauth2/token",
    "token_endpoint_auth_methods_supported": [
        "client_secret_post",
        "client_secret_basic",
        "private_key_jwt",
        "none"
    ],
    "userinfo_endpoint": "https://gateway-devportal2.pp.vids.dev/userinfo",
    "userinfo_signing_alg_values_supported": [
        "none",
        "RS256"
    ],
    "pushed_authorization_request_endpoint": "https://gateway-devportal2.pp.vids.dev/auth/par"
}