Implemented OpenId configuration.

Change-Id: I4e41a6072797742266d86c1709ad8941ae2c17f1
diff --git a/full/src/main/java/de/ids_mannheim/korap/config/FullConfiguration.java b/full/src/main/java/de/ids_mannheim/korap/config/FullConfiguration.java
index 038e402..d76b057 100644
--- a/full/src/main/java/de/ids_mannheim/korap/config/FullConfiguration.java
+++ b/full/src/main/java/de/ids_mannheim/korap/config/FullConfiguration.java
@@ -26,6 +26,7 @@
 
 import de.ids_mannheim.korap.constant.AuthenticationMethod;
 import de.ids_mannheim.korap.interfaces.EncryptionIface;
+import de.ids_mannheim.korap.oauth2.openid.OpenIdConfiguration;
 
 /**
  * Configuration for Kustvakt full version including properties
@@ -74,6 +75,8 @@
 
     private URL issuer;
     private URI issuerURI;
+    private OpenIdConfiguration openidConfig;
+
     private RSAPrivateKey rsaPrivateKey;
     private JWKSet publicKeySet;
     private String rsaKeyId;
@@ -103,6 +106,99 @@
         setRSAKeys(properties);
     }
 
+    private void setOpenIdConfiguration (Properties properties)
+            throws URISyntaxException, MalformedURLException {
+        String issuerStr = properties.getProperty("security.jwt.issuer",
+                "https://korap.ids-mannheim.de");
+
+        if (!issuerStr.startsWith("http")) {
+            issuerStr = "http://" + issuerStr;
+        }
+        setIssuer(new URL(issuerStr));
+        setIssuerURI(issuer.toURI());
+
+        issuerStr = issuerURI.toString();
+
+        OpenIdConfiguration openidConfig = new OpenIdConfiguration();
+        openidConfig.setIssuer(issuerStr);
+        openidConfig.setJwks_uri(issuerStr + OpenIdConfiguration.JWKS_ENDPOINT);
+        openidConfig.setRegistration_endpoint(
+                issuerStr + OpenIdConfiguration.CLIENT_REGISTRATION_ENDPOINT);
+        openidConfig.setAuthorization_endpoint(
+                issuerStr + OpenIdConfiguration.AUTHORIZATION_ENDPOINT);
+        openidConfig.setToken_endpoint(
+                issuerStr + OpenIdConfiguration.TOKEN_ENDPOINT);
+
+        String grantTypes = properties.getProperty("openid.grant.types", "");
+        openidConfig.setGrant_types_supported(grantTypes.split(" "));
+
+        String responseTypes =
+                properties.getProperty("openid.response.types", "code");
+        openidConfig.setResponse_types_supported(responseTypes.split(" "));
+
+        String responseModes =
+                properties.getProperty("openid.response.modes", "");
+        openidConfig.setResponse_modes_supported(responseModes.split(" "));
+
+        String clientAuthMethods =
+                properties.getProperty("openid.client.auth.methods", "");
+        openidConfig.setToken_endpoint_auth_methods_supported(
+                clientAuthMethods.split(" "));
+
+        String tokenSigningAlgorithms = properties
+                .getProperty("openid.token.signing.algorithms", "RS256");
+        openidConfig.setToken_endpoint_auth_signing_alg_values_supported(
+                tokenSigningAlgorithms.split(" "));
+
+        String subjectTypes =
+                properties.getProperty("openid.subject.types", "public");
+        openidConfig.setSubject_types_supported(subjectTypes.split(" "));
+
+        String displayTypes =
+                properties.getProperty("openid.display.types", "");
+        openidConfig.setDisplay_values_supported(displayTypes.split(" "));
+
+        String supportedScopes =
+                properties.getProperty("openid.supported.scopes", "");
+        openidConfig.setScopes_supported(supportedScopes.split(" "));
+
+        String claimTypes =
+                properties.getProperty("openid.claim.types", "normal");
+        openidConfig.setClaim_types_supported(claimTypes.split(" "));
+
+        String supportedClaims =
+                properties.getProperty("openid.supported.claims", "");
+        openidConfig.setClaims_supported(supportedClaims.split(" "));
+
+        String claimLocales =
+                properties.getProperty("openid.supported.claim.locales", "");
+        openidConfig.setClaims_locales_supported(claimLocales.split(" "));
+
+        String uiLocales = properties.getProperty("openid.ui.locales", "en");
+        openidConfig.setUi_locales_supported(uiLocales.split(" "));
+
+        boolean supportClaimParam = Boolean.getBoolean(
+                properties.getProperty("openid.support.claim.param", "false"));
+        openidConfig.setClaims_parameter_supported(supportClaimParam);
+
+        openidConfig.setRequest_parameter_supported(false);
+        openidConfig.setRequest_uri_parameter_supported(false);
+        openidConfig.setRequire_request_uri_registration(false);
+        openidConfig.setMutual_tls_sender_constrained_access_tokens(false);
+
+        String privacyPolicy =
+                properties.getProperty("openid.privacy.policy", "");
+        openidConfig.setOp_policy_uri(privacyPolicy);
+
+        String termOfService =
+                properties.getProperty("openid.term.of.service", "");
+        openidConfig.setOp_tos_uri(termOfService);
+
+        String serviceDocURL = properties.getProperty("openid.service.doc", "");
+        openidConfig.setService_documentation(serviceDocURL);
+        this.setOpenidConfig(openidConfig);
+    }
+
     private void setRSAKeys (Properties properties)
             throws IOException, ParseException, JOSEException {
         setRsaKeyId(properties.getProperty("rsa.key.id", ""));
@@ -139,17 +235,6 @@
         setRsaPrivateKey(privateKey);
     }
 
-    private void setOpenIdConfiguration (Properties properties)
-            throws URISyntaxException, MalformedURLException {
-        String issuerStr = properties.getProperty("security.jwt.issuer", "");
-
-        if (!issuerStr.startsWith("http")) {
-            issuerStr = "http://" + issuerStr;
-        }
-        setIssuer(new URL(issuerStr));
-        setIssuerURI(issuer.toURI());
-    }
-
     private void setOAuth2Configuration (Properties properties) {
         setOAuth2passwordAuthentication(
                 Enum.valueOf(AuthenticationMethod.class, properties.getProperty(
@@ -161,13 +246,13 @@
                 .parseInt(properties.getProperty("oauth2.max.attempts", "3")));
 
         String scopes = properties.getProperty("oauth2.default.scopes",
-                "read_username read_email");
+                "openid preferred_username");
         Set<String> scopeSet =
                 Arrays.stream(scopes.split(" ")).collect(Collectors.toSet());
         setDefaultAccessScopes(scopeSet);
 
         String clientScopes = properties.getProperty(
-                "oauth2.client.credentials.scopes", "read_client_info");
+                "oauth2.client.credentials.scopes", "client_info");
         setClientCredentialsScopes(Arrays.stream(clientScopes.split(" "))
                 .collect(Collectors.toSet()));
     }
@@ -484,4 +569,11 @@
         this.rsaKeyId = rsaKeyId;
     }
 
+    public OpenIdConfiguration getOpenidConfig () {
+        return openidConfig;
+    }
+
+    public void setOpenidConfig (OpenIdConfiguration openidConfig) {
+        this.openidConfig = openidConfig;
+    }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/OpenIdConfiguration.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/OpenIdConfiguration.java
new file mode 100644
index 0000000..499b214
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/OpenIdConfiguration.java
@@ -0,0 +1,699 @@
+package de.ids_mannheim.korap.oauth2.openid;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
+
+/**
+ * Defines OpenID configuration.
+ * 
+ * Note: some configuration such as display_values_supported and
+ * ui_locales_supported are more relevant to KorAP user interface
+ * component Kalamar.
+ * 
+ * @see <a
+ *      href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID
+ *      Provider Metadata</a>
+ * @author margaretha
+ *
+ */
+@JsonInclude(Include.NON_EMPTY)
+public class OpenIdConfiguration {
+
+    public final static String JWKS_ENDPOINT = "/oauth2/openid/jwks";
+    public static final String CLIENT_REGISTRATION_ENDPOINT =
+            "/oauth2/client/register";
+    public static final String AUTHORIZATION_ENDPOINT =
+            "/oauth2/openid/authorize";
+    public static final String TOKEN_ENDPOINT = "/oauth2/openid/token";
+
+    private String issuer;
+    private String jwks_uri;
+
+    private String authorization_endpoint;
+    private String token_endpoint;
+    private String userinfo_endpoint;
+    private String registration_endpoint;
+
+    // Additional endpoints
+    private String introspection_endpoint;
+    private String revocation_endpoint;
+    private String end_session_endpoint;
+
+    private String[] scopes_supported;
+    private String[] response_types_supported;
+    private String[] response_modes_supported;
+    private String[] grant_types_supported;
+
+    private String[] token_endpoint_auth_methods_supported;
+    private String[] token_endpoint_auth_signing_alg_values_supported;
+
+    private String[] id_token_signing_alg_values_supported;
+    private String[] id_token_encryption_alg_values_supported;
+    private String[] id_token_encryption_enc_values_supported;
+
+    private String[] userinfo_signing_alg_values_supported;
+    private String[] userinfo_encryption_alg_values_supported;
+    private String[] userinfo_encryption_enc_values_supported;
+
+    private String[] request_object_signing_alg_values_supported;
+    private String[] request_object_encryption_alg_values_supported;
+    private String[] request_object_encryption_enc_values_supported;
+
+    private String[] subject_types_supported;
+    private String[] acr_values_supported;
+    private String[] display_values_supported;
+    private String[] claim_types_supported;
+    private String[] claims_supported;
+    private String[] claims_locales_supported;
+    private String[] ui_locales_supported;
+
+    private boolean claims_parameter_supported = false;
+    private boolean request_parameter_supported = false;
+    private boolean request_uri_parameter_supported = true;
+    private boolean require_request_uri_registration = false;
+
+    private String op_policy_uri;
+    private String op_tos_uri;
+    private String service_documentation;
+
+    private boolean mutual_tls_sender_constrained_access_tokens = false;
+
+    // OAuth2.0 Discovery
+    // List of Proof Key for Code Exchange (PKCE) code challenge
+    // methods supported on by the authorization server
+    // private String[] code_challenge_methods_supported;
+
+    public String getIssuer () {
+        return issuer;
+    }
+
+    /**
+     * REQUIRED
+     * 
+     * @param issuer
+     *            The server identifier, typically base-URL
+     */
+    public void setIssuer (String issuer) {
+        this.issuer = issuer;
+    }
+
+    public String getJwks_uri () {
+        return jwks_uri;
+    }
+
+    /**
+     * REQUIRED
+     * 
+     * @param jwks_uri
+     *            The public JWK set URL
+     */
+    public void setJwks_uri (String jwks_uri) {
+        this.jwks_uri = jwks_uri;
+    }
+
+    public String getAuthorization_endpoint () {
+        return authorization_endpoint;
+    }
+
+    /**
+     * REQUIRED
+     * 
+     * @param authorization_endpoint
+     *            The authorisation endpoint URL.
+     */
+    public void setAuthorization_endpoint (String authorization_endpoint) {
+        this.authorization_endpoint = authorization_endpoint;
+    }
+
+    public String getToken_endpoint () {
+        return token_endpoint;
+    }
+
+    /**
+     * REQUIRED unless only the Implicit Flow is used.
+     * 
+     * @param token_endpoint
+     *            The token endpoint URL.
+     */
+    public void setToken_endpoint (String token_endpoint) {
+        this.token_endpoint = token_endpoint;
+    }
+
+    public String getUserinfo_endpoint () {
+        return userinfo_endpoint;
+    }
+
+    /**
+     * RECOMMENDED. The URL MUST use the https scheme.
+     * 
+     * @param userinfo_endpoint
+     *            The OpenID Connect UserInfo endpoint URL.
+     */
+    public void setUserinfo_endpoint (String userinfo_endpoint) {
+        this.userinfo_endpoint = userinfo_endpoint;
+    }
+
+    public String getRegistration_endpoint () {
+        return registration_endpoint;
+    }
+
+    /**
+     * RECOMMENDED
+     * 
+     * @param registration_endpoint
+     *            The OAuth 2.0 / OpenID Connect client registration
+     *            endpoint
+     *            URL.
+     */
+    public void setRegistration_endpoint (String registration_endpoint) {
+        this.registration_endpoint = registration_endpoint;
+    }
+
+    public String[] getScopes_supported () {
+        return scopes_supported;
+    }
+
+    /**
+     * RECOMMENDED
+     * 
+     * @param scopes_supported
+     *            List of the supported scope values. Certain
+     *            values may be omitted for privacy reasons.
+     */
+    public void setScopes_supported (String[] scopes_supported) {
+        this.scopes_supported = scopes_supported;
+    }
+
+    public String[] getResponse_types_supported () {
+        return response_types_supported;
+    }
+
+    /**
+     * REQUIRED
+     * 
+     * @param response_types_supported
+     *            List of the supported response_type
+     *            values.
+     */
+    public void setResponse_types_supported (
+            String[] response_types_supported) {
+        this.response_types_supported = response_types_supported;
+    }
+
+    public String[] getResponse_modes_supported () {
+        return response_modes_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param response_modes_supported
+     *            List of the supported response mode
+     *            values.
+     */
+    public void setResponse_modes_supported (
+            String[] response_modes_supported) {
+        this.response_modes_supported = response_modes_supported;
+    }
+
+    public String[] getGrant_types_supported () {
+        return grant_types_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param grant_types_supported
+     *            List of the supported grant types.
+     */
+    public void setGrant_types_supported (String[] grant_types_supported) {
+        this.grant_types_supported = grant_types_supported;
+    }
+
+    public String[] getAcr_values_supported () {
+        return acr_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param acr_values_supported
+     *            List of the supported Authentication Context Class
+     *            References.
+     */
+    public void setAcr_values_supported (String[] acr_values_supported) {
+        this.acr_values_supported = acr_values_supported;
+    }
+
+    public String[] getSubject_types_supported () {
+        return subject_types_supported;
+    }
+
+    /**
+     * REQUIRED
+     * 
+     * @param subject_types_supported
+     *            List of the supported subject (end-user) identifier
+     *            types.
+     */
+    public void setSubject_types_supported (String[] subject_types_supported) {
+        this.subject_types_supported = subject_types_supported;
+    }
+
+    public String[] getId_token_signing_alg_values_supported () {
+        return id_token_signing_alg_values_supported;
+    }
+
+    /**
+     * REQUIRED
+     * 
+     * @param id_token_signing_alg_values_supported
+     *            List of the supported JWS algorithms for
+     *            the issued ID tokens to encode claims in a JWT.
+     */
+    public void setId_token_signing_alg_values_supported (
+            String[] id_token_signing_alg_values_supported) {
+        this.id_token_signing_alg_values_supported =
+                id_token_signing_alg_values_supported;
+    }
+
+    public String[] getId_token_encryption_alg_values_supported () {
+        return id_token_encryption_alg_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param id_token_encryption_alg_values_supported
+     *            List of the supported JWE algorithms for
+     *            the issued ID tokens to encode claims in a JWT.
+     */
+    public void setId_token_encryption_alg_values_supported (
+            String[] id_token_encryption_alg_values_supported) {
+        this.id_token_encryption_alg_values_supported =
+                id_token_encryption_alg_values_supported;
+    }
+
+    public String[] getId_token_encryption_enc_values_supported () {
+        return id_token_encryption_enc_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param id_token_encryption_enc_values_supported
+     *            List of the supported JWE encryption methods for
+     *            the issued ID tokens to encode claims in a JWT.
+     */
+    public void setId_token_encryption_enc_values_supported (
+            String[] id_token_encryption_enc_values_supported) {
+        this.id_token_encryption_enc_values_supported =
+                id_token_encryption_enc_values_supported;
+    }
+
+    public String[] getUserinfo_signing_alg_values_supported () {
+        return userinfo_signing_alg_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param userinfo_signing_alg_values_supported
+     *            List of the supported signing JWS algorithms for
+     *            encoding the claims in a JWT returned at the
+     *            UserInfo endpoint.
+     */
+    public void setUserinfo_signing_alg_values_supported (
+            String[] userinfo_signing_alg_values_supported) {
+        this.userinfo_signing_alg_values_supported =
+                userinfo_signing_alg_values_supported;
+    }
+
+    public String[] getUserinfo_encryption_alg_values_supported () {
+        return userinfo_encryption_alg_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param userinfo_encryption_alg_values_supported
+     *            List of the supported JWE encryption algorithms for
+     *            encoding the claims in a JWT returned at the
+     *            UserInfo endpoint.
+     */
+    public void setUserinfo_encryption_alg_values_supported (
+            String[] userinfo_encryption_alg_values_supported) {
+        this.userinfo_encryption_alg_values_supported =
+                userinfo_encryption_alg_values_supported;
+    }
+
+    public String[] getUserinfo_encryption_enc_values_supported () {
+        return userinfo_encryption_enc_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param userinfo_encryption_enc_values_supported
+     *            List of the supported JWE encryption methods for
+     *            encoding the claims in a JWT returned at the
+     *            UserInfo endpoint.
+     */
+    public void setUserinfo_encryption_enc_values_supported (
+            String[] userinfo_encryption_enc_values_supported) {
+        this.userinfo_encryption_enc_values_supported =
+                userinfo_encryption_enc_values_supported;
+    }
+
+    public String[] getRequest_object_signing_alg_values_supported () {
+        return request_object_signing_alg_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param request_object_signing_alg_values_supported
+     *            JSON array containing a list of supported JWS
+     *            signing algorithms (alg values) supported for
+     *            Request Objects
+     */
+    public void setRequest_object_signing_alg_values_supported (
+            String[] request_object_signing_alg_values_supported) {
+        this.request_object_signing_alg_values_supported =
+                request_object_signing_alg_values_supported;
+    }
+
+    public String[] getRequest_object_encryption_alg_values_supported () {
+        return request_object_encryption_alg_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param request_object_encryption_alg_values_supported
+     *            List of the supported JWE encryption algorithms for
+     *            OpenID Connect request objects
+     */
+    public void setRequest_object_encryption_alg_values_supported (
+            String[] request_object_encryption_alg_values_supported) {
+        this.request_object_encryption_alg_values_supported =
+                request_object_encryption_alg_values_supported;
+    }
+
+    public String[] getRequest_object_encryption_enc_values_supported () {
+        return request_object_encryption_enc_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param request_object_encryption_enc_values_supported
+     *            List of the supported JWE encryption methods for
+     *            OpenID Connect request objects, omitted or empty if
+     *            none.
+     */
+    public void setRequest_object_encryption_enc_values_supported (
+            String[] request_object_encryption_enc_values_supported) {
+        this.request_object_encryption_enc_values_supported =
+                request_object_encryption_enc_values_supported;
+    }
+
+    public String[] getToken_endpoint_auth_methods_supported () {
+        return token_endpoint_auth_methods_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param token_endpoint_auth_methods_supported
+     *            List of the supported client authentication methods
+     *            at the token endpoint.
+     */
+    public void setToken_endpoint_auth_methods_supported (
+            String[] token_endpoint_auth_methods_supported) {
+        this.token_endpoint_auth_methods_supported =
+                token_endpoint_auth_methods_supported;
+    }
+
+    public String[] getToken_endpoint_auth_signing_alg_values_supported () {
+        return token_endpoint_auth_signing_alg_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param token_endpoint_auth_signing_alg_values_supported
+     *            List of the supported JWS algorithms for JWT-based
+     *            client authentication at the token endpoint
+     */
+    public void setToken_endpoint_auth_signing_alg_values_supported (
+            String[] token_endpoint_auth_signing_alg_values_supported) {
+        this.token_endpoint_auth_signing_alg_values_supported =
+                token_endpoint_auth_signing_alg_values_supported;
+    }
+
+    public String[] getDisplay_values_supported () {
+        return display_values_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param display_values_supported
+     *            List of the supported display parameters.
+     */
+    public void setDisplay_values_supported (
+            String[] display_values_supported) {
+        this.display_values_supported = display_values_supported;
+    }
+
+    public String[] getClaim_types_supported () {
+        return claim_types_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param claim_types_supported
+     *            List of the supported OpenID Connect claim types.
+     */
+    public void setClaim_types_supported (String[] claim_types_supported) {
+        this.claim_types_supported = claim_types_supported;
+    }
+
+    public String[] getClaims_supported () {
+        return claims_supported;
+    }
+
+    /**
+     * RECOMMENDED
+     * 
+     * @param claims_supported
+     *            List of the supported OpenID Connect claims.
+     */
+    public void setClaims_supported (String[] claims_supported) {
+        this.claims_supported = claims_supported;
+    }
+
+    public String getService_documentation () {
+        return service_documentation;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param service_documentation
+     *            The service documentation URL
+     */
+    public void setService_documentation (String service_documentation) {
+        this.service_documentation = service_documentation;
+    }
+
+    public String[] getClaims_locales_supported () {
+        return claims_locales_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param claims_locales_supported
+     *            List of the supported OpenID Connect claims locales
+     */
+    public void setClaims_locales_supported (
+            String[] claims_locales_supported) {
+        this.claims_locales_supported = claims_locales_supported;
+    }
+
+    public String[] getUi_locales_supported () {
+        return ui_locales_supported;
+    }
+
+    /**
+     * OPTIONAL
+     * 
+     * @param ui_locales_supported
+     *            List of the supported UI locales
+     */
+    public void setUi_locales_supported (String[] ui_locales_supported) {
+        this.ui_locales_supported = ui_locales_supported;
+    }
+
+    public boolean isClaims_parameter_supported () {
+        return claims_parameter_supported;
+    }
+
+    /**
+     * OPTIONAL. Default false.
+     * 
+     * @param claims_parameter_supported
+     *            Specifies whether the claims request parameter is
+     *            supported.
+     */
+    public void setClaims_parameter_supported (
+            boolean claims_parameter_supported) {
+        this.claims_parameter_supported = claims_parameter_supported;
+    }
+
+    public boolean isRequest_parameter_supported () {
+        return request_parameter_supported;
+    }
+
+    /**
+     * OPTIONAL. Default false.
+     * 
+     * @param request_parameter_supported
+     *            Specifies whether the request parameter is
+     *            supported.
+     */
+    public void setRequest_parameter_supported (
+            boolean request_parameter_supported) {
+        this.request_parameter_supported = request_parameter_supported;
+    }
+
+    public boolean isRequest_uri_parameter_supported () {
+        return request_uri_parameter_supported;
+    }
+
+    /**
+     * OPTIONAL. Default true.
+     * 
+     * @param request_uri_parameter_supported
+     *            Specifies whether the request_uri parameter is
+     *            supported.
+     */
+    public void setRequest_uri_parameter_supported (
+            boolean request_uri_parameter_supported) {
+        this.request_uri_parameter_supported = request_uri_parameter_supported;
+    }
+
+    public boolean isRequire_request_uri_registration () {
+        return require_request_uri_registration;
+    }
+
+    /**
+     * OPTIONAL. Default false.
+     * 
+     * @param require_request_uri_registration
+     *            Specifies whether request URIs must be registered
+     *            for a client.
+     */
+    public void setRequire_request_uri_registration (
+            boolean require_request_uri_registration) {
+        this.require_request_uri_registration =
+                require_request_uri_registration;
+    }
+
+    public String getOp_policy_uri () {
+        return op_policy_uri;
+    }
+
+    /**
+     * OPTIONAL. URL that the OpenID Provider provides to the person
+     * registering the Client to read about the requirements on
+     * how the client can use the data provided by the OpenID
+     * Provider. The registration process SHOULD display this URL to
+     * the person registering the Client if it is given.
+     * 
+     * @param op_policy_uri
+     *            The privacy policy document URL, omitted if none.
+     */
+    public void setOp_policy_uri (String op_policy_uri) {
+        this.op_policy_uri = op_policy_uri;
+    }
+
+    public String getOp_tos_uri () {
+        return op_tos_uri;
+    }
+
+    /**
+     * @param op_tos_uri
+     *            The terms of service document URL, omitted if none.
+     */
+    public void setOp_tos_uri (String op_tos_uri) {
+        this.op_tos_uri = op_tos_uri;
+    }
+
+    public String getIntrospection_endpoint () {
+        return introspection_endpoint;
+    }
+
+    /**
+     * ADDITIONAL
+     * 
+     * @param introspection_endpoint
+     *            The token introspection endpoint URL.
+     */
+    public void setIntrospection_endpoint (String introspection_endpoint) {
+        this.introspection_endpoint = introspection_endpoint;
+    }
+
+    public String getRevocation_endpoint () {
+        return revocation_endpoint;
+    }
+
+    /**
+     * ADDITIONAL
+     * 
+     * @param revocation_endpoint
+     *            The token revocation endpoint URL.
+     */
+    public void setRevocation_endpoint (String revocation_endpoint) {
+        this.revocation_endpoint = revocation_endpoint;
+    }
+
+    public String getEnd_session_endpoint () {
+        return end_session_endpoint;
+    }
+
+    /**
+     * ADDITIONAL
+     * 
+     * @param end_session_endpoint
+     *            The OpenID Connect logout endpoint URL, omitted if
+     *            disabled.
+     */
+    public void setEnd_session_endpoint (String end_session_endpoint) {
+        this.end_session_endpoint = end_session_endpoint;
+    }
+
+    public boolean isMutual_tls_sender_constrained_access_tokens () {
+        return mutual_tls_sender_constrained_access_tokens;
+    }
+
+    /**
+     * OPTIONAL. Default false.
+     * 
+     * @see <a
+     *      href="https://tools.ietf.org/id/draft-ietf-oauth-mtls-03.html#server_metadata">Mutual
+     *      TLS Profile for OAuth 2.0</a>
+     * @param mutual_tls_sender_constrained_access_tokens
+     *            specifies whether issue of client X.509 certificate
+     *            bound access tokens is supported, omitted
+     *            implies no support.
+     */
+    public void setMutual_tls_sender_constrained_access_tokens (
+            boolean mutual_tls_sender_constrained_access_tokens) {
+        this.mutual_tls_sender_constrained_access_tokens =
+                mutual_tls_sender_constrained_access_tokens;
+    }
+}
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdConfigService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdConfigService.java
new file mode 100644
index 0000000..0820f3f
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdConfigService.java
@@ -0,0 +1,18 @@
+package de.ids_mannheim.korap.oauth2.openid.service;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import de.ids_mannheim.korap.config.FullConfiguration;
+import de.ids_mannheim.korap.oauth2.openid.OpenIdConfiguration;
+
+@Service
+public class OpenIdConfigService {
+
+    @Autowired
+    private FullConfiguration config;
+
+    public OpenIdConfiguration retrieveOpenIdConfigInfo () {
+        return config.getOpenidConfig();
+    }
+}
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2WithOpenIdController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2WithOpenIdController.java
index 29b9856..cf4fe81 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2WithOpenIdController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2WithOpenIdController.java
@@ -31,9 +31,11 @@
 import com.sun.jersey.spi.container.ResourceFilters;
 
 import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.oauth2.openid.OpenIdConfiguration;
 import de.ids_mannheim.korap.oauth2.openid.OpenIdHttpRequestWrapper;
 import de.ids_mannheim.korap.oauth2.openid.service.JWKService;
 import de.ids_mannheim.korap.oauth2.openid.service.OpenIdAuthorizationService;
+import de.ids_mannheim.korap.oauth2.openid.service.OpenIdConfigService;
 import de.ids_mannheim.korap.oauth2.openid.service.OpenIdTokenService;
 import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.web.OpenIdResponseHandler;
@@ -52,6 +54,9 @@
     @Autowired
     private JWKService jwkService;
     @Autowired
+    private OpenIdConfigService configService;
+    
+    @Autowired
     private OpenIdResponseHandler openIdResponseHandler;
 
     /**
@@ -199,9 +204,23 @@
      * @see "RFC 7517 regarding JWK (Json Web Key) and JWK Set"
      */
     @GET
-    @Path("key/public")
+    @Path("jwks")
     @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
-    public String retrievePublicKeys () {
+    public String requestPublicKeys () {
         return jwkService.generatePublicKeySetJson();
     }
+
+    /**
+     * When supporting discovery, must be available at
+     * {issuer_uri}/.well-known/openid-configuration
+     * @return 
+     * 
+     * @return
+     */
+    @GET
+    @Path("config")
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public OpenIdConfiguration requestOpenIdConfig () {
+        return configService.retrieveOpenIdConfigInfo();
+    }
 }
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/AvailabilityTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/AvailabilityTest.java
index 98502ea..15d627f 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/AvailabilityTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/AvailabilityTest.java
@@ -1,8 +1,8 @@
 package de.ids_mannheim.korap.web.controller;
 
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -103,35 +103,6 @@
 
     }
 
-    private void checkAndAll (String json) throws KustvaktException {
-        JsonNode node = JsonUtils.readTree(json);
-        assertNotNull(node);
-        assertEquals("availability(ALL)",
-                node.at("/collection/rewrites/0/scope").asText());
-        assertEquals("operation:insertion",
-                node.at("/collection/rewrites/0/operation").asText());
-
-        assertEquals("operation:and",
-                node.at("/collection/operation").asText());
-
-        node = node.at("/collection/operands/0");
-        assertEquals("operation:or", node.at("/operation").asText());
-
-        assertEquals("match:eq", node.at("/operands/0/match").asText());
-        assertEquals("match:eq", node.at("/operands/0/match").asText());
-        assertEquals("type:regex", node.at("/operands/0/type").asText());
-        assertEquals("availability", node.at("/operands/0/key").asText());
-        assertEquals("CC-BY.*", node.at("/operands/0/value").asText());
-
-        node = node.at("/operands/1");
-        assertEquals("operation:or", node.at("/operation").asText());
-        assertEquals("match:eq", node.at("/operands/0/match").asText());
-        assertEquals("ACA.*", node.at("/operands/0/value").asText());
-        assertEquals("match:eq", node.at("/operands/1/match").asText());
-        assertEquals("QAO.*", node.at("/operands/1/value").asText());
-
-    }
-
     private void checkAndAllWithACA (String json) throws KustvaktException {
         JsonNode node = JsonUtils.readTree(json);
         assertNotNull(node);
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
index 97efe8d..497218c 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
@@ -171,7 +171,7 @@
         MultivaluedMap<String, String> authForm = new MultivaluedMapImpl();
         authForm.add("response_type", "code");
         authForm.add("client_id", "fCBbQkAyYzI4NzUxMg");
-        authForm.add("scope", "read_username");
+        authForm.add("scope", "username");
 
         ClientResponse response =
                 requestAuthorizationConfidentialClient(authForm);
@@ -181,7 +181,7 @@
         String code = params.get("code").get(0);
         String scopes = params.get("scope").get(0);
 
-        assertEquals(scopes, "read_username");
+        assertEquals(scopes, "username");
 
         MultivaluedMap<String, String> tokenForm = new MultivaluedMapImpl();
         tokenForm.add("grant_type", "authorization_code");
@@ -241,7 +241,7 @@
         MultivaluedMap<String, String> authForm = new MultivaluedMapImpl();
         authForm.add("response_type", "code");
         authForm.add("client_id", "fCBbQkAyYzI4NzUxMg");
-        authForm.add("scope", "read_username");
+        authForm.add("scope", "username");
         authForm.add("redirect_uri", uri);
 
         ClientResponse response =
@@ -437,7 +437,7 @@
         form.add("grant_type", "client_credentials");
         form.add("client_id", "fCBbQkAyYzI4NzUxMg");
         form.add("client_secret", "secret");
-        form.add("scope", "read_username read_client_info");
+        form.add("scope", "preferred_username client_info");
 
         ClientResponse response = requestToken(form);
         String entity = response.getEntity(String.class);
@@ -450,7 +450,7 @@
         assertEquals(TokenType.BEARER.toString(),
                 node.at("/token_type").asText());
         assertNotNull(node.at("/expires_in").asText());
-        assertEquals("read_client_info", node.at("/scope").asText());
+        assertEquals("client_info", node.at("/scope").asText());
     }
 
     @Test
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
index 5459c6d..6594fdd 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
@@ -316,7 +316,7 @@
     @Test
     public void testPublicKeyAPI () throws KustvaktException {
         ClientResponse response = resource().path("oauth2").path("openid")
-                .path("key").path("public").get(ClientResponse.class);
+                .path("jwks").get(ClientResponse.class);
         String entity = response.getEntity(String.class);
         JsonNode node = JsonUtils.readTree(entity);
         assertEquals(1,node.at("/keys").size());
@@ -326,4 +326,18 @@
         assertNotNull(node.at("/e").asText());
         assertNotNull(node.at("/n").asText());
     }
+ 
+    @Test
+    public void testOpenIDConfiguration () throws KustvaktException {
+        ClientResponse response = resource().path("oauth2").path("openid")
+                .path("config").get(ClientResponse.class);
+        String entity = response.getEntity(String.class);
+        JsonNode node = JsonUtils.readTree(entity);
+        assertNotNull(node.at("/issuer"));
+        assertNotNull(node.at("/authorization_endpoint"));
+        assertNotNull(node.at("/token_endpoint"));
+        assertNotNull(node.at("/response_types_supported"));
+        assertNotNull(node.at("/subject_types_supported"));
+        assertNotNull(node.at("/id_token_signing_alg_values_supported"));
+    }
 }
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceInfoControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceInfoControllerTest.java
index e96e523..fa40e73 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceInfoControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/ResourceInfoControllerTest.java
@@ -14,7 +14,6 @@
 
 import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
 import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.constant.TokenType;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.utils.JsonUtils;
 import de.ids_mannheim.korap.web.FastJerseyTest;
diff --git a/full/src/test/resources/kustvakt-test.conf b/full/src/test/resources/kustvakt-test.conf
index 48ce51c..9061918 100644
--- a/full/src/test/resources/kustvakt-test.conf
+++ b/full/src/test/resources/kustvakt-test.conf
@@ -43,18 +43,36 @@
 
 ## options referring to the security module!
 
-## OAuth 
+## OAuth
 ### (see de.ids_mannheim.korap.constant.AuthenticationMethod for possible 
 ### oauth.password.authentication values)
-oauth.password.authentication = TEST
-oauth.native.client.host=korap.ids-mannheim.de
+oauth2.password.authentication = TEST
+oauth2.native.client.host = korap.ids-mannheim.de
 oauth2.max.attempts = 2
 # -- scopes separated by space
-oauth2.default.scopes = openid read_username read_email 
-oauth2.client.credentials.scopes = read_client_info
+oauth2.default.scopes = openid username email
+oauth2.client.credentials.scopes = client_info
+
+## OpenId
+### multiple values are separated by space
+openid.grant.types = authorization_code
+openid.response.types = code
+openid.response.modes = query
+openid.client.auth.methods = client_secret_basic client_secret_post
+openid.token.signing.algorithms = RS256
+openid.subject.types = public
+openid.display.types = page
+openid.supported.scopes = openid email
+openid.support.claim.param = false
+openid.claim.types = normal
+openid.supported.claims = iss sub aud exp iat
+openid.ui.locales = en
+#openid.privacy.policy = 
+#openid.term.of.service =
+openid.service.doc = https://github.com/KorAP/Kustvakt/wiki
 
 ## JWT
-security.jwt.issuer=korap.ids-mannheim.de
+security.jwt.issuer=https://korap.ids-mannheim.de
 
 ## JWK
 rsa.private = kustvakt_rsa.key