webfinger | Webfinger client library for Node.js | HTTP library

I'm using OpenID Connect to control access to my REST API. One of the things I need to do when servicing a request is get the OIDC UserInfo based on the access token in request's Authorization: Bearer ... header.

To this point I've been working with JWTs and this works fine. I'm looking at expanding this to work with opaque tokens as well.

My strategy has been based on my understanding of the OpenID Connect Discovery spec, section 4:

1. Extract the iss from the access token.
2. Discover the userinfo endpoint by getting ${iss}/.well-known/openid-configuration and querying the JSON for userinfo_endpoint.
3. HTTP GET the userinfo_endpoint, passing the access token as an Authorization: Bearer ... header.

This works fine for opaque tokens... except for step 1. Currently, I have to know who the issuer is via an out-of-band mechanism because I don't know how to get the issuer from the opaque token (which, to be honest, makes sense given that it's opaque). I see a few possibilities:

• Maybe I'm just supposed to know who issued it and my question is misguided.
• Maybe the best thing to do is try a list of known issuers and see if one of them works.
• Maybe there's a mechanism for discovering the issuer of the opaque token. (The spec refers to WebFinger, but that doesn't seem like it fits my use case.)
• Maybe there's something I haven't considered...

Thanks all for any help.

I have a test which simulates a request from a remote server which does not exist:

I'm following the instructions to install Nextcloud on an nginx server. I copy the configuration from the offical documentation, i set my server name and my ssl certificate path, and when i try to reach nextcloud from my browser i get

"500 Internal server error".

When i check in the error.log i get

rewrite or internal redirection cycle while processing "/index.php"

This is my configuration file: