Spec-defined endpoints (RFC 6749 defines each endpoint by its role; the exact path is chosen by the provider and published through discovery)
/authorize
- Used for anything user-facing: the resource owner's browser is redirected here
- Authenticates the user, obtains consent, and returns the authorization grant (e.g. an authorization code) to the registered redirect_uri, echoing the client's state parameter so the client can tie the response to its own request
/token (or /tokens; the path varies by provider)
- Used by the client, server to server, to exchange a grant (authorization code, refresh token, client credentials, password) for tokens; confidential clients authenticate here with their client credentials
- The only endpoint used in the resource owner password credentials and client credentials flows, since neither involves a user redirect
Extension endpoints (optional; defined in separate RFCs or in OpenID Connect, and advertised in the discovery document when supported)
/introspect
- Token introspection (RFC 7662): a resource server POSTs a token and the authorization server answers whether it is active and, if so, its scope, subject, client and expiry
- Works for opaque tokens, which is the point: the caller does not need to be able to decode the token itself; the caller must authenticate to the endpoint
/revoke
- Token revocation (RFC 7009): invalidates an access token or a refresh token; revoking a refresh token should also invalidate the access tokens issued under the same grant
- Returns success even for tokens the server does not recognise, so the endpoint cannot be used to probe for valid ones
/userinfo
- Defined in OpenID Connect, not in OAuth 2.0 itself
- Returns claims about the authenticated end user (sub, name, email, ...) to a client presenting an access token issued with the openid scope plus whichever profile scopes were granted
/.well-known/oauth-authorization-server
- Fixed, well-known path (RFC 8414) that providers cannot relocate, which is what lets a client bootstrap from nothing but the issuer URL (OpenID Connect uses /.well-known/openid-configuration for the same purpose)
- Returns the authorization server metadata as a JSON discovery document: issuer, authorization_endpoint, token_endpoint, introspection_endpoint, revocation_endpoint, supported grant types, scopes, response types and code_challenge_methods
- Check that the issuer value in the document is identical to the issuer URL you derived the well-known URL from; a mismatch means you are talking to the wrong server
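A worked model of all the endpoints above, as an added example that is not part of the original notes: a toy in-memory authorization server in Python showing the check a practitioner expects at each endpoint. /authorize matches redirect_uri exactly against the registered value and echoes state; /token authenticates the client, accepts a code exactly once, and verifies PKCE (it also handles the client_credentials grant, which goes beyond the list above to show why that flow needs no other endpoint); /introspect answers active:false for unknown, expired and revoked tokens alike; /revoke returns 200 even for unknown tokens; the discovery document is RFC 8414 metadata. The issuer https://as.example, the client web-app with its secret and redirect URI, and the token format are all constructed for this example. run_flow() drives one authorization-code flow end to end and returns the checkpoints.

```python
# Toy in-memory OAuth 2.0 authorization server for the endpoints listed above (added example, not
# from the notes). Issuer URL, client registration and token format are assumptions. Stdlib only.
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://as.example"                                   # assumed issuer, not a real server
CLIENTS = {"web-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}  # constructed
_codes, _tokens = {}, {}                                        # code / token string -> record

def discovery_document():
    """GET /.well-known/oauth-authorization-server: RFC 8414 metadata the client bootstraps from."""
    return {"issuer": ISSUER, "authorization_endpoint": ISSUER + "/authorize",
            "token_endpoint": ISSUER + "/token", "introspection_endpoint": ISSUER + "/introspect",
            "revocation_endpoint": ISSUER + "/revoke", "code_challenge_methods_supported": ["S256"]}

def authorize(q, sub="alice"):
    """GET /authorize: user-facing. Assumes the user (sub) has already logged in and consented;
    returns the URL the browser is redirected to."""
    client = CLIENTS.get(q.get("client_id"))
    if client is None:
        raise ValueError("unknown_client")
    # Exact match against the registered URI and no redirect on mismatch, or the code
    # would be delivered to whoever controls the attacker-supplied URI.
    if q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("invalid_redirect_uri")
    state = q.get("state", "")           # echoed back unchanged so the client can bind the response
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                    "scope": q.get("scope", ""), "code_challenge": q.get("code_challenge"),
                    "sub": sub, "exp": time.time() + 60}       # short-lived and single use
    return client["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

def _authenticate_client(form):
    client = CLIENTS.get(form.get("client_id"))
    if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
        raise ValueError("invalid_client")

def _issue(client_id, scope, sub, ttl):
    tok = secrets.token_urlsafe(32)
    _tokens[tok] = {"client_id": client_id, "scope": scope, "sub": sub, "exp": time.time() + ttl}
    return tok

def token(form):
    """POST /token: client-to-server; the only endpoint the client-credentials flow touches."""
    _authenticate_client(form)
    if form.get("grant_type") == "client_credentials":
        return {"access_token": _issue(form["client_id"], form.get("scope", ""), None, 3600),
                "token_type": "Bearer", "expires_in": 3600}
    if form.get("grant_type") == "authorization_code":
        rec = _codes.pop(form.get("code"), None)               # pop: a code is redeemable exactly once
        if (rec is None or rec["exp"] < time.time() or rec["client_id"] != form["client_id"]
                or rec["redirect_uri"] != form.get("redirect_uri")):
            raise ValueError("invalid_grant")
        if rec["code_challenge"] is not None:                  # PKCE (RFC 7636), S256 method
            digest = hashlib.sha256(form.get("code_verifier", "").encode()).digest()
            expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
            if not hmac.compare_digest(expected, rec["code_challenge"]):
                raise ValueError("invalid_grant")
        return {"access_token": _issue(rec["client_id"], rec["scope"], rec["sub"], 3600),
                "refresh_token": _issue(rec["client_id"], rec["scope"], rec["sub"], 86400),
                "token_type": "Bearer", "expires_in": 3600, "scope": rec["scope"]}
    raise ValueError("unsupported_grant_type")

def introspect(form):
    """POST /introspect (RFC 7662): is this token live, and for whom and what?"""
    _authenticate_client(form)
    rec = _tokens.get(form.get("token"))
    if rec is None or rec["exp"] < time.time():
        return {"active": False}                               # same answer for unknown, expired, revoked
    return {"active": True, "client_id": rec["client_id"], "scope": rec["scope"],
            "sub": rec["sub"], "exp": int(rec["exp"])}

def revoke(form):
    """POST /revoke (RFC 7009): invalidate an access or refresh token; 200 even for unknown tokens."""
    _authenticate_client(form)
    rec = _tokens.get(form.get("token"))
    if rec is not None and rec["client_id"] == form["client_id"]:   # only the owning client may revoke
        del _tokens[form["token"]]
    return 200                                                 # unknown tokens are not an error (no probing)

def run_flow():
    """Drive one authorization-code + PKCE flow through every endpoint; returns checkpoints."""
    verifier = secrets.token_urlsafe(48)
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    state = secrets.token_urlsafe(16)
    redirect = authorize({"client_id": "web-app", "redirect_uri": CLIENTS["web-app"]["redirect_uri"],
                          "response_type": "code", "scope": "read", "state": state,
                          "code_challenge": challenge, "code_challenge_method": "S256"})
    qs = parse_qs(urlparse(redirect).query)                    # what the client sees at its callback
    creds = {"client_id": "web-app", "client_secret": "s3cret"}
    exchange = dict(creds, grant_type="authorization_code", code=qs["code"][0],
                    redirect_uri=CLIENTS["web-app"]["redirect_uri"], code_verifier=verifier)
    tokens = token(exchange)
    try:
        token(exchange)                                        # replaying the same code must fail
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    before = introspect(dict(creds, token=tokens["access_token"]))
    revoke(dict(creds, token=tokens["access_token"]))
    after = introspect(dict(creds, token=tokens["access_token"]))
    return {"state_matches": qs["state"][0] == state, "replay_rejected": replay_rejected,
            "before": before, "after": after}
```

Two design points worth noticing: /authorize refuses to redirect at all when redirect_uri does not match the registered value (an error redirect would hand the code or error to the attacker's URI), and both the client secret and the PKCE challenge are compared with hmac.compare_digest rather than ==, so timing does not leak how many leading characters matched.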