IdentityServer4 why we need a discovery endpoint

Disclaimer: I am new to IdentityServer. Currently experimenting with IdentityServer4.

We have a web server with C# web services that should only be accessible to authorized users. We want to use IdentityServer4 to issue JWT access tokens.

Partners access the token endpoint to receive the JWT token. Our backend servers receive the token and then make a call to the discovery endpoint on the identity server to decrypt the token.

I don't understand how this is provided.

  • Do I need to publish the discovery endpoint?

I want my internal backend applications to use it.

  • I wonder if I really need to publish the discovery endpoint. Shouldn't we protect it?
  • Is there any other way to decrypt the token?

Thanks for the help!

+3




1 answer


A discovery endpoint (the well-known OpenID configuration) serves what is known as a discovery document. In general terms, for most practical purposes, OpenID Connect clients can use this document to configure themselves against the OpenID Connect provider.

In general terms, some clients, whatever the implementation platform, be it .NET, Java or Python, may want to get the discovery document in order to validate tokens that were supposedly issued by that security token service.

Let's take a look at Google's discovery document, for example, which can be found here; you will notice that it is a fairly standard discovery document, although they have some custom values for each of the keys in it. They support RS256 for token signing only, and they support a variety of OpenID Connect flows, represented by the response_types_supported key in this document. This document can give any client relying on this OpenID Connect provider a lot of information without having to pre-enroll in the protocol.



Finally, regarding your security questions. You need to publish your discovery endpoint. jwks_uri is the URI at your OpenID Connect provider that contains your JSON Web Key Set; this is a set of security material (usually public or shared keys) that is used to validate tokens during the verification process.

You can also use the introspection endpoint (located through the discovery document) to validate tokens. You are not decrypting tokens, they are just being verified. Tokens are encrypted by virtue of SSL. So if you want to use the introspection endpoint to validate tokens, that means you add this token validation callback on top of every request that uses the JWT bearer token.

In short, the discovery document is very important: it contains security material that can allow you to validate the JWT without making an out-of-band call.

+5


source
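Added example (not code from the question, the answer or IdentityServer4 itself) showing the point the answer makes: the discovery document's jwks_uri hands a backend public key material only, and with that the backend verifies (never decrypts) an RS256 token locally, with no per-request call to the identity server. RSA and PKCS#1 v1.5 are written out inline purely so the example runs offline on the standard library; the key size and random source are toy-grade, and in production the JWT bearer middleware or a vetted library does this. ISSUER, AUDIENCE, the URLs, the kid and the subject names are made-up assumptions.

```python
import base64
import hashlib
import json
import random

ISSUER = "https://idp.example.com"   # assumed IdentityServer4 address
AUDIENCE = "backend-api"             # assumed API resource name
KID = "demo-key-1"                   # assumed key id advertised in the JWKS

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 24) -> bool:  # Miller-Rabin, demo-grade
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and odd
        if _is_probable_prime(c):
            return c

def generate_rsa_keypair(bits: int = 1024) -> dict:  # toy key: small, non-CSPRNG, demo only
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017

def _pkcs1_v15_encode(message: bytes, k: int) -> int:
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(message: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_pkcs1_v15_encode(message, k), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(message: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    # Recompute the expected encoding and compare it whole; never parse the padding.
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _pkcs1_v15_encode(message, k)

def build_discovery(key: dict) -> tuple:  # what the IdP publishes: public values only, no "d"
    to_b = lambda x: b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                      "n": to_b(key["n"]), "e": to_b(key["e"])}]}
    discovery = {"issuer": ISSUER,
                 "token_endpoint": ISSUER + "/connect/token",
                 "introspection_endpoint": ISSUER + "/connect/introspect",
                 "jwks_uri": ISSUER + "/.well-known/openid-configuration/jwks"}
    return discovery, jwks

def issue_token(key: dict, sub: str, now: int, lifetime: int = 3600) -> str:  # token endpoint
    header = {"alg": "RS256", "typ": "JWT", "kid": KID}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "iat": now, "exp": now + lifetime}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), key))  # PRIVATE key

def peek_claims(token: str) -> dict:  # payload is only base64url-encoded, not encrypted
    return json.loads(b64url_decode(token.split(".")[1]))

def validate_token(token: str, jwks: dict, now: int) -> dict:  # backend, using only the JWKS
    h64, p64, s64 = token.split(".")          # malformed input raises ValueError (or a subclass)
    header = json.loads(b64url_decode(h64))
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # allow-list; never "none"
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(jwk[name]), "big") for name in ("n", "e"))
    if not rs256_verify((h64 + "." + p64).encode(), b64url_decode(s64), n, e):
        raise ValueError("bad signature")
    claims = peek_claims(token)               # only now are the claims trustworthy
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims
```

The backend fetches the discovery document once, follows jwks_uri, caches the key set and then runs validate_token on every request without talking to the identity server again; publishing the endpoint therefore exposes nothing secret, because the JWKS carries n and e but never d. Rotating the signing key only means publishing a new kid in the JWKS and letting caches refresh. The introspection path the answer mentions is the alternative that costs a network call per request and is not shown here.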