Mapping OIDC Endpoints with Nmap

The port was open. The service was listening. But the identity flow hid behind layers you couldn’t see. Nmap meets OpenID Connect (OIDC) when the mission moves beyond scanning hosts and into mapping authentication surfaces.

Nmap is not built to speak OIDC directly. It scans networks, fingerprints protocols, identifies services. OIDC runs on top of OAuth 2.0, using JSON Web Tokens, discovery documents, and authorization endpoints. To link these worlds, you pair Nmap’s scripting engine (NSE) with HTTP requests to the OIDC metadata path. The goal: detect authentication endpoints, confirm token issuance addresses, and catch misconfigurations before they become attack vectors.

The standard OIDC discovery document lives at /.well-known/openid-configuration. An NSE script can request this path from identified HTTP(S) services. When the document is found, parse it to extract authorization_endpoint, token_endpoint, and userinfo_endpoint. From here you can map the identity infrastructure behind the surface port.

Security teams use this method to spot exposed development OIDC endpoints, expired TLS certificates on token servers, or differences between staging and production identity flows. A misaligned discovery path can break SSO or allow token leaks. Automating detection with Nmap ensures that your OIDC topology stays visible.
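The parsing and checking step described in the two paragraphs above, as an added example that is not code from the original post or from Nmap. It is written in Python rather than NSE Lua so it runs offline on an already-fetched response body. The function name audit_discovery, the example.test hostnames and the sample document are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Constructed sample: a discovery document as it might be returned from
# https://login.example.test/.well-known/openid-configuration
SAMPLE_BODY = json.dumps({
    "issuer": "https://login.example.test",
    "authorization_endpoint": "https://login.example.test/authorize",
    "token_endpoint": "http://login.example.test/token",
    "userinfo_endpoint": "https://staging-id.example.test/userinfo",
})

def audit_discovery(base_url, body):
    """Return (endpoints, findings) for a discovery document fetched from base_url."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {}, ["response is not valid JSON"]
    if not isinstance(doc, dict):
        return {}, ["discovery document is not a JSON object"]
    findings = []
    issuer = doc.get("issuer")
    if not isinstance(issuer, str):
        findings.append("issuer missing")
        issuer = ""
    elif issuer.rstrip("/") != base_url.rstrip("/"):  # trailing slash ignored
        findings.append(f"issuer {issuer} does not match scanned base {base_url}")
    issuer_host = urlsplit(issuer).hostname
    endpoints = {}
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if not isinstance(value, str):
            findings.append(f"{key} not present")
            continue
        endpoints[key] = value
        parts = urlsplit(value)
        if parts.scheme != "https":
            findings.append(f"{key} is not served over https")
        if parts.hostname != issuer_host:
            findings.append(f"{key} host {parts.hostname} differs from issuer host")
    return endpoints, findings

if __name__ == "__main__":
    endpoints, findings = audit_discovery("https://login.example.test", SAMPLE_BODY)
    for name, url in endpoints.items():
        print(f"{name}: {url}")
    for finding in findings:
        print(f"[!] {finding}")
```

A host that differs from the issuer is not always a fault, since some providers serve endpoints from separate hosts; treat that finding as a prompt to confirm the host belongs to the intended environment.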

Combine Nmap’s service discovery with OIDC endpoint analysis to audit authentication stacks quickly. No manual browser work. No guessing. Just scripted network reconnaissance that knows where and how identities are managed.

Run it. Watch Nmap find the open door. Watch OIDC tell you where it leads.
