amaydixit11 · amaydixit11 · Dec 14, 2025 · Dec 14, 2025 · Dec 14, 2025 · Dec 14, 2025
diff --git a/certify-core/src/main/java/io/mosip/certify/core/constants/Constants.java b/certify-core/src/main/java/io/mosip/certify/core/constants/Constants.java
@@ -45,4 +45,7 @@ public class Constants {
     public static final String PRE_AUTH_CODE_PREFIX = "pre_auth_code:";
     public static final String CREDENTIAL_OFFER_PREFIX = "credential_offer:";
     public static final String PRE_AUTHORIZED_CODE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:pre-authorized_code";
+    public static final String AS_METADATA_PREFIX = "as_metadata:";
+    public static final String WELL_KNOWN_OAUTH_AS = "/.well-known/oauth-authorization-server";
+    public static final String WELL_KNOWN_OIDC_CONFIG = "/.well-known/openid-configuration";
 }
diff --git a/certify-core/src/main/java/io/mosip/certify/core/constants/ErrorConstants.java b/certify-core/src/main/java/io/mosip/certify/core/constants/ErrorConstants.java
@@ -57,4 +57,8 @@ public class ErrorConstants {
     public static final String UNKNOWN_CLAIMS = "unknown_claims";
     public static final String INVALID_EXPIRY_RANGE = "invalid_expiry_range";
     public static final String INVALID_OFFER_ID_FORMAT = "invalid_offer_id_format";
+    public static final String AUTHORIZATION_SERVER_DISCOVERY_FAILED = "authorization_server_discovery_failed";
+    public static final String INVALID_AUTHORIZATION_SERVER = "invalid_authorization_server";
+    public static final String AUTHORIZATION_SERVER_NOT_CONFIGURED = "authorization_server_not_configured";
+
 }
diff --git a/certify-core/src/main/java/io/mosip/certify/core/dto/AuthorizationServerConfig.java b/certify-core/src/main/java/io/mosip/certify/core/dto/AuthorizationServerConfig.java
@@ -0,0 +1,26 @@
+package io.mosip.certify.core.dto;
+
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import java.io.Serializable;
+
+/**
+ * Configuration for a single authorization server
+ */
+@Data
+@Builder
+@AllArgsConstructor
+@NoArgsConstructor
+public class AuthorizationServerConfig implements Serializable {
+    private static final long serialVersionUID = 1L;
+
+    private String serverId;
+    private String serverUrl;
+    private boolean internal;
+    private String wellKnownUrl;
+    private long metadataCachedAt;
+    private AuthorizationServerMetadata metadata;
+}
diff --git a/certify-core/src/main/java/io/mosip/certify/core/dto/AuthorizationServerMetadata.java b/certify-core/src/main/java/io/mosip/certify/core/dto/AuthorizationServerMetadata.java
@@ -0,0 +1,50 @@
+package io.mosip.certify.core.dto;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import java.util.List;
+
+/**
+ * Authorization Server Metadata as per RFC 8414
+ * Source: https://www.rfc-editor.org/rfc/rfc8414.html
+ * Used for discovery via /.well-known/oauth-authorization-server
+ */
+@Data
+@Builder
+@AllArgsConstructor
+@NoArgsConstructor
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class AuthorizationServerMetadata {
+
+    @JsonProperty("issuer")
+    private String issuer;
+
+    @JsonProperty("token_endpoint")
+    private String tokenEndpoint;
+
+    @JsonProperty("jwks_uri")
+    private String jwksUri;
+
+    @JsonProperty("authorization_endpoint")
+    private String authorizationEndpoint;
+
+    @JsonProperty("response_types_supported")
+    private List<String> responseTypesSupported;
+
+    @JsonProperty("grant_types_supported")
+    private List<String> grantTypesSupported;
+
+    @JsonProperty("token_endpoint_auth_methods_supported")
+    private List<String> tokenEndpointAuthMethodsSupported;
+
+    @JsonProperty("code_challenge_methods_supported")
+    private List<String> codeChallengeMethodsSupported;
+
+    @JsonProperty("scopes_supported")
+    private List<String> scopesSupported;
+}
diff --git a/certify-core/src/main/java/io/mosip/certify/core/dto/CredentialOfferResponse.java b/certify-core/src/main/java/io/mosip/certify/core/dto/CredentialOfferResponse.java
@@ -22,4 +22,7 @@ public class CredentialOfferResponse {
 
     @JsonProperty("grants")
     private Grant grants;
+
+    @JsonProperty("authorization_server")
+    private String authorizationServer;
 }
diff --git a/certify-core/src/main/java/io/mosip/certify/core/dto/Grant.java b/certify-core/src/main/java/io/mosip/certify/core/dto/Grant.java
@@ -13,18 +13,34 @@
 public class Grant {
 
     @JsonProperty("urn:ietf:params:oauth:grant-type:pre-authorized_code")
-    private PreAuthorizedCodeGrant preAuthorizedCode;
+    private PreAuthorizedCodeGrantType preAuthorizedCode;
+
+    @JsonProperty("authorization_code")
+    private AuthorizedCodeGrantType authorizationCode;
 
     @Data
     @Builder
     @AllArgsConstructor
     @NoArgsConstructor
-    public static class PreAuthorizedCodeGrant {
+    public static class PreAuthorizedCodeGrantType {
 
         @JsonProperty("pre-authorized_code")
         private String preAuthorizedCode;
 
         @JsonProperty("tx_code")
         private TxCode txCode;
     }
+
+    @Data
+    @Builder
+    @AllArgsConstructor
+    @NoArgsConstructor
+    public static class AuthorizedCodeGrantType {
+
+        @JsonProperty("issuer_state")
+        private String issuerState;
+
+        @JsonProperty("authorization_server")
+        private String authorizationServer;
+    }
 }
diff --git a/certify-service/src/main/java/io/mosip/certify/advice/ExceptionHandlerAdvice.java b/certify-service/src/main/java/io/mosip/certify/advice/ExceptionHandlerAdvice.java
@@ -118,15 +118,16 @@ private ResponseEntity<ResponseWrapper> handleInternalControllerException(Except
         }
         if(ex instanceof MissingServletRequestParameterException) {
             return new ResponseEntity<ResponseWrapper>(getResponseWrapper(INVALID_REQUEST, ex.getMessage()),
-                    HttpStatus.OK);
+                    HttpStatus.BAD_REQUEST);
         }
         if(ex instanceof HttpMediaTypeNotAcceptableException) {
             return new ResponseEntity<ResponseWrapper>(getResponseWrapper(INVALID_REQUEST, ex.getMessage()),
-                    HttpStatus.OK);
+                    HttpStatus.NOT_ACCEPTABLE);
         }
         if(ex instanceof CertifyException) {
             String errorCode = ((CertifyException) ex).getErrorCode();
-            return new ResponseEntity<ResponseWrapper>(getResponseWrapper(errorCode, getMessage(errorCode)), HttpStatus.OK);
+            return new ResponseEntity<ResponseWrapper>(getResponseWrapper(errorCode, getMessage(errorCode)),
+                    HttpStatus.BAD_REQUEST);
         }
         if(ex instanceof RenderingTemplateException) {
             return new ResponseEntity<>(getResponseWrapper(INVALID_REQUEST, ex.getMessage()) ,HttpStatus.NOT_FOUND);
@@ -142,7 +143,8 @@ private ResponseEntity<ResponseWrapper> handleInternalControllerException(Except
             return new ResponseEntity<ResponseWrapper>(getResponseWrapper(HttpStatus.FORBIDDEN.name(),
                     HttpStatus.FORBIDDEN.getReasonPhrase()), HttpStatus.FORBIDDEN);
         }
-        return new ResponseEntity<ResponseWrapper>(getResponseWrapper(UNKNOWN_ERROR, ex.getMessage()), HttpStatus.OK);
+        return new ResponseEntity<ResponseWrapper>(getResponseWrapper(UNKNOWN_ERROR, ex.getMessage()),
+                HttpStatus.INTERNAL_SERVER_ERROR);
     }
 
     public ResponseEntity<VCError> handleVCIControllerExceptions(Exception ex) {

diff --git a/certify-service/src/main/java/io/mosip/certify/controller/WellKnownController.java b/certify-service/src/main/java/io/mosip/certify/controller/WellKnownController.java
@@ -1,13 +1,12 @@
 package io.mosip.certify.controller;
 
+import io.mosip.certify.core.dto.AuthorizationServerMetadata;
 import io.mosip.certify.core.dto.CredentialIssuerMetadataDTO;
 import io.mosip.certify.core.spi.CredentialConfigurationService;
 import io.mosip.certify.core.spi.VCIssuanceService;
+import io.mosip.certify.services.AuthorizationServerService;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.*;
 
 import java.util.Map;
 
@@ -21,15 +20,27 @@ public class WellKnownController {
     @Autowired
     private VCIssuanceService vcIssuanceService;
 
+    @Autowired
+    private AuthorizationServerService authorizationServerService;
+
     @GetMapping(value = "/openid-credential-issuer", produces = "application/json")
     public CredentialIssuerMetadataDTO getCredentialIssuerMetadata(
             @RequestParam(name = "version", required = false, defaultValue = "latest") String version) {
         return credentialConfigurationService.fetchCredentialIssuerMetadata(version);
     }
 
+    @GetMapping(value = "/oauth-authorization-server", produces = "application/json")
+    public AuthorizationServerMetadata getAuthorizationServerMetadata() {
+        return authorizationServerService.getInternalAuthServerMetadata();
+    }
+
+    @GetMapping(value = "/openid-configuration", produces = "application/json")
+    public AuthorizationServerMetadata getOpenIDConfiguration() {
+        return authorizationServerService.getInternalAuthServerMetadata();
+    }
+
     @GetMapping(value = "/did.json")
     public Map<String, Object> getDIDDocument() {
         return vcIssuanceService.getDIDDocument();
     }
 }
-