When a server is configured with an OIDC Identity Provider, it constructs the .well-known/openid-configuration endpoint from the provided issuer and retrieves its OIDC Discovery Document. The server enforces that this document must contain the issuer and token_endpoint. However, it is possible for some identity providers to omit the token_endpoint if it is intended exclusively for flows that do not require this endpoint (implicit flow, for instance).

The server should only enforce the issuer and jwks_uri fields on the OIDC Discovery Document as those are the only fields that it will directly depend on to identify the IdP and refresh its signing keys, respectively.