Migrate Markdown-Notes: projects, meetings, reference, personal
140
archive/OpenID Connect Passport Notes.md
Normal file
@@ -0,0 +1,140 @@
## Ch. 2

## Ch. 3 OpenId Connect Endpoints
##### 3.1 Authorization Endpoint
- displays authentication and consent screen
- returns `authorization_code` See ch. 5
- client initiates the call to the authorization endpoint
###### 3.1.2 input parameters with examples
```
scope: openid profile email address phone
response_type: code (backend flow) || id_token token (frontend flow) || code id_token (hybrid)
client_id: id of the client
redirect_uri: redirect url
state: cross-site scripting protection
nonce: required for implict flow (frontend flow)
Optional Params: (more research on each)
claims:
display:
prompt:
max_age: maximum lifetime of the token in seconds after which the user must re-authenticate
ui_locales:
id_token_hint:
login_hint:
acr_values:
```

###### 3.1.3 Output
Sends authentication and access delegation (authorization) tokens to redirect endpoint. Token/s are sent as an HTTP 302 redirect.

##### Ch 3.2 Resource Endpoint
Managed by the resource provider. Serves protected resources to authorized parties. valid OAuth `access_token` required

##### Ch 3.3 Userinfo Endpoint
This is a resource endpoint `/userinfo` that serves profile information of the authenticated end-user.
This endpoint returns a list of claims like DOB, name, email, phone_number, profile_picture or any other claim.
This is Defined in the OpenID Connect Standard.
To the OAuth server, it's just a resource endpoint.
1) Will typically be a GET request but should support POST (not sure why)
2) should support CORS
3) Should return JSON `Content-Type: application/json` Might need to be a JWT `Content-Type: application/jwt`
```
List of Claims:
sub: something to id the user
name
family_name
preferred_username
picture
email
birthday
zoneinfo: time zone
updated_at: last updated to the profile
Other Claims:
nonce
auth_time
at_hash: access_token hash
c_hash: authorization_code hash
acr: more research
amr: more research
sub_jwk: public key to check the signature of the id_token
```

##### 3.4 Token Endpoint
Called by the Client.
Client sends client_id, client_secret, and authorization_code to get an access_token, refresh_token, or id_token

```
Client->/token
HTTP header
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {Base64URL-encoding(clientID:clientSecret)}

Form Parameters:
grant_type: authorization_code
code: the authorization_code proved by the authorization endpoint
redirect_ur: redirect URL

Response:
Header:
Cache-Control: no-store
Pragma: no-cache
Body:
{
expires_in: access_token expiration in seconds,
access_token: OAuth access_token,
token_type: access token type `Bearer`,
refresh_token: OAuth refresh_token,
id_token: id_token for the end user
}
```
###### 3.4.4 Validations at the Token Endpoint
- Authenticate the client
- validate authorization_code
- was issued to client
- is valid
- hasn't been used
- validate redirect_uri matches pre-registered value
##### 3.5 Redirect Endpoint
authorization endpoint delivers `id_token, access_token, authorization_token`

## Ch. 4 Tokens in OpenID Connect

```
id_token
access_token
refresh_token
authorization_code
```

##### Two types of tokens:

**Reference Tokens
- Randomly Generated String
- Opaque

**Value Token
- Contain things like claims ie JWT
##### 4.2 Access Token
- typically reference tokens
- holder has access rights to Resource Provider
- short lived token
- bearer token
- id_token typically bound to the access token what the `at_hash` claim

##### 4.3 Refresh Token
- long lived token
- used to request new id_token and access_token
- not available with implicit flow
##### 4.4 Authorization Code
- very short lived token
- only give after authentication and consent
- only used to request an `access_token` (I think the book means refresh_token but access_token and id_tokens can be sent too)
##### 4.5 ID Token
- Contains claims
- is a value token
- is a JWT, JWE, or JWS
## Ch. 5 OpenID Connect Flows

## ChatGPT flow:
https://chatgpt.com/c/677a04ed-58cc-8009-b191-be8164bc4946


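Review bot: the 3.1.2 parameter line `state: cross-site scripting protection` mislabels the parameter; `state` is the client's cross-site request forgery (CSRF) protection, an unguessable value that binds the authorization response arriving at the redirect endpoint to the session that started the request and must be checked there, so reword it as `state: CSRF protection for the redirect (unguessable, verified on return)`. In the same block, `nonce` is the replay protection that binds the `id_token` to the client session (it is required for the implicit and hybrid response types, not a flow-specific extra), and `max_age` caps the time since the end-user last authenticated rather than a token lifetime. In the 3.4 token endpoint block, `Authorization: Basic {Base64URL-encoding(clientID:clientSecret)}` should say plain Base64 as in HTTP Basic authentication, `redirect_ur:` should be `redirect_uri:`, and `proved by` should read `provided by`. Under 3.5, `authorization_token` should be `authorization_code`, matching 3.1. In the userinfo claims list, the standard claim name is `birthdate`, and `nonce`, `auth_time`, `at_hash`, `c_hash`, `acr`, `amr` and `sub_jwk` are `id_token` claims rather than userinfo claims, which the `Other Claims:` heading should say. The 4.2 bullet `id_token typically bound to the access token what the at_hash claim` is missing a word; `via the at_hash claim` reads correctly.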