Migrate Markdown-Notes: projects, meetings, reference, personal

2026-01-26 22:05:01 +00:00
parent 9507ddf856
commit 49025b3586
93 changed files with 3422 additions and 11 deletions

@@ -0,0 +1,113 @@
## Ch. 2
## Ch. 3 OpenId Connect Endpoints
##### 3.1 Authorization Endpoint
- displays authentication and consent screen
- returns `authorization_code` See ch. 5
- client initiates the call to the authorization endpoint
###### 3.1.2 input parameters with examples
```
scope: openid profile email address phone
response_type: code (backend flow) || id_token token (frontend flow) || code id_token (hybrid)
client_id: id of the client
redirect_uri: redirect url
state: cross-site scripting protection
nonce: required for implict flow (frontend flow)
Optional Params: (more research on each)
claims:
display:
prompt:
max_age: maximum lifetime of the token in seconds after which the user must re-authenticate
ui_locales:
id_token_hint:
login_hint:
acr_values:
```
###### 3.1.3 Output
Sends authentication and access delegation (authorization) tokens to redirect endpoint. Token/s are sent as an HTTP 302 redirect.
##### Ch 3.2 Resource Endpoint
Managed by the resource provider. Serves protected resources to authorized parties. valid OAuth `access_token` required
##### Ch 3.3 Userinfo Endpoint
This is a resource endpoint `/userinfo` that serves profile information of the authenticated end-user.
This endpoint returns a list of claims like DOB, name, email, phone_number, profile_picture or any other claim.
This is Defined in the OpenID Connect Standard.
To the OAuth server, it's just a resource endpoint.
1) Will typically be a GET request but should support POST (not sure why)
2) should support CORS
3) Should return JSON `Content-Type: application/json` Might need to be a JWT `Content-Type: application/jwt`
```
List of Claims:
sub: something to id the user
name
family_name
preferred_username
picture
email
birthday
zoneinfo: time zone
updated_at: last updated to the profile
Other Claims:
nonce
auth_time
at_hash: access_token hash
c_hash: authorization_code hash
acr: more research
amr: more research
sub_jwk: public key to check the signature of the id_token
```
##### 3.4 Token Endpoint
Called by the Client.
Client sends client_id, client_secret, and authorization_code to get an access_token, refresh_token, or id_token
```
Client->/token
HTTP header
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {Base64URL-encoding(clientID:clientSecret)}
Form Parameters:
grant_type: authorization_code
code: the authorization_code proved by the authorization endpoint
redirect_ur: redirect URL
Response:
Header:
Cache-Control: no-store
Pragma: no-cache
Body:
{
expires_in: access_token expiration in seconds,
access_token: OAuth access_token,
token_type: access token type `Bearer`,
refresh_token: OAuth refresh_token,
id_token: id_token for the end user
}
```
###### 3.4.4 Validations at the Token Endpoint
- Authenticate the client
- validate authorization_code
- was issued to client
- is valid
- hasn't been used
- validate redirect_uri matches pre-registered value
##### 3.5 Redirect Endpoint
authorization endpoint delivers `id_token, access_token, authorization_token`
## Ch. 4 Tokens in OpenID Connect
```
id_token
access_token
refresh_token
authorization_code
```
##### Two types of tokens:
###### Reference Tokens
- Randomly Generated String
- Opaque
-
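Review bot: the description of `state` in the 3.1.2 parameter list is wrong: `state` is the client's CSRF (cross-site request forgery) protection, an unguessable value bound to the user's session that the client checks when the authorization response comes back, not "cross-site scripting protection"; suggest `state: CSRF protection, opaque value bound to the client session and verified on return`. Three further corrections in the same hunk: `max_age` is the maximum allowed time since the end-user last authenticated (the `auth_time` claim in the resulting `id_token` must satisfy it), not a token lifetime; the `Authorization: Basic` header carries plain Base64 of `client_id:client_secret` (OAuth 2.0 form-urlencodes the two values first), not Base64URL; and the 3.5 Redirect Endpoint line should say `authorization_code`, not `authorization_token`, to match the token list in Ch. 4. On the "(not sure why)" beside POST for `/userinfo`: POST lets a client that cannot set an `Authorization` header send the bearer token in the form-encoded body, which RFC 6750 permits. Typos: `implict` (3.1.2), `redirect_ur` (3.4 form parameters), and the file ends on an empty `-` bullet under Reference Tokens, so the list is cut off.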