## Ch. 2

## Ch. 3 OpenId Connect Endpoints

##### 3.1 Authorization Endpoint

- displays authentication and consent screen
- returns `authorization_code` (see ch. 5)
- client initiates the call to the authorization endpoint

###### 3.1.2 Input parameters with examples

```
scope: openid profile email address phone
response_type: code (backend flow) || id_token token (frontend flow) || code id_token (hybrid)
client_id: id of the client
redirect_uri: redirect url
state: cross-site scripting protection
nonce: required for implicit flow (frontend flow)

Optional Params: (more research on each)
claims:
display:
prompt:
max_age: maximum lifetime of the token in seconds after which the user must re-authenticate
ui_locales:
id_token_hint:
login_hint:
acr_values:
```

###### 3.1.3 Output

Sends authentication and access delegation (authorization) tokens to the redirect endpoint. Tokens are sent via an HTTP 302 redirect.

##### Ch 3.2 Resource Endpoint

Managed by the resource provider. Serves protected resources to authorized parties. A valid OAuth `access_token` is required.

##### Ch 3.3 Userinfo Endpoint

This is a resource endpoint, `/userinfo`, that serves profile information about the authenticated end-user. This endpoint returns a set of claims like DOB, name, email, phone_number, profile_picture or any other claim. This is defined in the OpenID Connect standard. To the OAuth server, it's just a resource endpoint.
1) Will typically be a GET request but should support POST (not sure why)
2) Should support CORS
3) Should return JSON, `Content-Type: application/json`. Might need to be a JWT, `Content-Type: application/jwt`

```
List of Claims:
sub: something to id the user
name
family_name
preferred_username
picture
email
birthday
zoneinfo: time zone
updated_at: last update to the profile

Other Claims:
nonce
auth_time
at_hash: access_token hash
c_hash: authorization_code hash
acr: more research
amr: more research
sub_jwk: public key to check the signature of the id_token
```

##### 3.4 Token Endpoint

Called by the client. The client sends client_id, client_secret, and authorization_code to get an access_token, refresh_token, or id_token.

```
Client -> /token

HTTP header:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {Base64URL-encoding(clientID:clientSecret)}

Form Parameters:
grant_type: authorization_code
code: the authorization_code provided by the authorization endpoint
redirect_uri: redirect URL

Response:
Header:
Cache-Control: no-store
Pragma: no-cache
Body:
{
  expires_in: access_token expiration in seconds,
  access_token: OAuth access_token,
  token_type: access token type `Bearer`,
  refresh_token: OAuth refresh_token,
  id_token: id_token for the end user
}
```

###### 3.4.4 Validations at the Token Endpoint

- Authenticate the client
- Validate authorization_code
  - was issued to client
  - is valid
  - hasn't been used
- Validate redirect_uri matches pre-registered value

##### 3.5 Redirect Endpoint

The authorization endpoint delivers `id_token, access_token, authorization_token` here.

## Ch. 4 Tokens in OpenID Connect

```
id_token
access_token
refresh_token
authorization_code
```

##### Two types of tokens:

- **Reference Tokens**
  - Randomly generated string
  - Opaque
- **Value Tokens**
  - Contain things like claims, i.e. JWT

##### 4.2 Access Token

- typically reference tokens
- holder has access rights to Resource Provider
- short lived token
- bearer token
- id_token typically bound to the access token via the `at_hash` claim

##### 4.3 Refresh Token

- long lived token
- used to request new id_token and access_token
- not available with implicit flow

##### 4.4 Authorization Code

- very short lived token
- only given after authentication and consent
- only used to request an `access_token` (I think the book means refresh_token but access_token and id_tokens can be sent too)

##### 4.5 ID Token

- Contains claims
- is a value token
- is a JWT, JWE, or JWS

## Ch. 5 OpenID Connect Flows

ChatGPT flow: https://chatgpt.com/c/677a04ed-58cc-8009-b191-be8164bc4946
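Added worked example for the 3.4.4 token-endpoint validations (my own code, not from the book or these notes): a minimal in-memory code store in which each `authorization_code` is bound to the client and redirect_uri it was issued for, expires quickly (4.4: very short lived), and is burned on first use. The class names, the 60-second TTL and the `invalid_grant:...` reason strings are constructed here; client_id and client_secret are assumed to have already been taken from the `Authorization: Basic` header.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthCode:
    client_id: str      # client the code was issued to
    redirect_uri: str   # redirect_uri used in the authorization request
    expires_at: float
    used: bool = False

@dataclass
class TokenEndpoint:
    clients: dict                              # client_id -> (client_secret, registered redirect_uri)
    codes: dict = field(default_factory=dict)  # code -> AuthCode (constructed in-memory store)
    code_ttl: int = 60                         # authorization codes are very short lived

    def issue_code(self, client_id, redirect_uri, now):
        """Authorization endpoint step: mint a code bound to client_id and redirect_uri."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, redirect_uri, now + self.code_ttl)
        return code

    def exchange(self, client_id, client_secret, code, redirect_uri, now):
        """The 3.4.4 checks, in order. client_id/client_secret come from the
        `Authorization: Basic` header; returns (ok, oauth_error)."""
        registered = self.clients.get(client_id)
        # 1. authenticate the client (constant-time compare of the secret)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return False, "invalid_client"
        rec = self.codes.get(code)
        # 2. the code is valid: known to the server and not expired
        if rec is None or now > rec.expires_at:
            return False, "invalid_grant:expired"
        # 3. the code was issued to this client; a mismatch burns the code
        if rec.client_id != client_id:
            rec.used = True
            return False, "invalid_grant:wrong_client"
        # 4. the code has not been used already; a second use means it leaked
        if rec.used:
            return False, "invalid_grant:replay"
        # 5. redirect_uri must match exactly, both the bound and the registered value
        if redirect_uri != rec.redirect_uri or redirect_uri != registered[1]:
            return False, "invalid_grant:redirect_uri"
        rec.used = True
        return True, None
```

The ordering matters: client authentication happens before any code lookup, so an unauthenticated caller learns nothing about whether a code exists, and a code presented by the wrong client is invalidated for the legitimate client as well.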