Ch. 3 OpenID Connect Endpoints
3.1 Authorization Endpoint
- displays the authentication and consent screen to the end-user (front channel, via the browser)
- returns an authorization_code (code flow) or, in the implicit / hybrid flows, the tokens themselves, to the client's redirect endpoint
See ch. 5 - the client initiates the call to the authorization endpoint by redirecting the browser there
3.1.2 input parameters with examples
scope: openid profile email address phone (openid is mandatory for an OIDC request; the others select groups of standard claims)
response_type: code (authorization code flow, backend) || id_token token (implicit flow, frontend) || code id_token (hybrid; code token and code id_token token are the other hybrid values)
client_id: id of the client, as registered at the OP
redirect_uri: redirect URL; must exactly match one of the URIs pre-registered for this client
state: cross-site request forgery (CSRF) protection - opaque random value the client binds to the user's browser session and checks when the redirect comes back
nonce: required for the implicit and hybrid flows (any response_type containing id_token), optional but recommended for the code flow - random value the OP echoes back inside the id_token so the client can tie the token to its own request and detect replay
Optional Params:
claims: JSON object requesting specific claims in the id_token and/or the userinfo response, each optionally marked essential (e.g. {"userinfo": {"email": {"essential": true}}})
display: how the OP should render the login UI - page, popup, touch or wap
prompt: none (no UI at all; fails with login_required / interaction_required if the user would have to interact), login (force re-authentication), consent, select_account
max_age: maximum allowable elapsed time in seconds since the end-user last authenticated (not a token lifetime); if exceeded the OP must actively re-authenticate the user, and the id_token must then carry auth_time
ui_locales: preferred languages for the UI, space-separated BCP47 tags in order of preference (e.g. fr-CA fr en)
id_token_hint: a previously issued id_token, passed as a hint about who the OP should expect to be logged in (required when prompt=none is used without another way to identify the session)
login_hint: hint about the login identifier (e.g. the email the user typed at the client) so the OP can pre-fill it
acr_values: requested authentication context class references, space-separated in order of preference (e.g. to ask for MFA); the OP reports the one actually satisfied in the id_token's acr claim
3.1.3 Output
Delivers the result to the client's redirect endpoint by sending the browser an HTTP 302 redirect. Code flow: only the authorization_code (plus state) in the query string. Implicit / hybrid flows: id_token and/or access_token in the URL fragment, never in the query string, so the tokens do not reach server logs or Referer headers. Errors come back the same way as error and error_description parameters, with the same state.
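Added example (not from the original notes): the client side of the exchange above in Python, building the authorization request with fresh state and nonce values and then validating the redirect that comes back. The endpoint URL, client_id and redirect_uri are assumed values; the `pending` dict stands in for the client's session store.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical OP endpoint and client registration (assumed values, not from the notes).
AUTHORIZATION_ENDPOINT = "https://op.example.com/authorize"
CLIENT_ID = "my-client"
REDIRECT_URI = "https://rp.example.com/callback"


def build_authorization_request(response_type="code", scope="openid profile email",
                                pending=None):
    """Build the URL the client (RP) redirects the browser to.

    state and nonce are fresh random values; the RP remembers them in its session
    (modelled here by the `pending` dict keyed by state) so the callback can be checked.
    Returns (url, pending).
    """
    pending = {} if pending is None else pending
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,          # must contain "openid" for an OIDC request
        "state": state,          # CSRF protection: bound to this browser session
    }
    # nonce is REQUIRED whenever an id_token is returned from the authorization
    # endpoint (implicit and hybrid flows); it is optional but recommended for code.
    if "id_token" in response_type.split():
        params["nonce"] = secrets.token_urlsafe(32)
    pending[state] = {"nonce": params.get("nonce"), "response_type": response_type}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), pending


def parse_callback(url, pending):
    """Validate the 302 back to the redirect endpoint and return what it delivered.

    The code flow puts its parameters in the query string; implicit and hybrid
    flows put tokens in the fragment.  Raises ValueError on an error response,
    a missing/unknown state (possible CSRF or login-CSRF attempt), or when the
    set of delivered artifacts does not match the response_type we asked for.
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params.update({k: v[0] for k, v in parse_qs(parts.fragment).items()})
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"])
    state = params.get("state")
    if state is None or state not in pending:
        raise ValueError("missing or unknown state")
    request = pending.pop(state)  # state is single-use
    # response_type "token" means an access_token (and token_type) in the response
    expected = {"access_token" if rt == "token" else rt
                for rt in request["response_type"].split()}
    delivered = {k for k in ("code", "id_token", "access_token") if k in params}
    if delivered != expected:
        raise ValueError("expected %s, got %s" % (sorted(expected), sorted(delivered)))
    result = {k: params[k] for k in delivered}
    result["nonce"] = request["nonce"]  # to be compared with the id_token's nonce claim
    return result
```

The nonce is returned alongside the artifacts because the next step (validating the id_token) has to compare it with the token's nonce claim; an id_token whose nonce does not match the one stored for that state must be rejected.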
Ch 3.2 Resource Endpoint
Managed by the resource server (the API that owns the protected data). Serves protected resources to authorized parties; a valid OAuth access_token is required, normally sent as Authorization: Bearer {access_token}, and the resource server checks that the token is valid, not expired and carries the scope the resource needs before serving.
Ch 3.3 Userinfo Endpoint
This is a resource endpoint (/userinfo) that serves profile information about the authenticated end-user.
It returns a set of claims like birthdate, name, email, phone_number, picture or any other claim; which claims come back depends on the scopes / claims the client requested and the user consented to.
This is defined in the OpenID Connect Core standard (section 5.3).
To the OAuth server, it's just a resource endpoint: it is protected by the access_token like any other API.
- Must support both GET and POST (POST lets the access_token be sent as a form parameter in the request body instead of in the Authorization header or the URL, per RFC 6750)
- should support CORS (so browser-based clients can call it directly)
- Should return JSON, Content-Type: application/json
- If the client registered for a signed and/or encrypted userinfo response, the body is a JWT instead, Content-Type: application/jwt
- The sub in the response must exactly match the sub in the id_token; if it doesn't, the client must not use the response
List of Claims (standard claims, OIDC Core 5.1):
sub: subject identifier - locally unique within the issuer and never reassigned; the only claim that is always returned
name
family_name
preferred_username: shorthand name the user goes by; must not be relied on as unique or stable
picture: URL of a profile photo
email
birthdate: ISO 8601 YYYY-MM-DD (the claim name is birthdate, not birthday)
zoneinfo: time zone, e.g. Europe/Paris
updated_at: time the profile was last updated, seconds since the Unix epoch
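Added example (not part of the original notes): a minimal /userinfo handler in Python showing the points above - the access_token accepted from the Authorization header on GET or POST, or from the form body on POST; only the claims covered by the token's granted scopes returned; sub always present; application/json and a CORS header on the response. The scope-to-claims table follows OIDC Core 5.4; the token records and user directory are constructed sample data.

```python
# Scope -> claims mapping from OIDC Core 5.4 (the standard claims listed above,
# plus the remaining members of each set).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed sample data (hypothetical): what the token endpoint recorded when it
# issued each access_token, and the user directory behind the OP.
ACCESS_TOKENS = {
    "at-alice": {"sub": "248289761001", "scope": "openid profile email", "expires": 2_000_000_000},
    "at-no-openid": {"sub": "248289761001", "scope": "read:files", "expires": 2_000_000_000},
}
USERS = {
    "248289761001": {
        "name": "Jane Doe", "family_name": "Doe", "given_name": "Jane",
        "preferred_username": "j.doe", "picture": "https://example.com/janedoe/me.jpg",
        "email": "janedoe@example.com", "email_verified": True,
        "birthdate": "1990-10-31", "zoneinfo": "Europe/Paris", "updated_at": 1311280970,
        "phone_number": "+1 (425) 555-1212", "address": {"country": "US"},
    },
}


def extract_bearer(method, headers, form):
    """RFC 6750: the token arrives in the Authorization header (GET or POST) or,
    for a POST with a form body, as the access_token form parameter.  That body
    option is why the endpoint must accept POST: it keeps the token out of URLs."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    ctype = headers.get("Content-Type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        return form.get("access_token")
    return None


def userinfo(method, headers, form=None, now=0):
    """Handle a /userinfo request; returns (status, response_headers, body)."""
    resp = {"Content-Type": "application/json", "Cache-Control": "no-store",
            "Access-Control-Allow-Origin": "*"}  # CORS for browser-based clients
    if method not in ("GET", "POST"):
        return 405, resp, {"error": "method_not_allowed"}
    token = extract_bearer(method, headers, form or {})
    grant = ACCESS_TOKENS.get(token) if token else None
    if grant is None or grant["expires"] <= now:
        resp["WWW-Authenticate"] = 'Bearer error="invalid_token"'
        return 401, resp, {"error": "invalid_token"}
    scopes = set(grant["scope"].split())
    if "openid" not in scopes:
        resp["WWW-Authenticate"] = 'Bearer error="insufficient_scope", scope="openid"'
        return 403, resp, {"error": "insufficient_scope"}
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    user = USERS[grant["sub"]]
    body = {"sub": grant["sub"]}  # always returned; the client must match it to the id_token's sub
    body.update({claim: user[claim] for claim in allowed if claim in user})
    return 200, resp, body
```

Note that phone_number and address exist in the directory record but are not returned for at-alice, because the token was issued for openid profile email only; the filtering happens at the resource, not at the client.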
Other Claims (these live in the id_token rather than the userinfo response):
nonce: the value from the authorization request, echoed back so the client can tie the id_token to its own request and detect replay
auth_time: time the end-user authenticated, seconds since the epoch; required when max_age was requested
at_hash: access_token hash - base64url of the left-most half of the hash of the access_token's ASCII bytes, using the hash function matching the id_token's signing alg (SHA-256 for RS256/ES256/HS256). Required when the id_token is delivered next to an access_token from the authorization endpoint (implicit / hybrid), so the client can check it got the access_token the OP actually issued; optional when both come from the token endpoint
c_hash: authorization_code hash, same construction, required in the hybrid flow when the id_token is delivered next to a code
acr: Authentication Context Class Reference - which authentication context / assurance level the login satisfied (e.g. whether MFA was used), to be compared with what was requested in acr_values
amr: Authentication Methods References - list of methods actually used, e.g. ["pwd", "otp"]
sub_jwk: public key (JWK) used to check the signature of a self-issued id_token (Self-Issued OpenID Provider); not present with an ordinary OP, where the key comes from the OP's jwks_uri
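Added example (not from the original notes): computing and checking the at_hash and c_hash claims described above in Python. half_hash implements the spec construction (left-most half of the digest, base64url without padding); check_id_token_hashes applies the required/optional rules depending on whether the id_token arrived in the authorization response or from the token endpoint. The sample access_token and code strings are constructed inputs.

```python
import base64
import hashlib
import hmac

# Hash function implied by the id_token's JWS alg (OIDC Core 3.3.2.11): the hash with
# the same bit size as the signature, so RS/ES/HS/PS256 -> SHA-256, *384 -> SHA-384,
# *512 -> SHA-512.  Other algs (none, EdDSA) are rejected rather than guessed.
_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def half_hash(value: str, alg: str) -> str:
    """at_hash / c_hash value: base64url(left-most half of HASH(ASCII(value)))."""
    hash_fn = _HASH_FOR_ALG.get(alg[-3:])
    if hash_fn is None:
        raise ValueError("unsupported alg: " + alg)
    digest = hash_fn(value.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def verify_half_hash(claim_value, artifact: str, alg: str) -> bool:
    """Constant-time comparison of a claim against the artifact actually received."""
    if not isinstance(claim_value, str):
        return False
    expected = half_hash(artifact, alg).encode("ascii")
    return hmac.compare_digest(claim_value.encode("utf-8"), expected)


def check_id_token_hashes(claims, alg, access_token=None, code=None,
                          from_authorization_response=True):
    """Apply the spec rules and return (ok, reason).

    If the id_token came in the same authorization response as an access_token
    and/or code (implicit, hybrid), the matching at_hash / c_hash claim is
    REQUIRED.  If the token endpoint returned the id_token together with the
    access_token, at_hash is OPTIONAL but must still verify when present.
    """
    for artifact, claim in ((access_token, "at_hash"), (code, "c_hash")):
        if artifact is None:
            continue
        if claim not in claims:
            if from_authorization_response:
                return False, claim + " missing"
            continue
        if not verify_half_hash(claims[claim], artifact, alg):
            return False, claim + " mismatch"
    return True, "ok"
```

A mismatch means the access_token or code sitting next to the id_token is not the one the OP bound to that token (a substituted or injected token), so the client must discard it even though the id_token's own signature is valid.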
3.4 Token Endpoint
Called by the Client over the back channel (server to server, never via the browser). The client authenticates with client_id + client_secret and presents the authorization_code to get an access_token, refresh_token and id_token.
Client->/token
HTTP header
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {Base64(urlencode(client_id) + ":" + urlencode(client_secret))} - plain Base64 (not Base64URL), with each part form-urlencoded first, per RFC 6749 2.3.1. Alternative: client_secret_post, where client_id and client_secret are sent as form fields instead
Form Parameters:
grant_type: authorization_code
code: the authorization_code provided by the authorization endpoint
redirect_uri: redirect URL - must be identical to the one sent in the authorization request
Response:
Header:
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
Body:
{
"access_token": OAuth access_token,
"token_type": "Bearer",
"expires_in": access_token lifetime in seconds,
"refresh_token": OAuth refresh_token (optional),
"id_token": id_token (a JWT) for the end user
}
3.4.4 Validations at the Token Endpoint
- Authenticate the client (client_id + client_secret); on failure respond 401 invalid_client
- validate the authorization_code
- was issued to this client (a code stolen from another client must not be redeemable)
- is valid: known to the OP and not expired (codes are short-lived; at most 10 minutes is recommended)
- hasn't been used: codes are single use; if a code is presented a second time, reject it and revoke every token previously issued from it (RFC 6749 4.1.2)
- validate redirect_uri matches the one used in the authorization request (which was itself checked against the pre-registered value)
- any of these failing is returned as 400 {"error": "invalid_grant"}, without saying which check failed
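Added example (not from the original notes): the token endpoint request handling and the validations listed above, in Python, against in-memory stores. CLIENTS, AUTH_CODES and ISSUED are constructed stand-ins for the OP's database; issue_authorization_code simulates what the authorization endpoint would have stored. The id_token in the response is a placeholder string, since minting and signing the JWT is a separate topic.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import quote, unquote

# Constructed in-memory registries standing in for the OP's database (hypothetical).
CLIENTS = {"my-client": {"secret": "s3cret",
                         "redirect_uris": {"https://rp.example.com/callback"}}}
AUTH_CODES = {}   # code -> record written by the authorization endpoint
ISSUED = {}       # access_token -> record, so a replayed code can revoke its tokens
CODE_TTL = 600    # seconds; RFC 6749 recommends a code lifetime of at most 10 minutes
NO_STORE = {"Content-Type": "application/json", "Cache-Control": "no-store", "Pragma": "no-cache"}


def issue_authorization_code(client_id, redirect_uri, sub, scope, now=None):
    """What the authorization endpoint does after consent (the redirect_uri has
    already been checked against CLIENTS[client_id]["redirect_uris"] there)."""
    code = secrets.token_urlsafe(32)
    AUTH_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "sub": sub,
                        "scope": scope, "expires": (time.time() if now is None else now) + CODE_TTL,
                        "used": False, "tokens": []}
    return code


def basic_auth_header(client_id, client_secret):
    """RFC 6749 2.3.1: form-urlencode each part, join with ':', plain Base64 (not Base64URL)."""
    raw = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def authenticate_client(headers):
    """Return the client_id if the Basic credentials are valid, else None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    client_id, _, secret = decoded.partition(":")
    client_id, secret = unquote(client_id), unquote(secret)
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if not hmac.compare_digest(client["secret"].encode("utf-8"), secret.encode("utf-8")):
        return None
    return client_id


def handle_token_request(headers, form, now=None):
    """Token endpoint for grant_type=authorization_code; returns (status, headers, body)."""
    now = time.time() if now is None else now
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401, {**NO_STORE, "WWW-Authenticate": 'Basic realm="token"'}, {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return 400, NO_STORE, {"error": "unsupported_grant_type"}
    record = AUTH_CODES.get(form.get("code", ""))
    # unknown code, issued to a different client, or expired -> same generic error
    if record is None or record["client_id"] != client_id or record["expires"] < now:
        return 400, NO_STORE, {"error": "invalid_grant"}
    if record["used"]:
        # Replay of a single-use code: RFC 6749 4.1.2 says revoke everything it produced.
        for access_token in record["tokens"]:
            ISSUED.pop(access_token, None)
        return 400, NO_STORE, {"error": "invalid_grant"}
    # redirect_uri must be identical to the one used in the authorization request
    if form.get("redirect_uri") != record["redirect_uri"]:
        return 400, NO_STORE, {"error": "invalid_grant"}
    record["used"] = True
    access_token = secrets.token_urlsafe(32)
    ISSUED[access_token] = {"sub": record["sub"], "scope": record["scope"],
                            "client_id": client_id, "expires": now + 3600}
    record["tokens"].append(access_token)
    body = {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600,
            "refresh_token": secrets.token_urlsafe(32),
            # minting the signed id_token JWT for record["sub"] is out of scope here
            "id_token": "<signed id_token JWT for sub=%s>" % record["sub"]}
    return 200, NO_STORE, body
```

The replay branch is the one worth noticing: a second presentation of the same code is a strong signal that the code leaked (for example through a redirect to an attacker-controlled URI), so the access_token already issued from it is pulled rather than only refusing the second request.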
3.5 Redirect Endpoint
Lives on the client (RP) and is registered at the OP up front. The authorization endpoint delivers the authorization_code here, and in the implicit / hybrid flows the id_token and/or access_token as well, via the browser redirect. The OP must only redirect to an exact match of a registered URI (no wildcards or prefix matching), and the client must check state before using anything that arrives.
Ch. 4 Tokens in OpenID Connect
id_token
access_token
refresh_token
authorization_code
Two types of tokens:
Reference Tokens
- Randomly Generated String
- Opaque