3.9 KiB
Ch. 2
Ch. 3 OpenId Connect Endpoints
3.1 Authorization Endpoint
- displays authentication and consent screen
- returns
authorization_codeSee ch. 5 - client initiates the call to the authorization endpoint
3.1.2 input parameters with examples
scope: openid profile email address phone
response_type: code (backend flow) || id_token token (frontend flow) || code id_token (hybrid)
client_id: id of the client
redirect_uri: redirect url
state: cross-site scripting protection
nonce: required for implict flow (frontend flow)
Optional Params: (more research on each)
claims:
display:
prompt:
max_age: maximum lifetime of the token in seconds after which the user must re-authenticate
ui_locales:
id_token_hint:
login_hint:
acr_values:
3.1.3 Output
Sends authentication and access delegation (authorization) tokens to redirect endpoint. Token/s are sent as an HTTP 302 redirect.
Ch 3.2 Resource Endpoint
Managed by the resource provider. Serves protected resources to authorized parties. valid OAuth access_token required
Ch 3.3 Userinfo Endpoint
This is a resource endpoint /userinfo that serves profile information of the authenticated end-user.
This endpoint returns a list of claims like DOB, name, email, phone_number, profile_picture or any other claim.
This is Defined in the OpenID Connect Standard.
To the OAuth server, it's just a resource endpoint.
- Will typically be a GET request but should support POST (not sure why)
- should support CORS
- Should return JSON
Content-Type: application/jsonMight need to be a JWTContent-Type: application/jwt
List of Claims:
sub: something to id the user
name
family_name
preferred_username
picture
email
birthday
zoneinfo: time zone
updated_at: last updated to the profile
Other Claims:
nonce
auth_time
at_hash: access_token hash
c_hash: authorization_code hash
acr: more research
amr: more research
sub_jwk: public key to check the signature of the id_token
3.4 Token Endpoint
Called by the Client. Client sends client_id, client_secret, and authorization_code to get an access_token, refresh_token, or id_token
Client->/token
HTTP header
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {Base64URL-encoding(clientID:clientSecret)}
Form Parameters:
grant_type: authorization_code
code: the authorization_code proved by the authorization endpoint
redirect_ur: redirect URL
Response:
Header:
Cache-Control: no-store
Pragma: no-cache
Body:
{
expires_in: access_token expiration in seconds,
access_token: OAuth access_token,
token_type: access token type `Bearer`,
refresh_token: OAuth refresh_token,
id_token: id_token for the end user
}
3.4.4 Validations at the Token Endpoint
- Authenticate the client
- validate authorization_code
- was issued to client
- is valid
- hasn't been used
- validate redirect_uri matches pre-registered value
3.5 Redirect Endpoint
authorization endpoint delivers id_token, access_token, authorization_token
Ch. 4 Tokens in OpenID Connect
id_token
access_token
refresh_token
authorization_code
Two types of tokens:
**Reference Tokens
- Randomly Generated String
- Opaque
**Value Token
- Contain things like claims ie JWT
4.2 Access Token
- typically reference tokens
- holder has access rights to Resource Provider
- short lived token
- bearer token
- id_token typically bound to the access token what the
at_hashclaim
4.3 Refresh Token
- long lived token
- used to request new id_token and access_token
- not available with implicit flow
4.4 Authorization Code
- very short lived token
- only give after authentication and consent
- only used to request an
access_token(I think the book means refresh_token but access_token and id_tokens can be sent too)
4.5 ID Token
- Contains claims
- is a value token
- is a JWT, JWE, or JWS