notes/archive/OpenID Connect Passport Notes.md

## Ch. 2

## Ch. 3 OpenId Connect Endpoints
##### 3.1 Authorization Endpoint
- displays authentication and consent screen
- returns `authorization_code` See ch. 5
- client initiates the call to the authorization endpoint
###### 3.1.2 input parameters with examples
```
scope: openid profile email address phone
response_type: code (backend flow) || id_token token (frontend flow) || code id_token (hybrid)
client_id: id of the client
redirect_uri: redirect url
state: cross-site scripting protection
nonce: required for implict flow (frontend flow)
Optional Params: (more research on each)
claims:
display:
prompt:
max_age: maximum lifetime of the token in seconds after which the user must re-authenticate
ui_locales: 
id_token_hint:
login_hint:
acr_values:
```

###### 3.1.3 Output
Sends authentication and access delegation (authorization) tokens to redirect endpoint. Token/s are sent as an HTTP 302 redirect.

##### Ch 3.2 Resource Endpoint
Managed by the resource provider. Serves protected resources to authorized parties.  valid OAuth `access_token` required

##### Ch 3.3 Userinfo Endpoint
This is a resource endpoint `/userinfo` that serves profile information of the authenticated end-user.
This endpoint returns a list of claims like DOB, name, email, phone_number, profile_picture or any other claim.
This is Defined in the OpenID Connect Standard.
To the OAuth server, it's just a resource endpoint. 
1) Will typically be a GET request but should support POST (not sure why)
2) should support CORS
3) Should return JSON `Content-Type: application/json` Might need to be a JWT `Content-Type: application/jwt`
```
List of Claims:
sub: something to id the user
name
family_name
preferred_username
picture
email
birthday
zoneinfo: time zone
updated_at: last updated to the profile
Other Claims:
nonce
auth_time
at_hash: access_token hash
c_hash: authorization_code hash
acr: more research
amr: more research
sub_jwk: public key to check the signature of the id_token
```

##### 3.4 Token Endpoint
Called by the Client.
Client sends client_id, client_secret, and authorization_code to get an access_token, refresh_token, or id_token

```
Client->/token
HTTP header
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {Base64URL-encoding(clientID:clientSecret)}

Form Parameters:
grant_type: authorization_code
code: the authorization_code proved by the authorization endpoint
redirect_ur: redirect URL

Response:
Header:
Cache-Control: no-store
Pragma: no-cache
Body:
{
	expires_in: access_token expiration in seconds,
	access_token: OAuth access_token,
	token_type: access token type `Bearer`,
	refresh_token: OAuth refresh_token,
	id_token: id_token for the end user
}
```
###### 3.4.4 Validations at the Token Endpoint
- Authenticate the client
- validate authorization_code
	- was issued to client
	- is valid
	- hasn't been used
- validate redirect_uri matches pre-registered value
##### 3.5 Redirect Endpoint
authorization endpoint delivers `id_token, access_token, authorization_token`

## Ch. 4 Tokens in OpenID Connect

```
id_token
access_token
refresh_token
authorization_code
```

##### Two types of tokens:

**Reference Tokens 
- Randomly Generated String
- Opaque
 
 **Value Token
 - Contain things like claims ie JWT
##### 4.2 Access Token
- typically reference tokens
- holder has access rights to Resource Provider
- short lived token
- bearer token
- id_token typically bound to the access token what the `at_hash` claim

##### 4.3 Refresh Token
- long lived token
- used to request new id_token and access_token
- not available with implicit flow
##### 4.4 Authorization Code
- very short lived token
- only give after authentication and consent
- only used to request an `access_token` (I think the book means refresh_token but access_token and id_tokens can be sent too)
##### 4.5 ID Token
- Contains claims 
- is a value token
- is a JWT, JWE, or JWS
## Ch. 5 OpenID Connect Flows

## ChatGPT flow:
https://chatgpt.com/c/677a04ed-58cc-8009-b191-be8164bc4946