---
tags: Note
---

# Note - OpenID Connect

## Method of Authentication

### 1. Use [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)

**The most commonly used flow. This note covers this flow only.**

The Authorization Code Flow goes through the following steps.

1. Client prepares an Authentication Request containing the desired request parameters.
2. Client sends the request to the Authorization Server.
3. Authorization Server authenticates the End-User.
4. Authorization Server obtains End-User Consent/Authorization.
5. Authorization Server sends the End-User back to the Client with an **Authorization Code**.
6. **Client requests a response using the Authorization Code at the Token Endpoint.**
7. **Client receives a response that contains an ID Token and Access Token in the response body.**
8. Client validates the ID Token and retrieves the End-User's Subject Identifier.

![](https://i.imgur.com/5tZPZOU.png)

### 2. Use [Implicit Flow](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth)

**For browser (JavaScript) based apps that don't have a backend.** Tokens are returned directly in the redirect (in the URI fragment), so there is no Token Endpoint step and no client authentication; current OAuth security guidance prefers the Authorization Code Flow even for browser apps.

The Implicit Flow follows these steps:

1. Client prepares an Authentication Request containing the desired request parameters.
2. Client sends the request to the Authorization Server.
3. Authorization Server authenticates the End-User.
4. Authorization Server obtains End-User Consent/Authorization.
5. Authorization Server sends the End-User back to the Client with an **ID Token and, if requested, an Access Token**.
6. Client validates the ID Token and retrieves the End-User's Subject Identifier.

![](https://i.imgur.com/nGMjylR.png)

### 3. Use [Hybrid Flow](https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth)

**Rarely used.**

## Authorization Endpoint

This is the OP server endpoint where the user is asked to authenticate and grant the client access to the user's identity (ID Token) and potentially other requested details, such as email and name (called UserInfo claims).

### [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)

```
GET
```

| Field | required | description |
| ----- | -------- | ----------- |
| scope | Y | specifies the scope of the requested authorisation in OAuth<br>must include `openid` |
| response_type | Y | specifies the authorization processing flow to be used<br>set to `code` to indicate the Authorization Code Flow |
| client_id | Y | the client identifier of the RP (Relying Party, Client) at the OP (OpenID Provider) |
| redirect_uri | Y | redirection URI to which the response will be sent |
| state | Recommended | maintains state between the request and the callback; an unguessable per-session value that ties the callback to the request that started it |
| other... | | |

### [Authentication Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse)

| Field | description |
| ----- | ----------- |
| code | used at the Token Endpoint to obtain the ID Token |
| state | must be validated: it has to equal the `state` value sent in the request |

The response may instead be an [error response](https://openid.net/specs/openid-connect-core-1_0.html#AuthError).

## Token Endpoint

The Token Endpoint lets the client exchange the code received from the Authorization Endpoint for an ID Token and Access Token. If the client is confidential, it is required to authenticate at the Token Endpoint.
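The Authentication Request and Response described above, as an added example in Python (not code from the note or from the OpenID Connect specification). It builds the `GET` URL for the Authorization Endpoint with the required parameters and a fresh `state`, and it validates the redirect back to the client before the `code` is used. The endpoint URL, `client_id` and `redirect_uri` are made-up placeholders; a real RP takes them from the OP's discovery metadata and its own registration.

```python
"""Authorization Code Flow, client side: Authentication Request + Response.

Added example, not the note's or the spec's own code. The endpoint, client_id
and redirect_uri below are constructed placeholders.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (a real RP gets these from OP discovery metadata
# and its client registration).
AUTHORIZATION_ENDPOINT = "https://op.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://rp.example/callback"


def new_state() -> str:
    """Unguessable per-request value. Store it in the user's session so the
    callback can be tied to the request that started it (CSRF protection)."""
    return secrets.token_urlsafe(32)


def build_authentication_request(state: str, scope: str = "openid") -> str:
    """URL the browser is sent to (GET) for the Authorization Endpoint."""
    params = {
        "scope": scope,            # must include "openid"
        "response_type": "code",   # Authorization Code Flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def parse_authentication_response(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the RP and return the authorization code.

    Raises ValueError on a state mismatch, an error response, or a missing
    code. The state check comes first: an error response whose state does
    not match this session is not trusted either.
    """
    query = parse_qs(urlsplit(callback_url).query)

    def one(name: str):
        # Accept a parameter only once; a repeated parameter is rejected.
        values = query.get(name, [])
        if len(values) > 1:
            raise ValueError(f"duplicate parameter: {name}")
        return values[0] if values else None

    received_state = one("state") or ""
    if not expected_state or not hmac.compare_digest(
        received_state.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: response is not for this session")

    if one("error") is not None:
        raise ValueError(f"authorization error: {one('error')} ({one('error_description')})")

    code = one("code")
    if not code:
        raise ValueError("authentication response carries no code")
    return code
```

The `state` is compared with a constant-time comparison and checked before the `error` and `code` parameters are looked at, so a callback that was not started by this session is discarded whatever it carries. The returned `code` is what the Token Request in the next section exchanges for tokens.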
### [Token Request](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest)

```
POST
```

| Field | required | description |
| ----- | -------- | ----------- |
| Authorization | Y | `Basic {client_id}:{client_secret}` (the `client_id:client_secret` part Base64 encoded), sent as a request header |
| grant_type | Y | set to `authorization_code` |
| code | Y | the code obtained from the Authentication Response |
| redirect_uri | Y | must be identical to the `redirect_uri` sent in the Authentication Request |

The response may instead be an [error response](https://openid.net/specs/openid-connect-core-1_0.html#TokenErrorResponse).

### [Token Response](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse)

| Field | description |
| ----- | ----------- |
| id_token | a JSON Web Token (JWT) that contains identity data about the user; the client **must [validate the ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)** before using it |
| access_token | used to obtain Claims about the End-User (at the UserInfo Endpoint) |
| token_type | |
| expires_in | |

## ID Token

The [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims.

| Field | description |
| ----- | ----------- |
| iss | Issuer Identifier for the Issuer of the response |
| sub | Subject Identifier. A locally unique identifier within the Issuer for the End-User |
| aud | Audience(s) that this ID Token is intended for.<br>MUST contain the `client_id` of the Relying Party as an audience value |
| exp | Expiration time on or after which the ID Token must not be accepted for processing |
| iat | Time at which the JWT was issued |
| other... | |

## UserInfo Endpoint

The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims (user profile information) about the authenticated End-User.
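The Token Request and the ID Token validation described in the two sections above, as one added Python example (not code from the note or from the OpenID Connect specification). `token_request` prepares the `Authorization: Basic` header and the form body for the `POST`; `validate_id_token` checks the signature and the `iss`, `aud`, `exp` and `iat` claims of the returned `id_token` and rejects any `alg` other than the one expected. The issuer, endpoint and client credentials are made-up placeholders. So that the example runs offline, the sample ID Token is signed with HS256 using the `client_secret` as the key (a signing method the spec allows); many OPs sign with RS256 instead, in which case the signature is checked against the OP's published JWK Set rather than the client secret.

```python
"""Token Request preparation and ID Token validation.

Added example, not the note's or the spec's own code. ISSUER, TOKEN_ENDPOINT,
CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are constructed placeholders; the
HS256 signing used for the sample token stands in for the OP's real signature
method (often RS256 against the OP's JWKS).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed placeholders.
TOKEN_ENDPOINT = "https://op.example/token"
ISSUER = "https://op.example"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://rp.example/callback"


def token_request(code: str) -> Tuple[Dict[str, str], str]:
    """Return (headers, form body) for the POST to the Token Endpoint.

    Client authentication is HTTP Basic with base64(client_id:client_secret)."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # identical to the Authentication Request
    })
    return headers, body


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def validate_id_token(id_token: str, now: Optional[int] = None, skew: int = 60) -> dict:
    """Verify the signature and the iss/aud/exp/iat claims; return the claims.

    Raises ValueError on any failure. The expected algorithm is fixed in the
    client: a header advertising "none" or any other alg is rejected instead
    of being trusted."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(CLIENT_SECRET.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("iss does not match the expected OP")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("aud does not contain this client_id")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    # exp: not accepted on or after this time (small clock skew tolerated).
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + skew:
        raise ValueError("ID Token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + skew:
        raise ValueError("iat is in the future")
    if not claims.get("sub"):
        raise ValueError("sub is missing")
    return claims


def make_sample_id_token(claims: dict) -> str:
    """Constructed HS256-signed ID Token, used only to exercise the validator."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

The validator pins the algorithm instead of reading it from the token, checks the signature before looking at any claim, and only then compares `iss`, `aud` (with `azp` when several audiences are present) and the `exp`/`iat` times. The `sub` returned from a validated token is the End-User's Subject Identifier from step 8 of the flow.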
### [UserInfo Request](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest)

```
GET
```

| Field | required | description |
| ----- | -------- | ----------- |
| Authorization | Y | `Bearer {access_token}`, sent as a request header |

### [UserInfo Response](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse)

| Field | description |
| ----- | ----------- |
| sub | Subject - Identifier for the End-User at the Issuer |
| name | End-User's full name |
| other... | see [Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) |

The response may instead be an [error response](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError).

## Reference document

1. [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)
2. [OpenID Connect explained](https://connect2id.com/learn/openid-connect)