Show Menu
Cheatography

Open ID Connect Cheat Sheet (DRAFT) by

OAuth 2.0 & OpenID Connect

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Overview

The OpenID Connect protocol, in abstract, follows the following steps.

1. The RP (Client) sends a request to the OpenID Provider (OP).
2. The OP authen­ticates the End-User and obtains author­iza­tion.
3. The OP responds with an ID Token and usually an Access Token.
4. The RP can send a request with the Access Token to the UserInfo Endpoint.
5. The UserInfo Endpoint returns Claims about the End-User.

ID Token

iss: issuer.
sub: subject.
aud: audience.
exp: expiration time.
iat: Time at which the JWT was issued.
auth_time: authen­tic­ation time.
nonce: String value used to associate a Client session with an ID Token.
acr: Authen­tic­ation Context Class Reference.

Response Types

code
Author­ization Code Flow
id_token
Implicit Flow
id_token token
Implicit Flow
code id_token
Hybrid Flow
code token
Hybrid Flow
code id_token token
Hybrid Flow

Display Types

page
popup
touch
wap

Prompt types

none
login
consent
select­_ac­count
 

Author­ization Code Flow

The Author­ization Code Flow goes through the following steps.

Client prepares an Authen­tic­ation Request containing the desired request parame­ters.
1. Client sends the request to the Author­ization Server.
2. Author­ization Server Authen­ticates the End-User.
3. Author­ization Server obtains End-User Consen­t/A­uth­ori­zation.
4. Author­ization Server sends the End-User back to the Client with an 5.
5. Author­ization Code.
6.Client requests a response using the Author­ization Code at the Token Endpoint.
7. Client receives a response that contains an ID Token and Access Token in the response body.
8. Client validates the ID token and retrieves the End-User's Subject Identi­fier.

Authen­tic­ation Request

scope: scope values.
respon­se_­type: author­ization processing flow to be used.
client_id: valid client id.
redire­ct_­uri:** Redire­ction URI to which the response will be sent.
state: used to maintain state between the request and the callback.
nonce: String value used to associate a Client session with an ID Token.
display: display interface page (page, popup, touch, wap).
prompt: reauth­ent­ication and consent prompts (none, login, consent, select­_ac­ount).

Successful Authen­tic­ation Response

Access Token Request

POST /token HTTP/1.1
Host: server.ex­amp­le.com
Conten­t-Type: applic­ati­on/­x-w­ww-­for­m-u­rle­ncoded
Author­iza­tion: Basic czZCaG­RSa­3F0­Mzp­nWD­FmQ­mF0M2JW

grant_­typ­e=a­uth­ori­zat­ion­_co­de&co­de=­Spl­xlO­BeZ­QQY­bYS­6Wx­SbI­A&­red­ire­ct_­uri­=ht­tps­%3A­%2F­%2F­cli­ent.ex­amp­le.o­rg­%2Fcb

Access Token Response

access­_token: OAuth 2.0 access token.
token_­type: token_type value.
refres­h_t­oken: token to refresh author­iza­tion.
expire­s_in: expiration time of the Access Token.
id_token: ID Token.
 

Implicit Flow Overview

The Implicit Flow follows the following steps:

1. Client prepares an Authen­tic­ation Request containing the desired request parame­ters.
2. Client sends the request to the Author­ization Server.
3. Author­ization Server Authen­ticates the End-User.
4. Author­ization Server obtains End-User Consen­t/A­uth­ori­zation.
5.Auth­ori­zation Server sends the End-User back to the Client with an ID Token and, if requested, an Access Token.
6. Client validates the ID token and retrieves the End-User's Subject Identi­fier.

Authen­tic­ation Request

respon­se_­type: value is id_token token or id_token.
redire­ct_uri: Redire­ction URI to which the response will be sent.
nonce: String value used to associate a Client session with an ID Token.