### This notebook is a full and complete annotation of the Open ID Connect Specification. Most of the markdown content is from the [OpenID Connect Core Specification](https://openid.net/specs/openid-connect-core-1_0.html). Their full website is at [OpenID](https://openid.net)

### Beneath many of the markdown cells are code cells, which delineate my understanding of the specification so that I can properly implement an OpenID Connect Compliant Provider.

### The notebook code cells are written in [GO](https://go.dev/?gclid=Cj0KCQiAqbyNBhC2ARIsALDwAsDjBsY6kg4nh8UphlZHtyUF3fb2Bkg5TJuusgFkSu1Byei0dKnlDr8aAsUeEALw_wcB)
### Go is not a standard language that comes with Jupyter Notebooks, so I suggest that you either run it inside of [docker](https://www.docker.com/?utm_source=google&utm_medium=cpc&utm_campaign=dockerhomepage&utm_content=namer&utm_term=dockerhomepage&utm_budget=growth&gclid=Cj0KCQiAqbyNBhC2ARIsALDwAsAaxqcncR-2cHjrZ0Y5jp3jf1g6ZECc1QKN1ZUNSgbDKk3vWhLHg-0aAoVFEALw_wcB) like so (mapping the volumes to a folder on your local machine):

    $ docker run -it -p 8888:8888 -v /path/to/local/notebooks:/path/to/notebooks/in/docker gopherdata/gophernotes:latest-ds

### or, install it on your local machine like so: (I'm on MacOS)

    $ env GO111MODULE=on go get github.com/gopherdata/gophernotes
    $ mkdir -p ~/.local/share/jupyter/kernels/gophernotes
    $ cd ~/.local/share/jupyter/kernels/gophernotes
    $ cp "$(go env GOPATH)"/pkg/mod/github.com/gopherdata/gophernotes@v0.7.2/kernel/*  "."
    $ chmod +w ./kernel.json # in case copied kernel.json has no write permission
    $ sed "s|gophernotes|$(go env GOPATH)/bin/gophernotes|" < kernel.json.in > kernel.json


# Open ID Connect Specification

### 1 Introduction

The OpenID Conenct 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based
on the authentication performed by an Authorization server, as well as to obtain basic profile information about the End-User in an interoperable
and REST-like manner.

The OpenID Connect Core 1.0 specification defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of
Claims to communicate information about the End-User. It also describes the security and privacy considerations for using OpenID Connect.

As a background, the OAuth 2.0 Authorization framework and OAuth 2.0 Bearer Token Usage specifications provide a general framework for third-party
applications to obtain and use limited access to HTTP resources. They define mechanisms to obtain and use Access Tokens to access resources but do
not define standard methods to provide identity information. Notably, without profiling OAuth 2.0, it is incapable of providing information about
the authentication of an End-User. Readers are expected to be familiar with these specifications.

OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. Use of this extension is requested by clients by
including the `openid` scope value in the Authorization Request. Information about the authentication performed is returned in a JSON Web Token
(JWT) called an ID Token. OAuth 2.0 Authentication Servers implementing OpenID Connect are also referred to as OpenID Providers (OPs). OAuth 2.0
Clients using OpenID Connect are also referred to as Relying Parties (RPs). 

This specification assumes that the Relying Party has already obtained configuration information about the OpenID Provider, including its 
Authorization Endpoint and Token Endpoint locations. This information is normally obtained via Discovery, as described in OpenID Connect Discovery
1.0, or may be obtained via other mechanisms. 

### 1.1 Conventions and Notation

All uses of the JSON Web Signature (JWS) and JSON Web Encryption (JWE) data structures in this specification utilize the JWS Compact Serialization
or the JWE Compact Serialization. The JWS JSON Serialization and the JWE JSON Serialization are not used.

### 1.2 Terminology

This specification also defines the following terms:

- Authentication:
  Process used to achieve sufficient confidence in the binding between the Entity and the presented Identity.

- Authentication Request:
  OAuth 2.0 Authorization Request using extension parameters and scopes defined by OpenID Connect to request that the End-User be authenticated by
  the Authorization Server, which is an OpenID Connect Provider, to the Client, which is an OpenID Connect Relying Party. 

- Authentication Context:
  Information that the Relying Party can require before it makes an entitlement decision with respect to an authentication response. Such context
  can include, but is not limited to, the actual authentication method used or level of assurance such as ISO/IEC 29115 entity authentication 
  assurance level. 

- Authentication Context Class
  Set of authentication methods or procedures that are considered to be equivalent to each other in a particular context. 

- Authentication Context Class Reference
  Identifier for an Authentication Context Class.

- Authorization Code Flow
  OAuth 2.0 flow in which an Authorization Code is returned from the Authorization Endpoint and all tokens are returned from the Token Endpoint.

- Authorization Request
  OAuth 2.0 Authorization Request

- Claim
  Piece of information asserted about an Entity.

- Claim Type
  Syntax used for representing a Claim Value. This specification defines Normal, Aggregated, and Distributed Claim Types.

- Claim Provider
  Server that returns claims about an entity

- Credential
  Data presented as evidence of the right to use an identity or other resources.

- End-User
  Human participant

- Entity
  Something that has a separate an distinct existence and that can be identified in a context. An End-User is one example of an Entity.

- Essential Claim
  Claim specified by the Client as being necessary to ensure a smooth authorization experience for the specific task requested by the End-User.

- Hybrid Flow
  OAuth 2.0 flow in which an Authorization Code is returned from the Authorization Endpoint, some tokens are returned from the Authorization
  Endpoint, and others are returned from the Token Endpoint.

- ID Token
  JSON Web Token (JWT) that contains Claims about the Authentication event. It MAY contain other Claims.

- Identifier
  Value that uniquely characterizes an Entity in a specific context.

- Identity
  Set of attributes related to an Entity.

- Implicit Flow
  OAuth 2.0 flow in which all tokens are returned from the Authorization Endpoint and neither the Token Endpoint nor an Authorization Code are
  used.

- Issuer
  Entity that issues a set of claims

- Issuer Identifier
  Verifiable Identifier for an Issuer. An Issuer Identifier is a case sensitive URL using the https scheme that contains scheme, host, and 
  optionally, port number and path components and no query or fragment components.

- Message
  Request or a response between an OpenID Relying Party and an OpenID Provider.

- OpenID Provider (OP)
  OAuth 2.0 Authorization Server that is capable of Authenticating the End-User and providing Claims to a Relying Party about the Authentication
  event and the End-User.

- Request Object
  JWT that contains a set of request parameters as its Claims.

- Request URI
  URL that references a resource containing a Request Object. The Request URI contents MUST be retrievable by the Authorization Server.

- Pairwise Pseudonymous Identifier (PPID)
  Identifier that identifies the Entity to a Relying Party that cannot be correlated with the Entity's PPID at another Relying Party.

- Personally Identifiable Information (PII)
  Information that (a) can be used to identify the natural person to whom such information relates, or (b) is or might be directly or indirectly
  linked to a natural person to whom such information relates.

- Relying Party (RP)
  OAuth 2.0 Client application requiring End-User Authentication and Claims from an OpenID Provider.

- Sector Identifier
  Host component of a URL used by the Relying Party's organization that is an input to the computation of pairwise Subject Identifier for that
  Relying Party.

- Self-Issued OpenID Provider
  Personal, self-hosted OpenID Provider that issues self-signed ID Tokens.

- Subject Identifier
  Locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client

- UserInfo Endpoint
  Protected Resource that, when presented with an Access Token by the Client, returns authorized information about the End-User represented by
  the corresponding Authorization Grant. The UserInfo Endpoint URL MUST use the `https` scheme and MAY contain port, path, and query
  parameter components.

- Validation
  Process intended to establish the soundness or correctness of a construct.

- Verification
  Process intended to test or prove the truth or accuracy of a fact or value.

- Voluntary Claim
  Claim specified by the Client as being useful but not Essential for the specific task requested by the End-User.

### 1.3 Overview

The OpenID Connect protocol, in abstract, follows the following steps:

1. The RP (Client) sends a request to the OpenID Provider (OP)
2. The OP authenticates the End-User and obtains authorization
3. The OP responds with an ID Token and usually an Access Token
4. The RP can send a request with the Access Token to the UserInfo Endpoint.
5. The UserInfo Endpoint returns claims about the End-User.

### 2 ID Token

The primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated is the ID Token data structure. The ID Token
is a security token that contains Claims about the Authentication of the End-User by an Authorization Server when using a Client, and potentially
other requested Claims. The ID Token is represented as a JSON Web Token (JWT).

The following Claims are used within the ID Token for all OAuth 2.0 flows used by OpenID Connect"

- iss: REQUIRED. Issuer Identifier for the Issuer of the response. The `iss` value is a case-sensitive URL using the https scheme that contains
  scheme, host, and optionally, port number and path components and no query or fragment components.

- sub: REQUIRED. Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be
  consumed by the Client, e.g. `235816350` or `ASga23y28ghv232`. It MUST NOT exceed 255 ASCII characters in length. The sub value is a case
  sensitive string.

- aud: REQUIRED. Audiences that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.
  It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common
  special case where there is one audience, the `aud` value MAY be a single, case sensitive string.

- iat: REQUIRED. Time at which the JWT was issued. Its value is a JSON Number representing the number of seconds from `1970-01-01T0:0:0Z` as 
  measured in UTC until the date/time. 

- auth_time: Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 
  `1970-01-01T0:0:0Z` as measured in URC until the date/time. When a max_age request is made or when auth_time is requested as an Essential
  Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL. (The `auth_time` Claim semantically corresponds to the OpenID 2.0
  PAPE auth_time response parameter).

- nonce: String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified
  from the Authentication Request to the ID Token. If present in the ID token, Clients MUST verify that the nonce Claim Value is equal to the 
  value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a
  `nonce` claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD'
  perform no other processing on `nonce` values used. The `nonce` value is a case sensitive string.

- acr: OPTIONAL. Authentication Context Class Reference. String specifying an Authentication Context Class Reference Value that identifies the
  Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the
  requirements of ISO/IEC 29115 level 1. Authentication using a long-lived browser cookie, for instance, is once example where the use of "level 0"
  is appropriate. Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds
  to the OpenID 2.0 PAPE `nist_auth_level` 0). An absulte URI or a RFC6711 registered name Should be used as the `acr` value; registered names
  MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the
  values used, which may be context-specific. The `acr` value is a case sensitive string.

- amr: OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication.
  For instance, values might indicate that both password and OTP authentication were used. The definition of particular values to be used in the
  `amr` Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meaning of the values used, which 
  may be context specific. The `amr` value is an array of case-sensitive strings.

- azp: OPTIONAL. Authorized Party. The party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party.
  This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be 
  included even when the authorized party is the same as the sole audience. The `azp` value is a case sensitive string containing a StringOrURI
  value.

ID Tokens MAY contain other Claims. Any Claims used that are not understood MUST be ignored. See Sections 3.1, 3.6, 3.3.2.11, 5.1, and 7.4 for
additional claims defined by this specification.

ID Tokens MUST be signed using JWS and optionally both signed and then encrypted using JWS and JWE respectively, thereby providing authentication,
integrity, non-repudiation, and optionally, confidentiality, per Section 16.14. If the ID Token is encrypted, it MUST be signed then encrypted, with
the result being a Nested JWT. ID Tokens MUST NOT use `none` as the `alg` value unless the Response Type used returns no ID Token from the
Authorization Endpoint (such as when using the Authorization Code Flow) and the Client explicitly requested the use of `none` at Registration time.

ID Tokens SHOULD NOT use the JWS or JWE `x5u`, `x5c`, `jku`, or `jwk` Header Parameter fields. Instead, references to keys used are communicated in
advance using Discovery and Registration Parameters, per Section 10.

The following is a non=normative example of the set of Claims (the JWT Claims Set) in an ID Token:

    { 
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
    "acr": "urn:mace:incommon:iap:silver"
    }
  

In [49]:
//* Signing and encrypting an OpenID Connect ID Token

import (
	"fmt"
	"log"
	"time"
	"io/ioutil"
	"encoding/hex"

	"github.com/dgrijalva/jwt-go"
	"github.com/google/uuid"
)

ClientId := "my-client" //Just a test. This will be generated by the OP in production.

type IdToken struct {
	Iss                    string      `json:"iss"`
	Aud 				   interface{} `json:"aud"`
	Iat					   int64       `json:"iat"`
	AuthTime			   int64       `json:"auth_time"`
	Nonce				   string      `json:"nonce"`
	Acr					   string      `json:"acr,omitempty"`
	Amr					   string      `json:"amr,omitempty"`
	Azp					   string      `json:"azp,omitempty"`
	Sub					   string      `json:"sub"`
	Exp					   int64       `json:"exp"`
}

type Jwt struct {
	privateKey []byte
	publicKey  []byte
}

// Google's UUID type is a 128 bit (16 bytes) slice according to RFC 4122.
func createNonce() (string, error) {
	nonce, err := uuid.NewRandom()
	if err != nil {
		return "", fmt.Errorf("failed to create nonce: %v", err)
	}
	return hex.EncodeToString(nonce[:]), nil
}

func NewJwt (privateKey, publicKey []byte) *Jwt {
	return &Jwt{privateKey, publicKey}
}

func (j *Jwt) Create(ttl time.Duration) (string, error) {
	key, err := jwt.ParseRSAPrivateKeyFromPEM(j.privateKey)
	if err != nil {
		return "", fmt.Errorf("failed to parse private key: %v", err)
	}
	nonce, err := createNonce()
	if err != nil {
		return "", fmt.Errorf("failed to create nonce: %v", err)
	}
	claims := make(jwt.MapClaims)
	claims["exp"] = time.Now().Add(24*time.Hour).Unix()
	claims["iat"] = time.Now().Unix()
	claims["auth_time"] = time.Now().Unix()
	claims["iss"] = "https://exampleop.com" // openid-provider
	claims["aud"] = ClientId
	claims["nonce"] = nonce
	claims["sub"] = "1234567890" // user id. Will be the primary key in DB in production.
	claims["acr"] = "0" // 0 = public client
	claims["amr"] = "password"
	claims["azp"] = ClientId
	token, err := jwt.NewWithClaims(jwt.SigningMethodRS256, claims).SignedString(key)
	return token, nil
}

func (j Jwt) Validate(token string) (interface{}, error) {
	key, err := jwt.ParseRSAPublicKeyFromPEM(j.publicKey)
	if err != nil {
		return nil, fmt.Errorf("failed to parse public key: %v", err)
	}
	res, err := jwt.Parse(token, func(jwtToken *jwt.Token)(interface{}, error){
		if _, ok := jwtToken.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", jwtToken.Header["alg"])
		}
		return key, nil
	})
	if err != nil {
		return nil, fmt.Errorf("failed to parse token: %v", err)
	}

	claims, ok := res.Claims.(jwt.MapClaims)
	if !ok || !res.Valid {
		return nil, fmt.Errorf("invalid token")
	}
	return claims, nil
}

func signAndEncryptToken() {
	privateKey, err := ioutil.ReadFile("private-key.pem")
	if err != nil {
		log.Fatalln(err)
	}

	publicKey, err := ioutil.ReadFile("public-key.pem")
	if err != nil {
		log.Fatalln(err)
	}
	jwtToken := NewJwt(privateKey, publicKey)

	token, err := jwtToken.Create(time.Hour)

	if err != nil {
		log.Fatalln(err)
	}
	fmt.Println("Token:", token)
	fmt.Println("------------------------------------------------------")
	content, err := jwtToken.Validate(token)
	if err != nil {
		log.Fatalln(err)
	}
	fmt.Println("Content:", content)
}

signAndEncryptToken()

Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY3IiOiIwIiwiYW1yIjoicGFzc3dvcmQiLCJhdWQiOiJteS1jbGllbnQiLCJhdXRoX3RpbWUiOjE2Mzg4ODkwNzAsImF6cCI6Im15LWNsaWVudCIsImV4cCI6MTYzODk3NTQ3MCwiaWF0IjoxNjM4ODg5MDcwLCJpc3MiOiJodHRwczovL2V4YW1wbGVvcC5jb20iLCJub25jZSI6IjIwN2RjMDM1NTZlYTQ0M2JiNGQzMjk4OGEzMDFjNzVjIiwic3ViIjoiMTIzNDU2Nzg5MCJ9.bZxhXr_meE4UG72-40gbTTMwmMOhKq8h8anHJdj5TlAR1qQtMwiZePcsalDgVVoqblDZdEJO0saN0mvETnSuo6TWQMwdSF3xbkBZexCdm5nin5T9gcKr0SNJpP8MFoTeOutWRkVu8KSeWhrnSiSTJLz5i4ynI9jSsSSP43kuOiKOyiVN66fNnJCdpl6IvCODSnnH1pPu7IpRtYVyDtz2OjkKBRl17dwsVQI_vHoaxPaPaA88z-LGanoYGWfc-um-JtbnAURUKsngzAgnF4SLklAewXSVYBLq2FSS_tXHali59_0wuy5fbjiYf-CI97YKaIywBE4USUky2wAEspxksrp5gMgIPGI9bzHQpoAknM7RIyUJlUsR6fuWt7oYusCBPUcnr8Te7V1-k6GO9ake82nl1SRE8a5u_VfxtMXfTRnnnXhwQcQS3LMFx5-aFMhpauiRPF7TFFWGPjZBptwSndQBVs_QmONJZW_VmrvbOlCLQA9YCG8bkox4kMLhB_4p4mHVXLILzO25YSB8Ip6g9luVHE9hoLyIg1n7bJ5KAzq0-WeTScOAZkmvPL9GzCECIE-Nei6FLxVrXZ5PnBUFrFE4k8buKbxPh9EA0l8PPDqIuTYAHRsXx5o1vu-oNgPJDUeRrF37MT9_8t-Doodb4jelWUdaW7P

### 3 Authentication

Open ID Connect performs authentication to log in the End-User or to determine that the End-User is already logged in. OpenID Connect returns the
result of the Authentication performed by the Server to the Client in a secure manner so that the Client can rely on it. For this reason, the 
Client is called Relying Party (RP) in this case. 

The authentication result is returned in an ID Token, as defined in Section 2. It has Claims expressing such information as the Issuer, the Subject
Identifier, when the authentication expires, etx.

Authentication can follow one of three paths: the Authorization Code Flow (`response_type=code`), the Implicit Flow (`response_type=id_token token`
or `response_type=id_token`), or the Hybrid Flow (using other Response Type values defined in OAuth 2.0 Multiple Response Type Encoding Practices).
The flows determine how the ID Token and Access Token are returned to the Client.

The characteristics of the three flows are summarized in the following non-normative table. The table is intended to provide some guidance on 
which flow to choose in particular contexts.

| Property | Authorization Code Flow | Implicit Flow | Hybrid Flow |
|----------|-------------------------|---------------|-------------|
| All tokens returned from Authorization Endpoint | no | yes | no |
| All tokens returned from Token Endpoint | yes | no | no |
| Tokens not revealed to User Agent | yes | no | no |
| Client can be authenticated | yes | no | no |
| Refresh Token possible | yes | no | yes |
| Communication in one round trip | no | yes | no |
Most communication server-to-server | yes | no | varies |

The flow used is determined by the `response_type` value contained in the Authorization Request. These `response_type` values select these flows:

| "response_type" value | Flow |
|-----------------------|------|
| `code` | Authorization Code Flow |
| `id_token` | Implicit Flow |
| `id_token token` | Implicit Flow |
| `code id_token` | Hybrid Flow |
| `code token` | Hybrid Flow |
| `code id_token token` | Hybrid Flow |

All but the `code` Response Type value, which is defined by OAuth 2.0 are defined in the OAuth 2.0 Multiple Response Type Encoding Practices
specification. NOTE: While OAuth 2.0 also defines the `token` Response Type value for the Implicit Flow, OpenID Connect does not use this 
Response Type, since no ID Token would be returned.

### 3.1 Authentication using the Authorization Code Flow

This section describes how to perform authentication using the Authorization Code Flow. When using the Authorization Code Flow, all tokens are 
returned from the Token Endpoint.

The Authorization Code Flow returns an Authorization Code to the Client, which can then exchange it for an ID Token and an Access Token directly.
This provides the benefit of not exposing any tokens to the User Agent and possibly other malicious applications with access to the User-Agent. The
Authorization Server can also authenticate the Client before exchanging the Authorization Code for an Access Token. The Authorization Code flow
is suitable for Clients that can securely maintain a Client Secret between themselves and the Authorization Server.

### 3.1.1. Authorization Code Flow Steps

The authorization Code Flow goes through the following steps:

1. Client prepares an Authentication Request containing the desired request parameters.
2. Client sends the request to the Authorization Server.
3. Authorization Server Authenticates the End-User.
4. Authorization Server obtains End-User Consent/Authorization.
5. Authorization Server sends the End-User back to the Client with an Authorization Code.
6. Client requests a response using the Authorization Code at the Token Endpoint.
7. Client receives a response that contains an ID Token and Access Token in the response body.
8. Client validates the ID token and retrieves the End-User's Subject Identifier.

### 3.1.2 Authorization Endpoint

The Authorization Endpoint performs Authentication of the End-User. This is done by sending the User Agent to the Authorization Server's
Authorization endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and additional parameters and parameter
values defined by OpenID Connect.

Communication with the Authorization Endpoint MUST utilize TLS. See Section 16.17 for more information on using TLS.

### 3.1.2.1 Authentication Request

An Authentication Request is and OAuth 2.0 Authorization Request that requests that the End-User be authenticated by the Authorization Server.
Authorization Servers MUST support the use of the HTTP `GET` and `POST` methods defined in RFC2616 at the Authorization Endpoint. Clients MAY use
the HTTP `GET` or `POST` methods to send the Authorization Request to the Authorization Server. If using the HTTP `GET` method, the request 
parameters are serialized using URI QueryString Serializing, per Section 13.1. If using the HTTP `POST` method, the request parameters are
serialized using Form Serialization, per Section 13.2.

OpenID Connect uses the following OAuth 2.0 request parameters with the Authorization Code Flow:

1. scope: REQUIRED. OpenID Connect requests MUST contain the `openid` scope value. If the `openid` scope value is not present, the behavior is
   entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. See
   Sections 5.4 and 11 for additional scope values defined by this specification.

2. response_type: REQUIRED. OAuth 2.0 Response Type value that determies the authorization processing flow to be used, including what parameters
   are returned from the endpoints used. When using the Authorization Code Flow, this value is `code`. 

3. client_id: REQUIRED. OAuth 2.0 Client Identifier valid at the Authorization Server.

4. redirect_uri: REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for
   the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of RFC3986 (Simple String
   Comparison). When using this flow, the Redirection URI SHOULD use the `https` scheme; however, it MAY use the `http` scheme, provided that the
   Client Type is `confidential`, as defined in Section 2.1 of OAuth 2.0 and provided the OP allows the use of `http` Redirection URIs in this
   case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback to a native application.

5. state: RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery, (CSRF,
   XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.

OpenID Connect also uses the following OAuth 2.0 request parameter, which is defined in OAuth 2.0 Multiple Response Type Encoding Practices.

- response_mode:
  OPTIONAL. Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint. This use of
  this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.

This specification also defines the following response parameters:

1. nonce: OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through
   unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the `nonce` values used to prevent attackers
   from guessing values. For implementation notes, see Section 15.5.2.

2. display: OPTIONAL. ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages
   to the End-User. The defined values are:
   - page: The authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display
     parameter is not specified,  this is the default display mode.
   - popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User
     Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping over.
   - touch: The Authorization Server SHOULD display the authentication and consent UI with a device that leverages a touch interface.
   - wap: The Authorization SHOULD display the authentication and consent UI consistent with a "feature phone" type display.

The Authorization Server MAY also attempt to detect the capabilites of the User Agent and present an appropriate display.

3. prompt: OPTIONAL. Space delimited, case sensitive list of ASCII string alues that specifies whether the Authorization Server prompts the 
   End-User for reauthentication and consent. The defined values are:
   - none: The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is
     not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions
     for processing the request. The error code will typically be `login_required`, `interaction_required` or another code defined in Section
     3.1.2.6. This can be used as a method to check for existing authentication and/or consent.
   - login: The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an
     error, typically `login_required`.
   - consent: The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain 
     consent, it MUST return an error, typically `consent_required`.
   - select_account
     The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the
     Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account 
     selection choice made by the End-User, it MUST return an error, typically `account_selection_required`.

The prompt parameter can be used by the Client to make sure that the End-User is still present for the current session or to bring attention to the
request. If this parameter contains `none` with any other value, an error is returned.

4. max_age: OPTIONAL. Maximum Authentication Age. Specifies the alloable elapsed time in seconds since the last time the End-User was actively
   authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The
   `max_age` request parameter corresponds to the OpenID 2.0 PAPE `max_auth_age` request parameter). When `max_age` is used, the ID token MUST
   include an `auth_time` Claim Value.
  
5. ui_locales: End-User's preferred languages and scripts for the user interfaces, represented as a space-separated list of BCP47 language tag
   values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (
   without a region designation) followed by English (without a region designation). An error SHOULD NOT result if some or all of the locales
   are not supported by the OpenID Provider.

6. id_token_hint: OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past
   authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the 
   Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as `login_required`. When possible, an 
   `id_token_hint` SHOULD be present when `prompt=none` is used and an `invalid_request` error MAY be returned if it is not; however, the server
   SHOULD respond successfully when possible, even if not present. The authorization Server need not be listed as an audience of the ID Token when
   it is used as an `id_token_hint` value. 
   If the ID Token received by the RP from the OP is encrypted, to use it as an `id_token_hint`, the Client MUST decrypt the signed ID Token
   contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication server using a key that enables
   the server to decrypt the ID token, and use the re-enrypted ID Token as the `id_token_hint` value.

7. login_hint: OPTIONAL. Hint to the Authoriation Server about the login identifier the End-User might use to log in (if necessary). This hint can
   be used by an RP if it first asks the End-User for their email address (or other identifier) and then wants to pass that value as a hint to the
   discovered authoriation service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number
   in the format specified for the `phone_number` Claim. The use of this parameter is left to the OP's discretion.

8. acr_values: OPTIONAL. Request Authentication Context Class Reference values. Space-separated string that specifies the `acr` values that the 
   Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.
   The Authentication Context Class satisfied by the authentication performed is returned as the `acr` Claim Value, as specified in Section 2. The
   `acr` Claim is requested as a Voluntary Claim by this parameter. 

Other parameters MAY be sent. See Sections 3.2.2, 3.3.2, 5.2, 7, and 7.2.1 for additional Authorization Request parameters and parameter values
defined by this specification.

The following is a non-normative example HTTP 302 redirect response by the Client, which triggers the User-Agent to make an Authentication Request
to the Authorization Endpoint (with line wraps within values for display purposes only):


     HTTP/1.1 302 Found
     Location: https://server.example.com/authorize?
     response_type=code
     &scope=openid%20profile%20email
     &client_id=s6BhdRkqt3
     &state=af0ifjsldkj
     &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

The following is the non-normative example request that would be sent by the User Agent to the Authorization Server in response to the HTTP 302
redirect response by the Client above (with linew wraps for display purposes only):


     GET /authorize?
     response_type=code
     &scope=openid%20profile%20email
     &client_id=s6BhdRkqt3
     &state=af0ifjsldkj
     &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1
     Host: server.example.com

In [None]:
//* OAuthParams struct type in Go for future reference

type OAuthParams struct {
	ClientId     string `json:"client_id"`
	ResponseType string `json:"response_type"`
	RedirectUri  string `json:"redirect_uri"`
	Scope        string `json:"scope"`
	State        string `json:"state"`
	ResponseMode string `json:"response_mode,omitempty"`
	Nonce        string `json:"nonce,omitempty"`
	Display      string `json:"display,omitempty"`
}

### 3.1.2.2 Authentication Request Validation

The Authorization Server MUST validate the request received as follows: 

1. The Authorization Server MUST validate all the OAuth 2.0 parameters according to the OAuth 2.0 specification. 
2. Verify that a `scope` parameter is present and contains the `openid` scope value. (If no `openid` scope value is present, the request may still
   be a valid OAuth 2.0 request, but is not an OpenID Connect request).
3. The Authorization Server MUST verify that all the REQUIRED parameters are present and their usage conforms to this specification
4. If the `sub` (subject) claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if
   the End-User identified by that `sub` value has an active session with the Authorization Server or has been Authenticated as a result of the
   request. The Authorization Server MUST NOT reply with an ID Token or Access Token for a different user, even if they have an active session with
   the Authorization Server. Such a request can be made either using an `id_token_hint` parameter or by requesting a specific Claim Value as
   described in Section 5.5.1, if the `claims` parameter is supported by the implementation.

As specified in OAuth 2.0, Authorization Servers SHOULD ignore unrecognized request parameters. 

If the Authorization Server encounters any error, it MUST return an error response, per Section 3.1.2.6.

### 3.1.2.3 Authorization Server Authenticates End-User

If the request is valid, the Authorization Server attempts to Authenticate the End-User or determines whether the End-User is authenticated, 
depending on the request parameter values used. The methods used by the Authentication Server to Authenticate the End-User (e.g. username and
password, session cookies, etc.) are beyond the scope of this specification. An Authentication user interface MAY be displayed by the authorization
Server, depending upon the request parameter values used and the authentication methods used.

The Authorization Server MUST attempt to Authenticate the End-User in the following cases:

- The End-User is not already Authenticated.
- The Authentication Request contains the `prompt` parameter with the value `login`. In this case, the Authorization Server MUST reauthenticate
  the End-User even if the End-User is already authenticated.

The Authorization Server MUST NOT interact with the End-User in the following cases:

- The Authentication Request contains the `prompt` parameter with the value `none`. In this case, the Authorization Server MUST return an error if
  an End-User is not already Authenticated or could not be silently Authenticated.

When interating with the End-User, the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking,
as described in Sections 10.12 and 10.13 of OAuth 2.0.

### 3.2.1.4 Authorization Server Obtains End-User Consent/Authorization

Once the End-User is authenticated, the Authorization Server MUST obtain an authorization decision before releasing information to the Relying Party.
When permited by the request parameters used, this MAY be done through an interactive dialogue with the End-User tha makes it clear what is being
consented to or by establishing consent via conditions for processing the request or other means (for example, via previous administrative
consent). Sections 2 and 5.3 describe information release mechanisms.

### 3.2.1.5 Successful Authentication Response

An Authentication Response is an OAuth 2.0 Authorization Response message returned from the OP's Authorization Endpoint in response to the 
Authorization Request message sent by the RP.

When using the Authorization Code Flow, the Authorization Response MUST return the parameters defined in Section 4.1.2 of OAuth 2.0 by adding them
as query parameters to the redirect_uri specified in the Authorization Request using the `application/x-www-form-urlencoded` format, unless a
different Response Mode was specified.

The following is a non-normative example successful response by using this flow (with line wraps within values for display purposes only):


     HTTP/1.1 302 Found
     Location: https://client.example.org/cb?
     code=SplxlOBeZQQYbYS6WxSbIA
     &state=af0ifjsldkj

For implementation notes on the contents of the Authorization Code, see Section 15.5.1.

### 3.1.2.6 Authentication Error Response

An Authentication Error Response is an OAuth 2.0 Authorization Error Response message returned from the OP's Authorization Endpoint in response to
the Authorization Request message sent by the RP. 

If the End-User denies the request or the End-User authentication fails, the OP (Authorizing Server) informs the RP (Client) by using the Error
Response parameters defined in Section 4.1.2.1 of OAuth 2.0. (HTTP errors unrelated to RFC 6749 are returned to the User Agent using the 
appropriate HTTP status code).

Unless the Redirection URI is invalid , the Authorization Server returns the Client to the Redirection URI specified in the Authorization Request
with the appropriate error and state parameters. Other parameters SHOULD NOT be returned.

In addition to the error codes defined in section 4.1.2.1 of OAuth 2.0, this specification also defines the following error codes:

- interaction_required: The Authorization Server requires End-User interaction of some form to proceed. This error MAY be returned when the `prompt`
  parameter value in the Authentication Request is `none`, but the Authentication Request cannot be completed without displaying a user interface
  for End-User interaction

- login_required: The Authorization Server requires End-User authentication. This error MAY be returned when the prompt parameter value in the
  Authentication Request is `none`, but the Authentication Request cannot be completed without displaying a user interface for End-User 
  authentication.

- account_selection_required: The End-User is REQUIRED to select a session at the Authorization Server. The End-User MAY be authenticated at the 
  Authorization Server with different associated accounts, but the End-User did not select a session. This error MAY be returned when the `prompt`
  parameter value in the Authentication Request is `none`, but the Authentication Request cannot be completed without displaying a user interface
  to prompt for a session to use.

- consent_required: The Authorization Server requires End-User consent. This error MAY be returned when the `prompt` parameter value in the 
  Authentication Request is `none`, but hte Authentication Request cannot be completed without displaying a user interface for End-User consent.

- invalid_request_uri: The `request_uri` in the Authorization Request returns an error or contains invalid data.

- invalid_request_object: The `request` paramter contains an invalid Request Object.

- request_not_supported: The OP does not support use of the `request` parameter defined in Section 6.

- registration_not_supported: The OP does not support use of the `registration` parameter defined in Section 7.2.1.

The error response parameters are the following: 

error: REQUIRED. Error code.

error_description: OPTIONAL. Human-readable ASCII encoded text description about the error.

error_uri: OPTIONAL. URI of a web page that includes additional information about the error.

state: OAuth 2.0 state value. REQUIRED if the Authorization Request included the `state` parameter. Set to the value received from the Client.

When using the Authorization Code Flow, the error response parameters are added to the query component of the Redirection URI, unless a different
Response Mode was specified.

The following is a non-normative example error message using this flow (with line maps for display purposes only):


     HTTP/1.1 302 Found
     Location: https://client.example.org/cb?
     error=invalid_request
     &error_description=
     Unsupported%20response_type%20value
     &state=af0ifjsldkj


### 3.1.2.7 Authentication Response Validation

When using the Authorization Code Flow, the Client MUST validate the response according to RFC6749, especially Sections 4.1.2 and 10.12.

### 3.1.3 Token Endpoint

To obtain an Access Token, an ID Token, and optionally a Refresh Token, the RP (Client) sends a Token Request to the Token Endpoint to obtain a 
Token Response, as described in Section 3.2 of OAuth 2.0 when using the Authorization Code Flow.

Communication with the Token Endpoint MUST utilize TLS. See Section 16.17 for more information on using TLS.

### 3.1.3.1 Token Request

A Client makes a Token Request by presenting its Authorization Grant (in the form of an Authorization Code) to the Token Endpoint using the 
`grant_type` value `authorization_code`, as described in Section 4.1.3 of OAuth 2.0. If the Client is a Confidential Client, then it MUST 
authenticate to the Token Endpoint using the authentication method registered for its client_id, as described in Section 9.

The Client sends the parameters to the Token Endpoint using the HTTP `POST` method and the Form Serialization, per Section 13.2, as described in
Section 4.1.3 of OAuth 2.0.

The following is a non-normative example of a Token Request (with line wraps within values for display purposes only):

     POST /token HTTP/1.1
     Host: server.example.com
     Content-Type: application/x-www-form-urlencoded
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
  
     grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
     &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

### 3.1.3.2 Token Request Validation

The Authorization Server MUST validate the Token Request as follows:

- Authenticate the Client if it was issued Client Credentials or if it uses another Client Authentication method, per Section 9. 
- Ensure the Authorization Code was issued to the authenticated Client.
- Verify that the Authorization Code is valid.
- Verify that the Authorization Code has not been previously used.
- Ensure that the `redirect_uri` parameter value is identical to the `redirect_uri` parameter value that was included in the initial Authorization
  Request. If the `redirect_uri` parameter value is not present when there is only registered `redirect_uri` value, the Authorization Server MAY
  return an errro (since the Client should have included the parameter) or MAY proceed without an error (since OAuth 2.0 permits the parameter to
  be omitted in this case).
- Verify that the Authorization Code used was issued in response to an OpenID Connect Authentication Request (so that an ID Token will be returned
  from the Token Endpoint).

### 3.1.3.3 Successful Token Response

After receiving and validating a valid and authorized Token Request from the Client, the Authorization Server returns a successful response that 
includes an ID Token and an Access Token. The parameters in the successful response are defined in Section 4.1.4 of OAuth 2.0. The response uses
`application/json` media type.

The OAuth 2.0 `token_type` response parameter value MUST be `Bearer`, as specified in OAuth 2.0 Bearer Token Usage, unless another Token Type has
been negotiated with the Client. Servers SHOULD support the `Bearer` Token Type; use of other Token Types is outside the scope of this specification.

In addition to the response parameters specified by OAuth 2.0, the following parameters MUST be included in the response:

- id_token: ID Token value associated with the authenticated session.

All Token responses that contain tokens, secrets, or other sensitive information MUST include the following HTTP response header fields and values:

| Header Name | Header Value |
|-------------|--------------|
| Cache-Control | no-store |
| Pragma | no-cache |

The following is a non-normative example of a successful Token Response:


     HTTP/1.1 200 OK
     Content-Type: application/json
     Cache-Control: no-store
     Pragma: no-cache

     {
     "access_token": "SlAV32hkKG",
     "token_type": "Bearer",
     "refresh_token": "8xLOxBtZp8",
     "expires_in": 3600,
     "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc
     yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5
     NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ
     fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz
     AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q
     Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ
     NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd
     QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS
     K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4
     XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
     }

As specified in OAuth 2.0, Clients SHOULD ignore unrecognized response parameters.

### 3.1.3.4 Token Error Response

If the Token Request is invalid or unauthorized, the Authorization Server constructs the error response. The parameters of the Token Error Response
are defined as in Section 5.2 of OAuth 2.0. The HTTP response body uses the `application/json` media type with HTTP response code of 400.

The following is a non-normative example Token Error Response:


     HTTP/1.1 400 Bad Request
     Content-Type: application/json
     Cache-Control: no-store
     Pragma: no-cache

     {
     "error": "invalid_request"
     }

### 3.1.3.5 Token Response Validation

The Client MUST validate the Token Response as follows:

1. Follow the validation rules in RFC6749, especially those in sections 5.1 and 10.12.
2. Follow the ID Token validation rules in Section 3.1.3.7
3. Follow the Access Token Validation rules in Section 3.1.3.8

### 3.1.3.6 ID Token

The contents of the ID Token are described in Section 2. When using the Authorization Code Flow, these additional requirements for the following
ID Token Claims apply:

- at_hash: OPTIONAL. Access Token hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII 
  representation of the `access_token` value, where the hash algorithm used is the hash algorithm used in the `alg` Header Parameter of the ID
  Token's JOSE Header. For instance, if the `alg` is `RS256`, hash the access token value with SHA-256, then take the left-most 128 bits and 
  base64url encode them. The at_hash value is a case sensitive string.

### 3.1.3.7 ID Token Validation

Clients MUST validate the ID Token in the Token Response in the following manner:

1. If the ID Token is encrypted, decrypt it using the keys and algorithms that the Client specified during Registration taht the OP was to use to
   encrypt the ID Token. If encryption was negotiated with the OP at Registration time and the ID Token is not encrypted, the RP SHOULD reject it.
2. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match teh value of the `iss` (issuer)
   claim.
3. The Client MUST validate that the `aud` (audience) Claim contains its `client_id` value registered at the Issuer identified by the `iss` (issuer)
   Claim as an audience. The `aud` (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token
   does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
4. If the ID Token contains multiple audiences, the Client SHOULD verify that an `azp` Claim is present.
5. If an `azp` (authorized party) Claim is present, the Client SHOULD verify that its `client_id` is the Claim Value.
6. If the ID token is received via direct communcation between the Client and the Token Endpoint (which it is in this flow), the TLS server 
   validation MAY be used to validate the issuer in place of checking the token signature. The client MUST validate the signature of all other 
   ID Tokens according to JWS using the algorithm specified in the JWT `alg` Header Parameter. The Client MUST use the keys provided by the issuer.
7. The `alg` value SHOULD be the default of `RS256` or the algorithm sent by the Client in the `id_token_signed_response_alg` parameter during
   registration.
8. If the JWT `alg` Header Parameter uses a MAC based algorithm, such as `HS256`, `HS384`, or `HS512`, the octets of the UTF-8 representation of 
   the `client_secret` corresponding to the `client_id` contained in th `aud` (audience) Claim are used as the key to validate the siganture. For
   MAC based algorithms, the behavior is unspecified if the `aud` is multi-valued or if an `azp` value is prent that is different than the `aud`
   value.
9. The current time MUST be before the time represented by the `exp` Claim.
10. The `iat` Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need
    to be stored to prevent attacks. The acceptable range is Client specific.
11. If a nonce value was sent in the Authorization Request, a `nonce` Claim MUST be present and its value checked to verify that it is the same
    value as the one that was sent in the Authentication Request. The Client SHOULD check the `nonce` value for replay attacks. The precise method
    for detecting replay attacks is Client specific.
12. If the `acr` Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate. The meaning and processing of `acr` 
    values is out of scope for this specification.
13. If the `auth_time` Claim was requested, either through a specific request for this Claim or by using the `max_age` parameter, the Client SHOULD
    check the `auth_time` Claim value and request re-authentication if it determines too much time has elapsed since the last End-User
    authentication.

### 3.1.3.8 Access Token Validation 

When using the Authorization Code Flow, if the ID Token contains an `at_hash` Claim, the Client MAY use it to validate the Access Token in the same
manner as for the Implicit Flow, as defined in Section 3.2.2.9, but using the ID Token and Access Token returned from the Token Endpoint.

### 3.2. Authentication using the Implicit Flow

