I came across a custom implementation of OpenID Connect. But (there is always a but) I have some doubts:
I understand the process of getting access_token and id_token, except for the step where the OP provides the client with an authorization code. If this is done by redirecting (using the redirect URI):

    HTTP/1.1 302 Found
    Location: https://client.example.org/cb?
      code=SplxlOBeZQQYbYS6WxSbIA
      &state=af0ifjsldkj
- Can the end user see this authorization code? Doesn't it expire? Imagine that we capture it and use it later (in a few days). Is this a security hole? Should it expire at the token endpoint?

The flow continues, and we receive access_token and id_token on the client.
- How should the access_token be used on the OP side? Should it be stored in a database? Or should it itself contain the information necessary to verify it? What would you recommend?
- And on the client side, should both tokens be sent with each request?

And the last doubt: if we have an access_token, why does the id_token exist, i.e. why represent authorization and authentication in separate tokens?
Additional doubts:
I know the process of obtaining an access token, but I have doubts about how the OP, once the access_token is generated and sent, checks the access_token that comes with each request.
- OP ? , OP , access_token /. - ? , , ?
- access_token cookie? -, access_token . ?
- , , ASP.NET, ?
, , .
!
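As an added example (not part of the question, and not the custom OP implementation the asker describes), here is a minimal Python sketch of the OP-side pieces the doubts touch on: an authorization code store that is short-lived, single-use and bound to the client_id and redirect_uri, so a code captured from the redirect cannot be redeemed again days later; and the two ways of checking an access_token on each request, an opaque random token looked up in a server-side store versus a self-contained HMAC-signed token verified from its own contents. The lifetimes, the signing key and the client and redirect values are constructed assumptions, not values from the question.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed lifetimes (not from the question). OAuth 2.0 recommends codes live
# at most a few minutes; the access token lifetime is a deployment choice.
CODE_TTL_SECONDS = 600
TOKEN_TTL_SECONDS = 3600
# Constructed key for the self-contained token variant; a real OP would load it from a secret store.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


class AuthorizationCodeStore:
    """OP-side record of issued codes: short-lived, single-use, bound to client and redirect_uri."""

    def __init__(self, now=time.time):
        self._codes = {}
        self._now = now  # injectable clock so expiry can be tested deterministically

    def issue(self, client_id, redirect_uri, subject):
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "sub": subject, "expires_at": self._now() + CODE_TTL_SECONDS}
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Return the subject on success, None on any failure. The code is consumed either way."""
        entry = self._codes.pop(code, None)          # pop first: a second presentation always fails
        if entry is None:
            return None                              # unknown, or already redeemed (replay)
        if self._now() > entry["expires_at"]:
            return None                              # expired: a captured code goes stale quickly
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None                              # presented by a different client / redirect
        return entry["sub"]


class OpaqueTokenStore:
    """Option A: access_token is a random string; the OP keeps the state and looks it up (introspection)."""

    def __init__(self, now=time.time):
        self._tokens = {}
        self._now = now

    def issue(self, subject, scope):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": subject, "scope": scope,
                               "expires_at": self._now() + TOKEN_TTL_SECONDS}
        return token

    def introspect(self, token):
        entry = self._tokens.get(token)
        if entry is None or self._now() > entry["expires_at"]:
            return None
        return entry

    def revoke(self, token):
        # Immediate revocation is the main advantage of keeping server-side state.
        self._tokens.pop(token, None)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_self_contained_token(subject, scope, now=time.time):
    """Option B: HMAC-signed JWT-style token; the verifier needs only the key, not a database."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "scope": scope, "exp": int(now()) + TOKEN_TTL_SECONDS}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_self_contained_token(token, now=time.time):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    # The header's alg is deliberately ignored: the verifier always applies HS256 with its own key,
    # which closes the algorithm-confusion class of bugs.
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if now() > claims["exp"]:
        return None
    return claims
```

The code store pops the entry before any other check, so an expired or mismatched code is discarded on its first presentation rather than left around for a second try. The two token variants show the trade-off behind the "database or self-contained" doubt: the opaque store can revoke instantly but costs a lookup per request, while the signed token needs no lookup and cannot be revoked before `exp` without adding a denylist.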