@@ -0,0 +1,202 @@
+# Authx = Authn + Authz
+
+* Authentication: Are you who you say you are?
+* Authorization: Are you allowed to do that?
+
+# Authx - Examples
+
+1. Travel by Plane (High security context)
+ * Authentication: Passport
+ * Authorization: Boarding Pass
+1. Travel by Bus (Low security context)
+ * Authentication: Not required
+ * Authorization: Bus ticket
+
+# Authx
+
+The Resource Server provides the security context and knows if the resource that
+is being access requires a high or low security context.
+
+# Authx
+
+Not every resource requires a high security context.
+
+i.e. we don't need to make a network call to the PDP for every single authorization decision if the security context is low.
+
+# Authx - Challenges
+
+* PKI: key rotation, revocation, signing, encryption
+* Uptime Guarantees
+* Auditability
+* Complexity
+* Interoperability
+* Extensibility
+* Observability
+* ...
+
+# OAuth 2.x
+
+OAuth is for Authorization.
+
+# OAuth 2.x - Protocol Flow
+
+```plaintext
+ +--------+ +---------------+
+ | |--(A)- Authorization Request ->| Resource |
+ | | | Owner |
+ | |<-(B)-- Authorization Grant ---| |
+ | | +---------------+
+ | |
+ | | +---------------+
+ | |--(C)-- Authorization Grant -->| Authorization |
+ | Client | | Server |
+ | |<-(D)----- Access Token -------| |
+ | | +---------------+
+ | |
+ | | +---------------+
+ | |--(E)----- Access Token ------>| Resource |
+ | | | Server |
+ | |<-(F)--- Protected Resource ---| |
+ +--------+ +---------------+
+```
+
+https://datatracker.ietf.org/doc/html/rfc6749#section-1.2
+
+# OAuth 2.x - Protocol Endpoints
+
+The authorization process utilizes two authorization server endpoints (HTTP resources):
+
+- Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.
+- Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication.
+
+https://datatracker.ietf.org/doc/html/rfc6749#section-3
+
+# OAuth 2.x - Authorization Grants
+
+* Authorization Code: `authorization_code`
+* JWT Bearer: `urn:ietf:params:oauth:grant-type:jwt-bearer`
+* Refresh Token: `refresh_token`
+* SAML Assertion: `urn:ietf:params:oauth:grant-type:saml2-bearer`
+
+# OAuth 2.x - Authorization Code Grant Protocol Flow
+
+```plaintext
+ +----------+
+ | Resource |
+ | Owner |
+ | |
+ +----------+
+ ^
+ |
+ (B)
+ +----|-----+ Client Identifier +---------------+
+ | -+----(A)-- & Redirection URI ---->| |
+ | User- | | Authorization |
+ | Agent -+----(B)-- User authenticates --->| Server |
+ | | | |
+ | -+----(C)-- Authorization Code ---<| |
+ +-|----|---+ +---------------+
+ | | ^ v
+ (A) (C) | |
+ | | | |
+ ^ v | |
+ +---------+ | |
+ | |>---(D)-- Authorization Code ---------' |
+ | Client | & Redirection URI |
+ | | |
+ | |<---(E)----- Access Token -------------------'
+ +---------+ (w/ Optional Refresh Token)
+```
+
+# OAuth 2.x - Implicit Grant (not a recommendation)
+
+```plaintext
+ +--------------------+
+ | Resource Owner |
+ +--------------------+
+ ^
+ (B)
+ +----|-----+ Client Identifier +---------------+
+ | +----(A)-- & Redirection URI --->| Authorization |
+ | User- | | Server |
+ | Agent -|----(B)-- User authenticates -->| |
+ | |<---(C)--- Redirection URI ----<+---------------+
+ | | with Access Token
+ | | +---------------+
+ | |----(D)--- Redirection URI ---->| Web-Hosted |
+ | | without Fragment | Client |
+ | | | Resource |
+ | (F) |<---(E)------- Script ---------<+---------------+
+ +-|--------+
+ (A) (G) Access Token
+ ^ v
+ +---------+
+ | Client |
+ +---------+
+```
+
+# OAuth 2.x - Refresh Token Grant Protocol Flow
+
+```plaintext
+ +--------+ +---------------+
+ | |--(A)------- Authorization Grant --------->| |
+ | | | |
+ | |<-(B)----------- Access Token -------------| |
+ | | & Refresh Token | |
+ | | | |
+ | | +----------+ | |
+ | |--(C)---- Access Token ---->| | | |
+ | | | | | |
+ | |<-(D)- Protected Resource --| Resource | | Authorization |
+ | Client | | Server | | Server |
+ | |--(E)---- Access Token ---->| | | |
+ | | | | | |
+ | |<-(F)- Invalid Token Error -| | | |
+ | | +----------+ | |
+ | | | |
+ | |--(G)----------- Refresh Token ----------->| |
+ | | | |
+ | |<-(H)----------- Access Token -------------| |
+ +--------+ & Optional Refresh Token +---------------+
+```
+
+# OpenID Connect (OIDC)
+
+OIDC adds Authn to OAuth.
+
+# OIDC - Protocol Flow
+
+OIDC = Authn + OAuth
+
+```plaintext
++--------+ +--------+
+| | | |
+| |---------(1) AuthN Request-------->| |
+| | | |
+| | +--------+ | |
+| | | | | |
+| | | End- |<--(2) AuthN & AuthZ-->| |
+| | | User | | |
+| RP | | | | OP |
+| | +--------+ | |
+| | | |
+| |<--------(3) AuthN Response--------| |
+| | | |
+| |---------(4) UserInfo Request----->| |
+| | | |
+| |<--------(5) UserInfo Response-----| |
+| | | |
++--------+ +--------+
+```
+
+# WLIF
+
+* https://docs.google.com/document/d/1XyuQXuUJE0kGC2jqy_vaLPGxAFjzMvJWOS74QoP7UA8/
+
+# Primitives
+
+We need:
+
+* PKI: Certificate Authority generate and sign intermediate certs
+* OAuth 2.x Authorization Server
+* OIDC Provider (OP)
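Review bot: the slide "OAuth 2.x - Implicit Grant (not a recommendation)" states the caveat but never says why, even though the diagram itself shows the reason: the access token comes back in the redirection URI at (C) ("Redirection URI with Access Token"), travels through the user-agent, and is only extracted by script at (E)/(G), so it never passes through a client-authenticated token endpoint the way it does at (D)/(E) on the Authorization Code slide. Suggest a one-line rationale under that heading and a pointer to the grant the audience should use instead (the Authorization Code grant from the preceding slide, with PKCE), otherwise the slide reads as a flow to copy rather than one to avoid. Smaller points in the same hunk: "PDP" (in "make a network call to the PDP") and "WLIF" are never expanded, and the WLIF slide consists only of a Google Docs link, so readers without access to that document get nothing from it; "the resource that is being access requires" should read "is being accessed"; "Certificate Authority generate and sign intermediate certs" should read "Certificate Authority to generate and sign intermediate certs". The "Authorization Grants" slide mixes the RFC 6749 grants with the JWT and SAML bearer extension grants but, unlike the neighbouring slides, cites no RFC for them and omits `client_credentials`, which matters for a deck whose "Primitives" slide is about building the Authorization Server.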