Document simplification.

oidc.md

@@ -2,11 +2,11 @@
 
 ## Table of contents
 
-* [Introduction](#Introduction)
-* [Authorization flow](#Authorization-flow)
-  * [Visiting target website](#Visiting-target-website)
-  * [Authentication](#Authentication-Authorization)
-  * [JWT generation, delivery & validation](JWT-generation,-delivery-&-validation)
+* [Introduction](#introduction)
+* [Authorization flow](#authorization-flow)
+  * [Visiting target website](#visiting-target-website)
+  * [Authentication](#authentication-authorization)
+  * [JWT generation, delivery & validation](jwt-generation-delivery-validation)
 
 ## Introduction
 
@@ -145,31 +145,23 @@ flowchart TB
     R -->|redirect user| W
 ```
 
-After all the necessary data about the User has been collected, the oidc Authorization Server sends the following response to the User, containing a link to the website and the `id_token` (JWT - JSON Web Token):
+As a result of the authentication User is redirected to `redirect_uri` with data included in query or fragment of the address (see the specification).
+After all the necessary data about the User has been collected, the OIDC Authorization Server sends the following response to the User, containing a link to the website and the `id_token` (JWT - JSON Web Token):
 
 ```
-HTTP/1.1 302 Redirect
-Location: {redirect_uri}?id_token
+  HTTP/1.1 302 Found
+  Location: https://client.example.org/cb#
+    id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
+    &expires_in=3600
+    &state=af0ifjsldkj
 ```
 
-The `id_token` (JWT) is a JSON file that contains the information needed for authentication and validation, and the website can extract various information from the JWT, such as ID, user name, time of login to the account, expiration date of the ID Token, the presence of tampering attempts in the JWT, for example, `sub+email+collected_data+signature`.
-
+The `id_token` (JWT) is a base64 encoded urlsafe string.
 More information on `id_token` data structure can be found [here](https://openid.net/specs/openid-connect-core-1_0-final.html#IDToken).
 
-Signature contains the private key with which the oidc Authorization Server signs a particular JWT.
-The private key used to sign the JWT content must be associated with a public key used for signature verification published by the sender in its `jwks_endpoint` (JWK Set document).
+JWT contains signature signed with the private key of the OIDC Provider.
+The client shall verify that JWT is signed by corresponding to `kid` public key contained in JWKS `jwks_endpoint`.
 
-The website must [validate](https://openid.net/specs/openid-connect-core-1_0-final.html#IDTokenValidation) the JWT in the Token Response to proceed with the data.
-To do this, it accesses the `jwks_endpoint`, from which it can obtain public keys to verify the JWT signature.
-
-The goal achieved.
+See [specification](https://openid.net/specs/openid-connect-core-1_0-final.html#IDTokenValidation) for more details.
 
 The website can now use the JWT to get the necessary information about the User.
-
-**ATTENTION:**
-
-1. The user must perform all actions in one browser = from one device.
-Using multiple devices may prevent successful authorization.
-2. In Stage 2, the user can be asked to enter not an email, but, for example, a phone number or both.
-Then, at the next stages, it will be possible to choose the most convenient communication method when sending *magic link*.
-3. Cookies are currently stored on the oidc Authorization Server for 30 days, but this period may be extended if necessary.