examples/oidc.diff

diff --git a/examples/oauth.ts b/examples/oidc.ts
index d87c63e..1bf04f6 100644
--- a/examples/oauth.ts
+++ b/examples/oidc.ts
@@ -18,27 +18,27 @@ let config = await client.discovery(server, clientId, clientSecret)
 
 let code_challenge_method = 'S256'
 /**
- * The following (code_verifier and potentially state) MUST be generated for
+ * The following (code_verifier and potentially nonce) MUST be generated for
  * every redirect to the authorization_endpoint. You must store the
- * code_verifier and state in the end-user session such that it can be recovered
+ * code_verifier and nonce in the end-user session such that it can be recovered
  * as the user gets redirected from the authorization server back to your
  * application.
  */
 let code_verifier = client.randomPKCECodeVerifier()
 let code_challenge = await client.calculatePKCECodeChallenge(code_verifier)
-let state!: string
+let nonce!: string
 
 {
   // redirect user to as.authorization_endpoint
   let parameters: Record<string, string> = {
     redirect_uri,
-    scope: 'api:read',
+    scope: 'openid email',
     code_challenge,
     code_challenge_method,
   }
 
   /**
-   * We cannot be sure the AS supports PKCE so we're going to use state too. Use
+   * We cannot be sure the AS supports PKCE so we're going to use nonce too. Use
    * of PKCE is backwards compatible even if the AS doesn't support it which is
    * why we're using it regardless.
    */
@@ -47,8 +47,8 @@ let state!: string
       .serverMetadata()
       .code_challenge_methods_supported?.includes('S256') !== true
   ) {
-    state = client.randomState()
-    parameters.state = state
+    nonce = client.randomNonce()
+    parameters.nonce = nonce
   }
 
   let redirectTo = client.buildAuthorizationUrl(config, parameters)
@@ -59,26 +59,26 @@ let state!: string
 
 // one eternity later, the user lands back on the redirect_uri
 // Authorization Code Grant
+let sub: string
 let access_token: string
 {
   let currentUrl: URL = getCurrentUrl()
   let tokens = await client.authorizationCodeGrant(config, currentUrl, {
     pkceCodeVerifier: code_verifier,
-    expectedState: state,
+    expectedNonce: nonce,
+    idTokenExpected: true,
   })
 
   console.log('Token Endpoint Response', tokens)
   ;({ access_token } = tokens)
+  let claims = tokens.claims()!
+  console.log('ID Token Claims', claims)
+  ;({ sub } = claims)
 }
 
-// Protected Resource Request
+// UserInfo Request
 {
-  let protectedResource = await client.fetchProtectedResource(
-    config,
-    access_token,
-    new URL('https://rs.example.com/api'),
-    'GET',
-  )
+  let userInfo = await client.fetchUserInfo(config, access_token, sub)
 
-  console.log('Protected Resource Response', await protectedResource.json())
+  console.log('UserInfo Response', userInfo)
 }