OIDC Hybrid flow
I'm trying to understand the Hybrid flow of OIDC. Am I correct in thinking that an authentication request is made to the authorization endpoint, which then responds with the authorization code, id token and the token in the URL fragment?
If that's the case what's the point of returning an authorization code if it's not going to be exchanged for an access and id token?
3.3.2.5. Successful Authentication Response
When using the Hybrid Flow, Authentication Responses are made in the same manner as for the Implicit Flow, as defined in Section 3.2.2.5, with the exception of the differences specified in this section.
These Authorization Endpoint results are used in the following manner:
access_token
OAuth 2.0 Access Token. This is returned when the response_type value used iscode token
, orcode id_token token
. (Atoken_type
value is also returned in the same cases.)
id_token
ID Token. This is returned when the response_type value used iscode id_token
orcode id_token token
.
code
Authorization Code. This is always returned when using the Hybrid Flow.The following is a non-normative example of a successful response using the Hybrid Flow (with line wraps for the display purposes only):
HTTP/1.1 302 Found Location: https://client.example.org/cb# code=SplxlOBeZQQYbYS6WxSbIA &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso &state=af0ifjsldkj