• caglararli@hotmail.com
  • 05386281520

OIDC Hybrid flow

Çağlar Arlı      -    8 Views

OIDC Hybrid flow

I'm trying to understand the Hybrid flow of OIDC. Am I correct in thinking that an authentication request is made to the authorization endpoint, which then responds with the authorization code, id token and the token in the URL fragment?

If that's the case what's the point of returning an authorization code if it's not going to be exchanged for an access and id token?

3.3.2.5. Successful Authentication Response

When using the Hybrid Flow, Authentication Responses are made in the same manner as for the Implicit Flow, as defined in Section 3.2.2.5, with the exception of the differences specified in this section.

These Authorization Endpoint results are used in the following manner:

access_token
OAuth 2.0 Access Token. This is returned when the response_type value used is code token, or code id_token token. (A token_type value is also returned in the same cases.)

id_token
ID Token. This is returned when the response_type value used is code id_token or code id_token token.

code
Authorization Code. This is always returned when using the Hybrid Flow.

The following is a non-normative example of a successful response using the Hybrid Flow (with line wraps for the display purposes only):

HTTP/1.1 302 Found   Location: https://client.example.org/cb#
code=SplxlOBeZQQYbYS6WxSbIA
&id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
&state=af0ifjsldkj