Overview
The Hybrid Flow follows these steps:
- Client prepares an Authentication Request containing the desired request parameters.
- Client sends the request to the Authorization Server.
- Authorization Server Authenticates the End-User.
- Authorization Server obtains End-User Consent/Authorization.
- Authorization Server sends the End-User back to the Client with an Authorization Code and, depending on the Response Type, one or more additional parameters.
- Client requests a response using the Authorization Code at the Token Endpoint.
- Client receives a response that contains an ID Token and Access Token in the response body.
- Client validates the ID Token and retrieves the End-User's Subject Identifier.
- response_type must be one of the following:
  - code id_token
  - code token
  - code id_token token
The following is a non-normative example request using the Hybrid Flow that would be sent by the User Agent to the Authorization Server in response to a corresponding HTTP 302 redirect response by the Client (with line wraps within values for display purposes only):
  GET /authorize?
    response_type=code%20id_token
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &scope=openid%20profile%20email
    &nonce=n-0S6_WzA2Mj
    &state=af0ifjsldkj HTTP/1.1
  Host: server.example.com
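The request above is what the Authorization Server has to validate before it authenticates anyone. The following is an added example (not code from the page or from any OpenID implementation) of that server-side check in Python: it parses the query, rejects duplicated parameters, requires the parameters the page's example carries (treating nonce as required, which OpenID Connect Core mandates for this flow), confirms the client and its exact redirect_uri are registered (the registration table is a constructed assumption), and accepts only the three Hybrid Flow response_type values. A redirect_uri failure must be answered directly, never by redirecting, because the only safe place to send an error is a URI the server already trusts.

```python
from urllib.parse import parse_qsl

# Constructed client registration (assumption); client_id and redirect_uri match the page's example.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"redirect_uris": {"https://client.example.org/cb"}},
}

# The three response_type values the Hybrid Flow allows; order of the tokens does not matter.
HYBRID_RESPONSE_TYPES = {
    frozenset({"code", "id_token"}),
    frozenset({"code", "token"}),
    frozenset({"code", "id_token", "token"}),
}

REQUIRED_PARAMS = ("response_type", "client_id", "redirect_uri", "scope", "nonce")

# Query string from the page's example request, already URL-encoded as the User Agent sends it.
EXAMPLE_QUERY = (
    "response_type=code%20id_token&client_id=s6BhdRkqt3"
    "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
    "&scope=openid%20profile%20email&nonce=n-0S6_WzA2Mj&state=af0ifjsldkj"
)


def parse_query(query: str) -> dict:
    """Decode the query; OAuth 2.0 forbids repeating a parameter, so refuse duplicates."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = value
    return params


def validate_hybrid_request(query: str) -> dict:
    """Validate a Hybrid Flow Authentication Request; raise ValueError describing the first defect."""
    params = parse_query(query)
    for name in REQUIRED_PARAMS:
        if not params.get(name):
            raise ValueError(f"missing required parameter: {name}")

    # Client identity and redirect_uri are checked before anything else: if either is wrong
    # the server must show the error itself rather than redirect to an unverified URI.
    client = REGISTERED_CLIENTS.get(params["client_id"])
    if client is None:
        raise ValueError("unknown client_id")
    if params["redirect_uri"] not in client["redirect_uris"]:
        raise ValueError("redirect_uri is not registered for this client (do not redirect)")

    response_type = frozenset(params["response_type"].split())
    if response_type not in HYBRID_RESPONSE_TYPES:
        raise ValueError("response_type is not a Hybrid Flow value")
    if "openid" not in params["scope"].split():
        raise ValueError("scope must include openid for an OpenID Connect request")

    return {"params": params, "response_type": response_type}


def request_error(query: str):
    """Convenience wrapper: the error message for a bad request, or None when it is valid."""
    try:
        validate_hybrid_request(query)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    result = validate_hybrid_request(EXAMPLE_QUERY)
    print("valid request; response_type =", " ".join(sorted(result["response_type"])))
```

The state parameter is deliberately not in REQUIRED_PARAMS: it is the client's CSRF defence and the server passes it back unchanged, so a server cannot sensibly reject its absence, but a client that omits it has given up that protection.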
Authentication Request Validation
When using the Hybrid Flow, the Authentication Request is validated in the same manner as for the Authorization Code Flow.
Authorization Server Authenticates End-User
When using the Hybrid Flow, End-User Authentication is performed in the same manner as for the Authorization Code Flow.
Authorization Server Obtains End-User Consent/Authorization
When using the Hybrid Flow, End-User Consent is obtained in the same manner as for the Authorization Code Flow.
Successful Authentication Response
When using the Hybrid Flow, Authentication Responses are made in the same manner as for the Implicit Flow, as defined in Section 3.2.2.5, with the exception of the differences specified in this section.
These Authorization Endpoint results are used in the following manner:
- access_token - OAuth 2.0 Access Token. This is returned when the response_type value used is code token, or code id_token token. (A token_type value is also returned in the same cases.)
- id_token - Identity Token. This is returned when the response_type value used is code id_token or code id_token token.
- code - Authorization Code. This is always returned when using the Hybrid Flow.
The following is a non-normative example of a successful response using the Hybrid Flow (with line wraps for display purposes only):
  HTTP/1.1 302 Found
  Location: https://client.example.org/cb#
    code=SplxlOBeZQQYbYS6WxSbIA
    &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
    &state=af0ifjsldkj