Overview#

The Hybrid Flow consists of the following steps:
  • Client prepares an Authentication Request containing the desired request parameters.
  • Client sends the request to the Authorization Server.
  • Authorization Server Authenticates the End-User.
  • Authorization Server obtains End-User Consent/Authorization.
  • Authorization Server sends the End-User back to the Client with an Authorization Code and, depending on the Response Type, one or more additional parameters.
  • Client requests a response using the Authorization Code at the Token Endpoint.
  • Client receives a response that contains an ID Token and Access Token in the response body.
  • Client validates the ID Token and retrieves the End-User's Subject Identifier.

Authentication Request#

The Hybrid Flow Authentication Request is the same as for the Authorization Code Flow, except that:
  • response_type must be one of:
    • code id_token
    • code token
    • code id_token token
These values are as defined for Response_type. Because an ID Token (and possibly an Access Token) is returned directly from the Authorization Endpoint, the nonce parameter is REQUIRED in the Hybrid Flow; the Client must generate it per session and check it against the ID Token's nonce Claim.

The following is a non-normative example request using the Hybrid Flow that would be sent by the User Agent to the Authorization Server in response to a corresponding HTTP 302 redirect response by the Client (with line wraps within values for display purposes only):

  GET /authorize?
    response_type=code%20id_token
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &scope=openid%20profile%20email
    &nonce=n-0S6_WzA2Mj
    &state=af0ifjsldkj HTTP/1.1
  Host: server.example.com

Authentication Request Validation#

When using the Hybrid Flow, the Authentication Request is validated in the same manner as for the Authorization Code Flow.

Authorization Server Authenticates End-User#

When using the Hybrid Flow, End-User Authentication is performed in the same manner as for the Authorization Code Flow.

Authorization Server Obtains End-User Consent/Authorization#

When using the Hybrid Flow, End-User Consent is obtained in the same manner as for the Authorization Code Flow.

Successful Authentication Response#

When using the Hybrid Flow, Authentication Responses are made in the same manner as for the Implicit Flow, as defined in Section 3.2.2.5, with the exception of the differences specified in this section.

These Authorization Endpoint results are used in the following manner:
  • access_token: Access Token. This is returned when the response_type value used is code token or code id_token token. (A token_type value is also returned in the same cases.)
  • id_token: ID Token. This is returned when the response_type value used is code id_token or code id_token token.
  • code: Authorization Code. This is always returned when using the Hybrid Flow.

The following is a non-normative example of a successful response using the Hybrid Flow (with line wraps for display purposes only). Note that the parameters are returned in the URL fragment, as in the Implicit Flow:

  HTTP/1.1 302 Found
  Location: https://client.example.org/cb#
    code=SplxlOBeZQQYbYS6WxSbIA
    &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
    &state=af0ifjsldkj
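The Client side of the flow described above (steps 1, 5 and 8 of the Overview, using the request and response examples on this page), as an added example in Python; it is not code from this page or from the OpenID Connect specification. It assumes that the Relying Party keeps state and nonce in a server-side session, an issuer value for the example Authorization Server (ISSUER), and that the ID Token's JWS signature has already been verified by a JOSE library before its decoded payload is checked; the ID Token payload in demo() is constructed for the example. It shows the checks a Client must perform on an ID Token received from the Authorization Endpoint in the Hybrid Flow: state, iss/aud/exp, the nonce (REQUIRED in this flow) and c_hash, which binds the returned code to the ID Token, plus at_hash when an access_token is returned in the same response.

```python
"""Relying Party side of the Hybrid Flow with response_type=code id_token.
Added example, not code from the wiki page or the OpenID Connect spec.  Assumed here:
the RP keeps state and nonce in a server-side session, and the ID Token's JWS
signature has ALREADY been verified by a JOSE library before its decoded payload
reaches validate_hybrid_response().  ISSUER is an assumed value for the example AS."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_ID = "s6BhdRkqt3"                        # client_id from the page's request
REDIRECT_URI = "https://client.example.org/cb"  # redirect_uri from the page's request
ISSUER = "https://server.example.com"           # assumed iss value of the example AS


def build_authentication_request(authorize_endpoint: str, session: dict) -> str:
    """Step 1: prepare the request.  state binds the response to this browser session
    (CSRF defence); nonce binds the ID Token to it and is REQUIRED whenever id_token
    is part of response_type, as it is in every Hybrid Flow variant but code token."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code id_token", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
        "nonce": session["nonce"], "state": session["state"],
    })
    return f"{authorize_endpoint}?{query}"


def left_half_hash(value: str, alg: str) -> str:
    """c_hash / at_hash as OIDC Core defines them: hash the ASCII value with the hash
    function of the ID Token's JWS alg (RS256 -> SHA-256, ES384 -> SHA-384, ...), keep
    the left-most half of the digest and base64url-encode it without padding."""
    if alg[:2] not in ("RS", "ES", "PS", "HS") or alg[2:] not in ("256", "384", "512"):
        raise ValueError(f"unsupported alg for hash binding: {alg}")   # rejects "none"
    digest = hashlib.new("sha" + alg[2:], value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def parse_hybrid_response(location: str) -> dict:
    """Step 5: the AS redirects back with code (+ id_token / token) in the URL FRAGMENT,
    so the browser never sends these values to the RP server in the HTTP request itself."""
    parts = urlsplit(location)
    if parts.query:
        raise ValueError("Hybrid Flow parameters belong in the fragment, not the query")
    params = {k: v[0] for k, v in parse_qs(parts.fragment, strict_parsing=True).items()}
    if "code" not in params:
        raise ValueError("an Authorization Code is always returned in the Hybrid Flow")
    return params


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison for values an attacker can influence."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def validate_hybrid_response(params: dict, payload: dict, alg: str, session: dict,
                             now=None) -> str:
    """Step 8: validate the front-channel ID Token and return the End-User's sub.
    Only after this succeeds should the code be redeemed at the Token Endpoint."""
    now = time.time() if now is None else now
    if not _eq(params.get("state", ""), session["state"]):
        raise ValueError("state mismatch: response is not bound to this session")
    if payload.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud", [])
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("ID Token was not issued to this client")
    if payload.get("exp", 0) <= now:
        raise ValueError("ID Token has expired")
    if not _eq(payload.get("nonce", ""), session["nonce"]):
        raise ValueError("nonce mismatch: replayed or foreign ID Token")
    # c_hash is REQUIRED when code is returned next to the ID Token from the Authorization Endpoint
    if not _eq(payload.get("c_hash", ""), left_half_hash(params["code"], alg)):
        raise ValueError("c_hash mismatch: code was substituted or ID Token reused")
    # at_hash is REQUIRED when an access_token is in the same response (code id_token token)
    if "access_token" in params and not _eq(payload.get("at_hash", ""),
                                            left_half_hash(params["access_token"], alg)):
        raise ValueError("at_hash mismatch: access token does not belong to this ID Token")
    return payload["sub"]


def demo(code: str = "SplxlOBeZQQYbYS6WxSbIA") -> str:
    """Run the page's example response through the checks.  The ID Token payload is
    constructed here for illustration; a real one comes out of the verified JWS.
    Passing a different code simulates an attacker substituting the code in the fragment."""
    session = {"state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj"}   # stored at step 1
    location = f"https://client.example.org/cb#code={code}&id_token=eyJ0...&state=af0ifjsldkj"
    params = parse_hybrid_response(location)
    payload = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
               "exp": 1_900_000_000, "nonce": "n-0S6_WzA2Mj",
               "c_hash": left_half_hash("SplxlOBeZQQYbYS6WxSbIA", "RS256")}  # hash of the real code
    return validate_hybrid_response(params, payload, "RS256", session, now=1_899_999_500)
```

demo() returns the End-User's Subject Identifier for the page's example response; demo("some-other-code") raises because the c_hash no longer matches the code in the fragment, which is exactly the substitution the hash binding exists to catch. Only after these checks pass should the code be exchanged at the Token Endpoint, and if that exchange returns a second ID Token, its iss and sub Claims must be identical to those of the front-channel ID Token.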

« This page (revision-3) was last changed on 01-Jul-2016 12:06 by jim