Overview#

Hybrid Flow is an is an Authorization Grant defined in OpenID Connect

Hybrid Flow is requested by using a response_type='code id_token'

Hybrid Flow returns an id_token from the authorization_endpoint in addition to the authorization Code and adds a c_hash which enables a check that the authorization Code is valid.

Hybrid Flow follows the following steps:

Authentication Request#

Hybrid Flow Authentication Request is the same as the Authorization Code Flow except:
  • response_type must be:
    • code id_token
    • code token
    • code id_token token
Where these values are as defined for Response_type.

The following is a non-normative example request using the Hybrid Flow that would be sent by the User Agent to the Authorization Server in response to a corresponding HTTP 302 redirect response by the Client: (with line wraps within values for display purposes only): 

  GET /authorize?
    response_type=code%20id_token
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &scope=openid%20profile%20email
    &nonce=n-0S6_WzA2Mj
    &state=af0ifjsldkj HTTP/1.1
  Host: server.example.com

Successful OpenID Connect Authentication Response#

When using the Hybrid Flow, OpenID Connect Authentication Response are made in the same manner as for the Implicit Grant, as defined in Section 3.2.2.5, with the exception of the differences specified in this section.

These Authorization_endpoint results are used in the following manner:

The following is a non-normative example of a successful response using the Hybrid Flow (with line wraps for the display purposes only): 

  HTTP/1.1 302 Found
  Location: https://client.example.org/cb#
    code=SplxlOBeZQQYbYS6WxSbIA
    &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
    &state=af0ifjsldkj

More Information#

There might be more information for this subject on one of the following:
This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthorTop