!!! Overview

[{$pagename}] is an [Authorization Grant] defined in [OpenID Connect] in which some tokens are returned from the [Authorization_endpoint] and others from the [Token_endpoint].

[{$pagename}] is requested by using a [response_type] of code id_token, code token or code id_token token.

When the [response_type] includes id_token, [{$pagename}] returns an [id_token] from the [authorization_endpoint] in addition to the [authorization Code]. That [id_token] carries a [c_hash] claim, which lets the [OAuth Client] check that the [authorization Code] it received is the one the [Authorization Server] issued together with that [id_token]. When an [access_token] is also returned from the [authorization_endpoint] (code id_token token), the [id_token] carries an at_hash claim that binds the [access_token] in the same way.

[{$pagename}] follows these steps:
* [OAuth Client] prepares an [Authentication Request] containing the desired request parameters.
* [OAuth Client] sends the [Authentication Request] to the [Authorization Server].
* [Authorization Server Authentication of the End-User].
* [Authorization Server Request End-User Consent-Authorization].
* [Authorization Server] sends the End-User back to the [OAuth Client] with an [Authorization Code] and, depending on the [Response_type], one or more additional parameters.
* [OAuth Client] requests a response using the [Authorization Code] at the [Token_endpoint].
* [OAuth Client] receives a response that contains an [Id_token] and [Access_token] in the response body.
* [OAuth Client] validates the [Id_token] and retrieves the End-User's Subject Identifier.

!! [Authentication Request]

The [{$pagename}] [Authentication Request] is the same as in the [Authorization Code Flow] except:
* [response_type] must be one of:
** code id_token
** code token
** code id_token token

Where these values are as defined for [Response_type]. Because the [Authorization Server] returns an [id_token] (and possibly an [access_token]) directly to the [User Agent|user-agent], the nonce parameter is required in a [{$pagename}] [Authentication Request] and the [OAuth Client] must check that the nonce in the returned [id_token] matches the one it sent.

The following is a non-normative [example] request using the [{$pagename}] that would be sent by the [User Agent|user-agent] to the [Authorization Server] in response to a corresponding [HTTP 302] redirect response by the Client (with line wraps within values for display purposes only):
%%prettify
{{{
GET /authorize?
    response_type=code%20id_token
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &scope=openid%20profile%20email
    &nonce=n-0S6_WzA2Mj
    &state=af0ifjsldkj HTTP/1.1
Host: server.example.com
}}}
/%
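The exchange described above, from the [Authentication Request] parameters (nonce, state) through the [Authorization Server] building a [response_type]=code id_token response and the [OAuth Client] checking the [c_hash] binding before it uses the [authorization Code], as an added Python example. It is not code from this page or from the [OpenID Connect] specification. It assumes an HS256-signed [id_token] keyed with a constructed client secret so that it runs with the standard library only; client_id, nonce and state are taken from the request above, while the subject, secret, code and access token values are constructed test data.

```python
"""Hybrid Flow (response_type=code id_token [token]) exchange with c_hash binding.

Added example: not code from the page or the OpenID Connect specification.
The ID Token is signed with HS256 over a client secret so the example needs
only the standard library; secret, subject and token values are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlsplit

CLIENT_ID = "s6BhdRkqt3"                      # from the page's example request
ISSUER = "https://server.example.com"
CLIENT_SECRET = b"constructed-client-secret"  # assumption: HS256 shared secret


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def left_half_hash(value: str) -> str:
    # c_hash / at_hash: base64url of the left-most half of the hash whose
    # algorithm matches the ID Token's alg (SHA-256 for HS256 and RS256).
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_hs256(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def authorization_endpoint_response(redirect_uri, nonce, state, access_token=None):
    """Authorization Server side: issue the code (and optionally an access token)
    and an ID Token whose c_hash / at_hash claims bind them to this response."""
    code = b64url(secrets.token_bytes(16))
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
              "iat": now, "exp": now + 600, "nonce": nonce,
              "c_hash": left_half_hash(code)}
    params = {"code": code, "state": state}
    if access_token is not None:              # response_type=code id_token token
        claims["at_hash"] = left_half_hash(access_token)
        params["access_token"] = access_token
        params["token_type"] = "Bearer"
    params["id_token"] = sign_hs256(claims)
    # The default response_mode for the hybrid response_types is fragment.
    return redirect_uri + "#" + "&".join(f"{k}={v}" for k, v in params.items())


def validate_hybrid_response(location, expected_state, expected_nonce):
    """Client side: verify state, ID Token signature, iss/aud/exp, nonce and the
    c_hash (and at_hash) bindings. Returns (code, access_token) or raises."""
    fragment = parse_qs(urlsplit(location).fragment, strict_parsing=True)
    params = {k: v[0] for k, v in fragment.items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch")
    header_b64, payload_b64, sig_b64 = params["id_token"].split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")     # never accept alg=none or a swapped alg
    expected_sig = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad ID Token signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("iss/aud mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("ID Token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not hmac.compare_digest(claims.get("c_hash", ""), left_half_hash(params["code"])):
        raise ValueError("c_hash mismatch: code is not the one issued with this ID Token")
    if "access_token" in params and not hmac.compare_digest(
            claims.get("at_hash", ""), left_half_hash(params["access_token"])):
        raise ValueError("at_hash mismatch")
    return params["code"], params.get("access_token")
```

Only after validate_hybrid_response returns should the [OAuth Client] present the code at the [Token_endpoint]; a code that fails the [c_hash] check may have been injected into the redirect. With an RS256-signed [id_token], the signature check above is replaced by a verification against the [Authorization Server]'s published JWKS, and the hash used for [c_hash] follows the alg (for example SHA-512, left 256 bits, for HS512 or RS512).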
!! Successful [OpenID Connect Authentication Response]

When using the [{$pagename}], an [OpenID Connect Authentication Response] is made in the same manner as for the [Implicit Grant], as defined in Section 3.2.2.5 of the [OpenID Connect] Core specification, with the exception of the differences specified in this section. As with the [Implicit Grant], the parameters are returned in the URL fragment by default (response_mode=fragment), so they never reach the [OAuth Client]'s server in the redirect itself and must be read by the client-side code.

These [Authorization_endpoint] results are used in the following manner:
* [access_token] - [OAuth 2.0] [Access Token]. This is returned when the [response_type] value used is code token or code id_token token. (A [token_type] value is also returned in the same cases.)
* [id_token] - This is returned when the [response_type] value used is code id_token or code id_token token. It contains the [c_hash] claim and, when an [access_token] is returned alongside it, an at_hash claim.
* [code|Authorization Code] - This is always returned when using the [{$pagename}].

Before presenting the [code|Authorization Code] at the [Token_endpoint], the [OAuth Client] validates the [id_token] (signature, iss, aud, exp and nonce) and checks that its [c_hash] matches the [code|Authorization Code] it received, so that a code injected into the redirect is rejected.

The following is a non-normative example of a successful response using the [{$pagename}] (with line wraps for display purposes only):
%%prettify
{{{
HTTP/1.1 302 Found
Location: https://client.example.org/cb#
    code=SplxlOBeZQQYbYS6WxSbIA
    &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
    &state=af0ifjsldkj
}}}
/%

!! More Information

There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]