OIDC Hybrid flow

Information Security Asked by PDStat on August 21, 2020

I’m trying to understand the Hybrid flow of OIDC. Am I correct in thinking that an authentication request is made to the authorization endpoint, which then responds with the authorization code, id token and the token in the URL fragment?

If that’s the case, what’s the point of returning an authorization code if it’s not going to be exchanged for an access and id token?

Successful Authentication Response

When using the Hybrid Flow, Authentication Responses are made in the same manner as for the Implicit Flow, as defined in Section, with the exception of the differences specified in this section.

These Authorization Endpoint results are used in the following manner:

OAuth 2.0 Access Token. This is returned when the response_type value used is code token, or code id_token token. (A token_type value is also returned in the same cases.)

ID Token. This is returned when the response_type value used is code id_token or code id_token token.

Authorization Code. This is always returned when using the Hybrid Flow.

The following is a non-normative example of a successful response using the Hybrid Flow (with line wraps for the display purposes only):

HTTP/1.1 302 Found
Location:
  &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso

One Answer

The only way to get a refresh token is via the token endpoint using an auth code. Personally I’d not bother with “code id_token token” and just use “id_token code” instead.

Answered by mackie on August 21, 2020
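The following is an added example (not part of the question, the answer, or the OpenID Connect specification) that walks through the whole "code id_token" Hybrid Flow end to end: the client builds the authentication request, the OP returns code and id_token in the URL fragment, the client validates state, nonce and the c_hash binding between the code and the signed id_token, and only then redeems the code at the token endpoint, which is where the access token and the refresh token come from. The OP here is a constructed stand-in; the issuer URL, client_id, client secret, redirect URI, subject identifier and the HS256 signing (OIDC allows client_secret as the HMAC key) are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed identifiers for this example; none come from the original post.
ISSUER = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"client-secret-shared-with-the-op"  # HS256 key (assumed)
REDIRECT_URI = "https://client.example.org/cb"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT signer, standing in for a JOSE library."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("id_token signature invalid")
    return json.loads(b64url_decode(payload))

def half_hash(value: str) -> str:
    """c_hash / at_hash: base64url of the left-most half of SHA-256 (alg is HS256)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

# ---- Client: authentication request for response_type "code id_token" ----
def build_auth_request(state: str, nonce: str) -> str:
    params = {"response_type": "code id_token", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid offline_access",
              "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}"

# ---- Simulated OP (constructed stand-in, not a real provider) ----
ISSUED_CODES: dict = {}

def op_authorize(auth_url: str) -> str:
    """Front channel: redirect Location carrying code and id_token in the fragment."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(auth_url).query).items()}
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = {"sub": "248289761001", "nonce": q["nonce"]}
    id_token = sign_jwt({"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
                         "nonce": q["nonce"], "c_hash": half_hash(code)}, CLIENT_SECRET)
    fragment = urlencode({"code": code, "id_token": id_token, "state": q["state"]})
    return f"{q['redirect_uri']}#{fragment}"

def op_token_endpoint(code: str) -> dict:
    """Back channel: the only place a refresh token is issued; the code is single use."""
    session = ISSUED_CODES.pop(code, None)
    if session is None:
        raise ValueError("unknown or already redeemed code")
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "refresh_token": secrets.token_urlsafe(24),
            "id_token": sign_jwt({"iss": ISSUER, "sub": session["sub"], "aud": CLIENT_ID,
                                  "nonce": session["nonce"]}, CLIENT_SECRET)}

# ---- Client: validate the fragment, then redeem the code ----
def handle_redirect(location: str, expected_state: str, expected_nonce: str) -> dict:
    frag = {k: v[0] for k, v in parse_qs(urlsplit(location).fragment).items()}
    if frag.get("state") != expected_state:
        raise ValueError("state mismatch")
    claims = verify_jwt(frag["id_token"], CLIENT_SECRET)
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID or claims["nonce"] != expected_nonce:
        raise ValueError("id_token was not issued for this request")
    # c_hash ties the code to the signed id_token, so a substituted code is rejected here
    if not hmac.compare_digest(claims.get("c_hash", ""), half_hash(frag["code"])):
        raise ValueError("code does not match c_hash in id_token")
    return {"front_channel": frag, "front_claims": claims}

def run_hybrid_flow() -> dict:
    state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
    result = handle_redirect(op_authorize(build_auth_request(state, nonce)), state, nonce)
    tokens = op_token_endpoint(result["front_channel"]["code"])
    if verify_jwt(tokens["id_token"], CLIENT_SECRET)["sub"] != result["front_claims"]["sub"]:
        raise ValueError("token endpoint id_token is for a different subject")
    result["back_channel"] = tokens
    return result

def swapped_code_rejected() -> bool:
    """Attacker swaps the code in an otherwise genuine fragment; the c_hash check must fail."""
    state, nonce = "st", "nc"
    location = op_authorize(build_auth_request(state, nonce))
    frag = {k: v[0] for k, v in parse_qs(urlsplit(location).fragment).items()}
    frag["code"] = "attacker-supplied-code"
    try:
        handle_redirect(f"{REDIRECT_URI}#{urlencode(frag)}", state, nonce)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    r = run_hybrid_flow()
    print("fragment keys:", sorted(r["front_channel"]))       # code, id_token, state
    print("token endpoint keys:", sorted(r["back_channel"]))  # includes refresh_token
    print("swapped code rejected:", swapped_code_rejected())
```

The front-channel fragment never carries a refresh token, and with "code id_token" it carries no access token either; the code exists precisely to be redeemed over the back channel, where the client authenticates and receives the access and refresh tokens. What the front-channel id_token buys the client is an immediately verifiable identity plus the c_hash binding, so it can reject a code that was not issued together with that id_token before ever contacting the token endpoint.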
