Hybrid Flow in a Nutshell
The OpenID Connect Hybrid flow combines the capabilities of the implicit flow and the authorization code grant flow. The flow allows the client to receive both an ID token and an authorization code as the result of a request to the /authorize endpoint; the client then uses the code exchange to obtain access and refresh tokens via a request to the token endpoint.
The hybrid flow is intended for confidential clients, that is, clients able to store their client secret securely. It gives such clients access to an ID token as soon as possible and, at the same time, a secure back channel for retrieving access and refresh tokens. Use the hybrid flow when the client needs to perform some additional processing (for example, establishing a local session from the ID token) before it exchanges the authorization code for tokens.
Hybrid Flow in Depth
A user tries to access the application (the client).
The client redirects the user to the authorize endpoint.
The client must inform Cloudentity of its desired grant type by using the response_type parameter. For the hybrid flow, response_type can have the following values:
code id_token - a successful response contains both an authorization code and an ID token.
code token - a successful response contains an authorization code, an access token, and the access token type.
code id_token token - a successful response contains an authorization code, an ID token, an access token, and the access token type.
To learn more about multiple-valued response type combinations, see the OAuth 2.0 Multiple Response Type Encoding Practices specification.
Cloudentity authenticates the user and displays a consent screen if there is an authorization scope to be granted.
Cloudentity does not display the consent screen when there is no authorization scope to be granted.
The user gives their consent.
Cloudentity issues an authorization code and one or more additional artifacts, depending on the value of the response_type parameter provided in the second step. Because an ID token issued from the authorize endpoint arrives next to the code (and, for code id_token token, next to the access token), it carries a c_hash claim (and an at_hash claim) that the client must verify to confirm that the artifacts were issued together.
After Cloudentity generates the authorization code, the user agent is redirected to the redirection endpoint configured for the registered client, with the artifacts carried in the URL fragment. The client must have at least one registered redirect URI. If there are multiple registered redirect URIs, the request to the authorize endpoint must always include the redirect_uri parameter. If there is only one registered redirect URI for the client, the request to the authorize endpoint does not have to include the redirect_uri parameter.
The client performs a request to the token endpoint using the authorization code received in the previous step.
To learn more about token endpoint authentication methods, see the client authentication documentation.
Cloudentity validates the request.
Cloudentity returns the tokens.
The client requests protected resources from the resource server and submits the token it received in the previous step.
The resource server validates the token and responds with the requested resources.
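The front-channel part of the procedure above (steps 1 to 5), as an added example that is not part of this page or of Cloudentity's code: a Python script that builds the hybrid authorize request, stands in for the authorization server by minting the fragment response, and then runs the client-side checks (state, signature, iss/aud, nonce, c_hash and at_hash) that must pass before the code is trusted and exchanged. The issuer and endpoint URLs, the client_id, the user subject and the HS256 shared demo key are assumptions; a real deployment verifies an RS256/ES256 signature against the issuer's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example only (not a real Cloudentity tenant or client).
ISSUER = "https://acp.example.test"
AUTHORIZE_ENDPOINT = ISSUER + "/oauth2/authorize"
REDIRECT_URI = "https://client.example.test/callback"
CLIENT_ID = "demo-hybrid-client"
DEMO_SECRET = b"demo-only-hs256-key"   # stand-in for the AS signing key (real IdPs use RS256/ES256 + JWKS)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def half_hash(value: str) -> str:
    """c_hash / at_hash as in OIDC Core 3.3.2.11: base64url of the left-most half of SHA-256(value)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def build_authorize_url(response_type: str, state: str, nonce: str) -> str:
    """Step 2: the client redirects the user to the authorize endpoint with a hybrid response_type."""
    params = {"response_type": response_type, "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": state, "nonce": nonce}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


# ---- stand-in authorization server (constructed for this example) ----
def sign_hs256(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def simulated_authorize_response(authorize_url: str) -> str:
    """Steps 3-5: issue a code plus whatever else response_type asks for, returned in the URL fragment."""
    q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    wanted = q["response_type"].split()
    code = secrets.token_urlsafe(24)
    out = {"code": code, "state": q["state"]}
    if "token" in wanted:
        out["access_token"] = secrets.token_urlsafe(24)
        out["token_type"] = "Bearer"
    if "id_token" in wanted:
        claims = {"iss": ISSUER, "aud": q["client_id"], "sub": "user-123",
                  "nonce": q["nonce"], "c_hash": half_hash(code)}      # c_hash: required when a code is co-issued
        if "access_token" in out:
            claims["at_hash"] = half_hash(out["access_token"])         # at_hash: required when a token is co-issued
        out["id_token"] = sign_hs256(claims)
    return q["redirect_uri"] + "#" + urlencode(out)


# ---- client side: checks that must pass before the code is exchanged ----
def parse_fragment(redirect_url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(redirect_url).fragment).items()}


def verify_front_channel(resp: dict, expected_state: str, expected_nonce: str) -> dict:
    """Validate the ID token and bind it to the code / access token that arrived beside it."""
    if not hmac.compare_digest(resp.get("state", ""), expected_state):
        raise ValueError("state mismatch (CSRF)")
    if "id_token" not in resp:
        raise ValueError("no id_token in the response; only code/token response types were requested")
    header, body, sig = resp["id_token"].split(".")
    expected = b64url(hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("id_token signature invalid")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("iss/aud mismatch")
    if not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch (replay)")
    if not hmac.compare_digest(claims.get("c_hash", ""), half_hash(resp["code"])):
        raise ValueError("c_hash mismatch: this code was not issued with this id_token")
    if "access_token" in resp and not hmac.compare_digest(claims.get("at_hash", ""), half_hash(resp["access_token"])):
        raise ValueError("at_hash mismatch: this access token was not issued with this id_token")
    return claims


def run_hybrid_flow(response_type: str = "code id_token") -> dict:
    """Drive steps 1-5 end to end; the returned claims are usable before the back-channel code exchange."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    redirect = simulated_authorize_response(build_authorize_url(response_type, state, nonce))
    return verify_front_channel(parse_fragment(redirect), state, nonce)


def code_swap_detected(response_type: str = "code id_token") -> bool:
    """An attacker substitutes a code from another session: the c_hash check must catch it."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    resp = parse_fragment(simulated_authorize_response(build_authorize_url(response_type, state, nonce)))
    resp["code"] = secrets.token_urlsafe(24)
    try:
        verify_front_channel(resp, state, nonce)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_hybrid_flow("code id_token token"))
    print("code swap detected:", code_swap_detected())
```

The script stops where step 6 begins: the code that survives verify_front_channel is what the client sends, together with its client authentication, in the back-channel POST to the token endpoint, which needs a live server and is therefore not simulated here. The compare_digest calls are deliberate; hash and state comparisons on tokens should not leak timing information.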