OICD Hybrid flow
We recommend all interactive applications use Authorization Code flow with PKCE where appropriate. Implicit and Hybrid flow are not secure enough and should be avoided at all costs. Deprecated.
The Hybrid flow is a combination of the Authorization Code and Implicit flows. Tokens can be returned by both authorization and token endpoints.
The response type specified in the redirect URI determines where the tokens are returned from:
code id_token token
Scenario: client application uses code id_token
The user agent redirects to the identity provider passing the Response Type equals
code id_tokenalong with the
openidscope it requires.
The end-user signs in and is asked for consent.
After consent is given, an authorization message is sent, which redirects the user agent back to the client application.
- The redirection URI includes the Authorization Code and ID token.
The ID token is validated the same way as described in the Implicit flow.
The Authorization Code is available to send to the token endpoint the same way as described in Authorization Code flow.
The access token is validated and sent back, along with another ID token. This ID token can be compared to the previous one for validation.