OpenIDConnect - Hybrid flow

Hybrid flow is another OAuth 2.0 feature for which Identify has support from version 5.5. The specification is at https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth.

In short, this flow is a combination of the code flow and the implicit flow. It allows the user-agent to retrieve an identity token immediately for quick usage the same way that the implicit flow does but still allows a client to negotiate authorization code via one round trip to the Identify OAuth 2.0 server just as how the code flow does.

The flow supports all three response types:

  • code id_token

oauth2-hybrid-code-idtoken-diagram-happy-case

  • code token

oauth2-hybrid-code-token-diagram-happy-case.png

  • code id_token token

oauth2-hybrid-code-idtoken-token-diagram-happy-case

In other words, this flow can obtain an authorization code and tokens (id token and/or access token) from the Identify OAuth 2.0’s authorization endpoint, it also can request a token from the token endpoint.

You can find samples for ASPNetWebMvc and NancyOwinClient on our GitHub repository that illustrates how to execute a hybrid flow request against Identify OAuth 2.0 authorization server.

Please note that you must set 2 options "Allow code flow" and "Allow implicit flow" enabled on the OpenID Connect application to use the hybrid flow.