Hybrid Flow
Applications that can securely store client credentials (confidential clients) may benefit from using the Hybrid Flow. This flow, defined in the OpenID Connect Core specification (section 3.3), returns an ID token directly in the authorization response while the access token and refresh token are still obtained through a back-channel exchange of an authorization code. It is particularly useful when your application needs user information immediately after sign-in but has further work to do before it calls protected resources. Because the front-channel ID token reaches the application through the user's browser, the application must validate it (signature, issuer, audience, expiry, nonce and c_hash) before trusting any claim in it.
How it Works
The Hybrid Flow combines aspects of the Implicit Flow with Form Post and Authorization Code Flow:
User selects Login within the application.
The user initiates the authentication process by selecting the login option.
Application redirects the user to the Login 3.0 Authorization Server (/authorize endpoint).
The request includes the response_type parameter, indicating the credentials being requested (e.g., code id_token or code id_token token), together with a fresh state value and a fresh nonce value that the application stores in the user's session. The response_mode parameter is set to form_post so that the authorization code and tokens are delivered in a POST body to the redirect URI rather than appended to the redirect URL, where they would be written to browser history and be readable by any script running on the callback page.
Login 3.0 Authorization Server redirects the user to the login and authorization prompt.
The user is prompted to log in and, if required, provide consent for the requested permissions.
User authenticates using one of the configured login options.
The user logs in using their preferred method and, if necessary, reviews the consent prompt.
Login 3.0 Authorization Server redirects the user back to the application.
The response includes:
A single-use authorization code.
An ID token, an access token, or both, as selected by the response_type value.
An ID token returned at this step carries a c_hash claim (and an at_hash claim when an access token is returned alongside it), which lets the application confirm that the code and tokens belong to the same response and were not substituted. The application must check the state value against its session, and validate the ID token's signature, issuer, audience, expiry, nonce and c_hash, before using anything it contains.
Application exchanges the authorization code for tokens at the Login 3.0 Token Endpoint (/oauth/token).
The application sends the authorization code, the redirect_uri used in the authorization request, the client ID, and its client credentials (e.g., Client Secret or Private Key JWT) over a direct server-to-server request; the code never needs to leave the application's backend again.
Login 3.0 Authorization Server verifies the authorization code and application credentials.
The server validates the information provided and checks the authorization code's validity.
Login 3.0 Authorization Server responds with tokens.
The response includes:
An ID token for user identity verification.
An access token for API calls.
Optionally, a refresh token for obtaining new tokens.
Application uses the access token to call APIs.
The application sends the access token in the Authorization header to interact with protected resources or retrieve user data.
API responds with the requested data.
The API processes the request and returns the requested information.
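The steps above from the application's side, written out as an added example rather than Login 3.0's own SDK code. It builds the authorization request for response_type=code id_token with response_mode=form_post, then consumes the form_post callback: it checks state against the session, verifies the ID token's signature, issuer, audience, expiry and nonce, checks c_hash against the returned code, and only then prepares the code-for-tokens request. The issuer URL, client ID, client secret and redirect URI are placeholders, and the ID token is minted locally with HS256 (signed with the client secret, as OIDC Core section 3.1.3.7 allows) so the example runs offline; a production relying party would verify the RS256 signature against the server's JWKS instead.

```python
"""Hybrid Flow (code id_token, form_post), relying-party side. Added example; constructed values."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://{yourDomain}/"             # assumed: the tenant's issuer URL
CLIENT_ID = "{yourClientId}"                 # assumed placeholder
CLIENT_SECRET = "constructed-client-secret"  # assumed; also the HS256 key in this demo
REDIRECT_URI = "https://yourApp/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_url(state: str, nonce: str) -> str:
    """Step 2: the /authorize request. state and nonce are kept in the user's session."""
    params = {
        "response_type": "code id_token",  # urlencode() encodes the space for us
        "response_mode": "form_post",      # tokens arrive in a POST body, not in the URL
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
    }
    return ISSUER + "authorize?" + urlencode(params)


def code_hash(code: str) -> str:
    """c_hash: base64url of the left half of SHA-256(code) (SHA-256 for HS256/RS256)."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def verify_front_channel_id_token(id_token: str, code: str, expected_nonce: str, now: int) -> dict:
    """Validate the ID token from the authorization response before trusting any claim."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(CLIENT_SECRET.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: token not issued for this login attempt")
    if not hmac.compare_digest(str(claims.get("c_hash", "")), code_hash(code)):
        raise ValueError("c_hash mismatch: code and ID token are not from the same response")
    return claims


def handle_form_post(form: dict, session: dict, now: int) -> dict:
    """Steps 5-6: consume the form_post callback and prepare the /oauth/token request."""
    if not hmac.compare_digest(form.get("state", ""), session["state"]):
        raise ValueError("state mismatch: possible CSRF")
    claims = verify_front_channel_id_token(form["id_token"], form["code"], session["nonce"], now)
    session.pop("state")
    session.pop("nonce")  # both are single use
    token_request = {  # sent server-to-server with the client's own credentials
        "grant_type": "authorization_code",
        "code": form["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,  # or a private_key_jwt assertion
    }
    return {"claims": claims, "token_request": token_request}


def mint_sample_id_token(nonce: str, code: str, now: int) -> str:
    """Constructed stand-in for the authorization server's signed ID token (demo only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": now, "exp": now + 300,
            "nonce": nonce, "c_hash": code_hash(code), "email": "alice@example.com"}
    payload = b64url(json.dumps(body).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def demo(now: int = 0) -> dict:
    """Run one complete login: build the request, receive the callback, validate, prepare exchange."""
    now = now or int(time.time())
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    url = build_authorize_url(session["state"], session["nonce"])
    code = secrets.token_urlsafe(24)  # constructed: what the server would POST back
    form = {"code": code, "id_token": mint_sample_id_token(session["nonce"], code, now), "state": session["state"]}
    result = handle_form_post(form, session, now)
    result["authorize_url"] = url
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The c_hash check is what makes the front-channel ID token useful rather than risky: an attacker who can inject a form_post into the callback cannot pair a stolen ID token with a different authorization code, and the nonce check rejects a token replayed from another login attempt.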
Example Authorization Request
https://{yourDomain}/authorize?
response_type=code id_token&
response_mode=form_post&
client_id={yourClientId}&
redirect_uri={https://yourApp/callback}&
scope=openid email profile&
state=randomString123&
nonce=randomNonce123
The spaces in response_type and scope are shown unencoded for readability; send them percent-encoded (code%20id_token). The state and nonce values are placeholders: generate unguessable values for each request, store them in the user's session, and compare them against the callback and the ID token's nonce claim.
Use Case
The Hybrid Flow is ideal for applications that need:
Immediate access to user information (via the ID token).
Secure and scalable methods for retrieving access and refresh tokens.
A balance of performance and security for workflows requiring both short-term and long-term access to protected resources.
For example:
Web Applications: Use Hybrid Flow for initial sign-on and subsequent API interactions.
Enterprise Apps: Leverage secure token exchanges for multi-resource environments.