Using the Hybrid Flow with OpenID Connect

Use the Hybrid flow when you want to obtain tokens separately from both the front channel (the browser redirect back to the client) and the back channel (a direct request from the client to the token endpoint). For example, you have a browser component such as JavaScript and a backend server component such as Node.js. The browser component obtains the Authorization Code and the ID Token from the redirect and can then personalize the UI content immediately, while the backend component exchanges the Authorization Code for the Access Token that it uses to perform business API calls.

Clients need to support both browser-based requests and responses and programmatic/back-channel requests and responses to use the Hybrid flow. The Hybrid flow works with both Confidential Clients and Public Clients. Because the front-channel values are delivered through a browser redirect, the client must not act on them until it has validated them: whenever an ID Token is returned from the front channel, verify its signature, iss, aud, exp and the nonce you sent in the request, and, as OpenID Connect requires for the Hybrid flow, check that its c_hash matches the Authorization Code and its at_hash matches any Access Token returned alongside it. The following response_type values are supported with the Hybrid flow:

  • code id_token (Authorization Code and ID Token)

  • code token (Authorization Code and Access Token)

  • code id_token token (Authorization Code, ID Token, and Access Token)

Obtaining an ID Token

There are four steps in the Hybrid flow to obtain both the Authorization Code and the ID Token:
  1. Request the Authorization Code and the ID Token.

    Request Example

    https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=code id_token&redirect_uri=<client_redirect_uri>&scope=http://tenant-base-url/test+openid+offline_access&nonce=abcdefghijk
  2. User logs in and gives consent (based on the requested scopes).

  3. Response with ID Token and Authorization Code.

    Response Example

    Note:

    All response parameters are added to the fragment component of the redirection URI.
    http://tenant-base-url/#code=AQIDBAUrAi0l....F9NCA=&id_token=eyJ4NXQjUzI1....3R8b_Q
  4. The client application makes use of the Authorization Code and makes a back channel request to the token endpoint to obtain an Access Token and a Refresh Token. The Refresh Token is issued because the authorize request included the offline_access scope. The Authorization header carries the client credentials (client_id:client_secret, base64-encoded).

    Request Example

    curl -i \
    -H 'Authorization: Basic YjA3NTZkNDc5M2QwNDZjNjhjZWVmY2UxZjE4ZGUwMWM6NGYzZjJjN2EtZTBjZC00NzcyLWE5MTYtNjI3ZmExNzA2NWE5' \
    -H 'Accept: */*' \
    --request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=authorization_code&code=AQIDBAUrAi0l....CA%3D'
    

    Response Example

    {
    "access_token":"eyJ4NXQjUzI1....sJ5mCw",
    "token_type":"Bearer",
    "expires_in":3600,
    "refresh_token":"AQIDBAUwxxoC....tZLvA"
    }

Obtaining an Access Token

There are four steps in the Hybrid flow to obtain the Authorization Code and the Access Token:

  1. Request the Authorization Code and the Access Token.

    Request Example

    https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=code token&redirect_uri=<client_redirect_uri>&scope=http://tenant-base-url/test
  2. User logs in and gives consent (based on the requested scopes).

  3. Response with Access Token and Authorization Code.

    Response Example

    Note:

    All response parameters are added to the fragment component of the redirection URI.
    http://tenant-base-url/#access_token=eyJ4NXQjUzI1....Pudw9A&code=AQIDBAU6d6Ae....F9NCA=&token_type=Bearer&expires_in=3600
  4. The client application makes use of the Authorization Code and makes a back channel request to the token endpoint to obtain an Access Token. No Refresh Token is returned here because the authorize request did not include the offline_access scope.

    Request Example
    curl -i \
    -H 'Authorization: Basic YjA3NTZkNDc5M2QwNDZjNjhjZWVmY2UxZjE4ZGUwMWM6NGYzZjJjN2EtZTBjZC00NzcyLWE5MTYtNjI3ZmExNzA2NWE5' \
    -H 'Accept: */*' \
    --request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=authorization_code&code=AQIDBAU6d6Ae...NCA%3D'

    Response Example

    {
    "access_token":"eyJ4NXQjUzI1....Tgs9LA",
    "token_type":"Bearer",
    "expires_in":3600
    }

Obtaining an ID Token and an Access Token

There are four steps in the Hybrid flow to obtain the Authorization Code, the ID Token, and the Access Token:
  1. Request the Authorization Code, the ID Token, and the Access Token.

    Request Example
    https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=code id_token token&redirect_uri=<client_redirect_uri>&scope=http://tenant-base-url/test+openid&nonce=abcdaer
  2. User logs in and gives consent (based on the requested scopes).

  3. Response with Access Token, Authorization Code, and ID Token.

    Response Example

    Note:

    All response parameters are added to the fragment component of the redirection URI.
    http://tenant-base-url/#access_token=eyJ4NXQjUzI1....sDB7lA&code=AQIDBAVxZzy-....F9NCA=&id_token=eyJ4NXQjUzI1....&token_type=Bearer&expires_in=3600
  4. The client application makes use of the Authorization Code and makes a back channel request to the token endpoint to obtain an Access Token. Because the openid scope was requested, the token endpoint returns an ID Token as well.

    Request Example
    curl -i \
    -H 'Authorization: Basic YjA3NTZkNDc5M2QwNDZjNjhjZWVmY2UxZjE4ZGUwMWM6NGYzZjJjN2EtZTBjZC00NzcyLWE5MTYtNjI3ZmExNzA2NWE5' \
    -H 'Accept: */*' \
    --request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=authorization_code&code=AQIDBAXUbLmS....NCA%3D'

    Response Example

    {
    "access_token":"eyJ4NXQjUzI1....g52XmQ",
    "token_type":"Bearer",
    "expires_in":3600,
    "id_token":"eyJ4NXQjUzI1....f6JfWA"
    }