Using the Hybrid Flow with OpenID Connect
Use the Hybrid flow when you want to obtain tokens separately from both the front channel and the back channel. For example, you have a browser component like JavaScript and a backend server component such as Node.js. The browser component obtains the Authorization Code and the ID Token and can then personalize the UI content. The backend component obtains the Access Token to perform business API calls.
Clients need to support both browser-based requests and responses and programmatic/back-channel requests and responses to use the Hybrid flow. The Hybrid flow works with both Confidential Clients and Public Clients. The following response_type values are supported with the Hybrid flow:
- code id_token (Authorization Code and ID Token)
- code token (Authorization Code and Access Token)
- code id_token token (Authorization Code, ID Token, and Access Token)
Obtaining an ID Token
- Request the Authorization Code and the ID Token.
Request Example
https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=code+id_token&redirect_uri=<client_redirect_uri>&scope=http://tenant-base-url/test+openid+offline_access&nonce=abcdefghijk
- User logs in and gives consent (based on the requested scopes).
- Response with ID Token and Authorization Code.
Response Example
Note: All response parameters are added to the fragment component of the redirection URI.
http://tenant-base-url/#code=AQIDBAUrAi0l....F9NCA=&id_token=eyJ4NXQjUzI1....3R8b_Q
- The client application makes use of the Authorization Code and makes a back channel request to obtain a new Access Token and Refresh Token.
Request Example
curl -i -H 'Authorization: Basic YjA3NTZkNDc5M2QwNDZjNjhjZWVmY2UxZjE4ZGUwMWM6NGYzZjJjN2EtZTBjZC00NzcyLWE5MTYtNjI3ZmExNzA2NWE5' -H 'Accept: */*' --request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=authorization_code&code=AQIDBAUrAi0l....CA%3D'
Response Example
{ "access_token":"eyJ4NXQjUzI1....sJ5mCw", "token_type":"Bearer", "expires_in":3600, "refresh_token":"AQIDBAUwxxoC....tZLvA" }
Obtaining an Access Token
There are four steps in the Hybrid flow to obtain the Authorization Code and the Access Token:
- Request the Authorization Code and the Access Token.
Request Example
https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=code+token&redirect_uri=<client_redirect_uri>&scope=http://tenant-base-url/test
- User logs in and gives consent (based on the requested scopes).
- Response with Access Token and Authorization Code.
Response Example
Note: All response parameters are added to the fragment component of the redirection URI.
http://tenant-base-url/#access_token=eyJ4NXQjUzI1....Pudw9A&code=AQIDBAU6d6Ae....F9NCA=&token_type=Bearer&expires_in=3600
- The client application makes use of the Authorization Code and makes a back channel request to obtain a new Access Token.
Request Example
curl -i -H 'Authorization: Basic YjA3NTZkNDc5M2QwNDZjNjhjZWVmY2UxZjE4ZGUwMWM6NGYzZjJjN2EtZTBjZC00NzcyLWE5MTYtNjI3ZmExNzA2NWE5' -H 'Accept: */*' --request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=authorization_code&code=AQIDBAU6d6Ae....NCA%3D'
Response Example
{ "access_token":"eyJ4NXQjUzI1....Tgs9LA", "token_type":"Bearer", "expires_in":3600 }
Obtaining an ID Token and an Access Token
- Request the Authorization Code, the ID Token, and the Access Token.
Request Example
https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=code+id_token+token&redirect_uri=<client_redirect_uri>&scope=http://tenant-base-url/test+openid&nonce=abcdaer
- User logs in and gives consent (based on the requested scopes).
- Response with ID Token, Access Token, and Authorization Code.
Response Example
Note: All response parameters are added to the fragment component of the redirection URI.
http://tenant-base-url/#access_token=eyJ4NXQjUzI1....sDB7lA&code=AQIDBAVxZzy-....F9NCA=&id_token=eyJ4NXQjUzI1....&token_type=Bearer&expires_in=3600
- The client application makes use of the Authorization Code and makes a back channel request to obtain a new Access Token.
Request Example
curl -i -H 'Authorization: Basic YjA3NTZkNDc5M2QwNDZjNjhjZWVmY2UxZjE4ZGUwMWM6NGYzZjJjN2EtZTBjZC00NzcyLWE5MTYtNjI3ZmExNzA2NWE5' -H 'Accept: */*' --request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=authorization_code&code=AQIDBAXUbLmS....NCA%3D'
Response Example
{ "access_token":"eyJ4NXQjUzI1....g52XmQ", "token_type":"Bearer", "expires_in":3600, "id_token":"eyJ4NXQjUzI1....f6JfWA" }