Characteristics of the Hybrid Flow

The characteristics of the Hybrid Flow are summarized in the following non-normative table, which is intended only to give an overview:

Property                                             Hybrid Flow
---------------------------------------------------  -----------
All tokens returned from the Authorization Endpoint  no
All tokens returned from the Token Endpoint          no
Tokens not revealed to User Agent                    no
Client can be authenticated                          yes
Refresh Token possible                               yes
Communication in one round trip                      no
Most communication server-to-server                  varies

It is a combination of the Authorization Code and Implicit Flows. You can spot it by looking at the response_type: it must contain code and one or both of id_token and token, so the only valid values are code id_token, code token and code id_token token.

The Hybrid Flow follows the following steps:

  1. Client prepares an Authentication Request containing the desired request parameters.
  2. Client sends the request to the Authorization Server.
  3. Authorization Server authenticates the End-User.
  4. Authorization Server obtains End-User Consent/Authorization.
  5. Authorization Server sends the End-User back to the Client with an Authorization Code and, depending on the Response Type, an ID Token and/or Access Token in the fragment of the redirect.
  6. Client validates the response from the Authorization Endpoint (state, and the ID Token's signature, issuer, audience, expiry, nonce and c_hash/at_hash) and then requests a response using the Authorization Code at the Token Endpoint.
  7. Client receives a response that contains an ID Token and Access Token in the response body.
  8. Client validates the ID Token and retrieves the End-User's Subject Identifier; when both endpoints returned an ID Token, their iss and sub values must match.

This authentication flow is a combination of the Implicit and Authorization Code Flows. The ID Token is transmitted via the browser channel (the redirect fragment) and carries the signed protocol response, including claims that bind it to the other artifacts returned alongside it: c_hash for the authorization code and at_hash for an access token. The code itself travels next to the ID Token, not inside it. After successful validation of that front-channel response, the back channel is used to exchange the code for the access and refresh tokens, with the client authenticating itself at the Token Endpoint.
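The following is an added example, not code from the original page or from any OpenID Connect library, covering the response_type check above and the client side of steps 1, 5 and 6 of the list: building the Authentication Request, then validating the fragment the Authorization Server sends back (state, ID Token signature, iss/aud/exp, nonce, c_hash and at_hash) before the code is exchanged at the Token Endpoint. It assumes constructed values for the issuer, client_id, redirect_uri and a shared HS256 key, and includes a stand-in for the Authorization Server so it runs offline; a real Authorization Server signs with RS256 (or similar) and the client verifies against the keys in its JWKS, but the c_hash/at_hash rule (left-most half of the signature algorithm's hash, base64url) is the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed values for this example; a real client takes ISSUER and the key material
# from the OP's discovery document and JWKS rather than from constants.
ISSUER = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.org/cb"
OP_KEY = b"shared-secret-for-example-only"  # HS256 stand-in for the OP's signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def half_hash(value: str) -> str:
    """c_hash / at_hash: left-most half of the hash used by the ID Token's alg (SHA-256 here)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def build_authentication_request(response_type: str):
    """Step 1: reject non-hybrid response_types, mint state and nonce, build the redirect URL."""
    parts = set(response_type.split())
    if "code" not in parts or not parts & {"id_token", "token"} or not parts <= {"code", "id_token", "token"}:
        raise ValueError("Hybrid Flow response_type must be code plus id_token and/or token")
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": response_type, "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": state, "nonce": nonce}
    return ISSUER + "/authorize?" + urlencode(params), state, nonce


def sign_hs256(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def simulate_op_response(nonce: str, state: str, code: str, access_token=None) -> str:
    """Constructed stand-in for step 5: the fragment an OP returns for code id_token [token]."""
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "exp": now + 300, "iat": now,
              "nonce": nonce, "c_hash": half_hash(code)}
    if access_token is not None:
        claims["at_hash"] = half_hash(access_token)
    resp = {"code": code, "id_token": sign_hs256(claims), "state": state}
    if access_token is not None:
        resp.update({"access_token": access_token, "token_type": "Bearer"})
    return "#" + urlencode(resp)


def validate_front_channel_response(fragment: str, expected_state: str, expected_nonce: str) -> dict:
    """Step 6: validate the Authorization Endpoint response before touching the Token Endpoint."""
    p = {k: v[0] for k, v in parse_qs(fragment.lstrip("#"), strict_parsing=True).items()}
    if not hmac.compare_digest(p.get("state", ""), expected_state):
        raise ValueError("state mismatch (possible CSRF)")
    header_b64, payload_b64, sig_b64 = p["id_token"].split(".")
    # Pin the algorithm the OP is known to use; never let the token's own header choose it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(OP_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad ID Token signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or claims.get("exp", 0) <= int(time.time()):
        raise ValueError("iss/aud/exp check failed")
    if not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch (possible replay)")
    # c_hash is required whenever code and id_token are issued together: it binds this code to this ID Token,
    # so an attacker cannot splice their own code into a victim's otherwise valid response.
    if not hmac.compare_digest(claims.get("c_hash", ""), half_hash(p["code"])):
        raise ValueError("c_hash mismatch: code was not issued with this ID Token")
    if "access_token" in p and not hmac.compare_digest(claims.get("at_hash", ""), half_hash(p["access_token"])):
        raise ValueError("at_hash mismatch: access token substituted")
    # Only now is the code worth redeeming; this is the body for the back-channel Token Endpoint request.
    token_request = {"grant_type": "authorization_code", "code": p["code"],
                     "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}
    return {"sub": claims["sub"], "token_request": token_request}


if __name__ == "__main__":
    url, state, nonce = build_authentication_request("code id_token token")
    fragment = simulate_op_response(nonce, state, "SplxlOBeZQQYbYS6WxSbIA", "SlAV32hkKG")
    print(validate_front_channel_response(fragment, state, nonce))
```

The state and nonce are compared with hmac.compare_digest to avoid leaking timing information, and the alg is pinned rather than read from the token header. The c_hash check is what makes the front-channel code safe to forward to the Token Endpoint: without it, a validated ID Token says nothing about whether the code next to it was issued in the same response.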