The characteristics of the Hybrid Flow are summarized in the following non-normative table, which is intended to give an overview.
| Property | Hybrid Flow |
|---|---|
| All tokens returned from the Authorization Endpoint | no |
| All tokens returned from the Token Endpoint | no |
| Tokens not revealed to User Agent | no |
| Client can be authenticated | yes |
| Refresh Token possible | yes |
| Communication in one round trip | no |
| Most communication server-to-server | varies |
It is a combination of the Authorization Code and Implicit flows. You can spot it by looking at the `response_type`: it must contain `code` and one or both of
The Hybrid Flow follows these steps:
- Client prepares an Authentication Request containing the desired request parameters.
- Client sends the request to the Authorization Server.
- Authorization Server authenticates the End-User.
- Authorization Server obtains End-User Consent/Authorization.
- Authorization Server sends the End-User back to the Client with an Authorization Code.
- Client requests a response using the Authorization Code at the Token Endpoint.
- Client receives a response that contains an ID Token and Access Token in the response body.
- Client validates the ID Token and retrieves the End-User's Subject Identifier.
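The `response_type` rule above and the redirect-then-redeem steps, as an added Python example (not code from the original page or from any OpenID Connect library). It assumes the implicit-style values `id_token` and `token` from OpenID Connect Core as the other members of a hybrid `response_type`, and the sample redirect URL and state value are constructed for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Assumed from OpenID Connect Core: the values that, combined with "code",
# make a response_type a Hybrid Flow request.
HYBRID_EXTRAS = {"id_token", "token"}

# Constructed sample: the Authorization Endpoint redirect (step 5). In the
# hybrid flow the code and any tokens arrive in the URL fragment, which is
# why the table says tokens ARE revealed to the User Agent.
SAMPLE_REDIRECT = ("https://client.example/cb#code=SplxlOBeZQQYbYS6WxSbIA"
                   "&state=af0ifjsldkj&id_token=CONSTRUCTED.ID.TOKEN")


def classify_flow(response_type: str) -> str:
    """Apply the text's rule: 'code' alone is the authorization code flow,
    'code' plus id_token/token is hybrid, no 'code' is implicit."""
    parts = set(response_type.split())
    if not parts or not parts <= ({"code"} | HYBRID_EXTRAS):
        raise ValueError(f"unsupported response_type: {response_type!r}")
    if "code" not in parts:
        return "implicit"
    return "hybrid" if parts & HYBRID_EXTRAS else "authorization_code"


def parse_hybrid_response(redirect_url: str, expected_state: str) -> dict:
    """Parse the front-channel response (step 5). The state check binds the
    response to the request this client actually sent, so a code or token
    delivered to a different session is rejected before any redemption."""
    fragment = urlsplit(redirect_url).fragment
    params = {k: v[0] for k, v in parse_qs(fragment).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: response not bound to our request")
    if "error" in params:
        raise ValueError(f"authorization error: {params['error']}")
    if "code" not in params:
        raise ValueError("hybrid response must carry an Authorization Code")
    return params


def token_request_body(code: str, redirect_uri: str) -> str:
    """Form body for step 6: redeem the code at the Token Endpoint over the
    back channel, where the client can also authenticate itself."""
    return urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
```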