This use case demonstrates the different steps required to execute an OIDC hybrid flow with user interactions.
Since the OIDC hybrid flow extends the authorization code flow, this example is very similar to Authorization code flow usage.
The OIDC hybrid flow is set up in the authorization server (here IAM) and the relying party is already registered through dynamic client registration (client credentials grant usage example) or configured as a static client in the configuration (Configuration of IAM as OAuth Authorization Server / OpenID Provider
To start the hybrid code flow, open a browser window and enter the following URL:
Example URL to start a hybrid flow:
https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize?
response_type=code+id_token+token &redirect_uri=https://oidc.airlock.com/application/demo
&client_id=oidc-client
&state=ee26b0dd4a...28a8ff
&nonce=n-0S6_WzA2Mj
&scope=employee%20openid
response_type must include the id_token and/or token part. It tells the AS to send back an additional ID and/or access token. If neither of the two is specified, an OIDC authorization code flow is started instead. Note that the nonce parameter is mandatory if an ID token is requested.redirect_uri must be present in the request.redirect_uri must be on the list of redirect_uris registered during client registration.client_id must be present.openid must be present.redirect_url must be URL encoded.If one of the conditions is not met, the authorization server returns an error message.
Submitting the state parameter is not required by the standard, but it is strongly recommended to protect against CSRF.
Airlock IAM will present a login screen:
... and optionally ask for consent:
If both authentication and consent grants have succeeded, Airlock IAM redirects the browser to the redirect_uri requested in Step 1.
Redirect URL after starting hybrid code flow and authentication
https://oidc.airlock.com/application/demo# code=xRbH9uoaMMWB6urmWsg8b1xwJQF~JfD2s9CoUvwVWX42YxBwqfeC2RVWeG1HkvkdtxHz
&id_token=eyJ0...Zxo
&access_token=YL3x...ytP
&token_type=bearer
&expires_in=1234
&state=ee26b0dd4a...28a8ffCompared to the OIDC authorization code flow, an additional ID token and access token are sent to the browser directly with the authorization code.
The code and the tokens are passed as a fragment rather than a query string (using # instead of ? in the URL). This is because the ID and access tokens are meant to be extracted by the web browser (or mobile app) and should not be sent to the RP (client).
Using a fragment (#) is the default behavior.
The Airlock IAM configuration allows changing the default to send the tokens and the code as query or form post parameters. This may be required user agent or the relying party.
See Advanced Settings in the hybrid flow configuration for further information.
The browser (or mobile app) may now examine and use the ID and access token and then sends the authorization code to the RP (client).
The relying party (client) receives the authorization code and sends it to the AS to get the ID, access, and refresh tokens. Note that the following request is not sent by the browser but by the relying party.
Token endpoint request
https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token
application/x-www-form-urlencodedBasic dXNlcm5hbWU6cGFzc3dvcmQgrant_type=authorization_codecode=xRbH9uoaMMWB6urmWsg8b1xwJQF~JfD2s9CoUvwVWX42YxBwqfeC2RVWeG1HkvkdtxHzredirect_uri=https://oidc.airlock.com/application/demoIt is recommended to configure the authorization server, to enforce authentication on the token endpoint.
The authorization server will respond as follows:
Code Block token endpoint response
200 OK
{
"access_token": "eyJraWQiOiI3YWRmMz...E9nfs7YyJZdRFP",
"scope": "email",
"id_token": "eyJraWQiOiI3YWRmMzgp74...Ex86vUkyMGqxQg",
"token_type": "bearer",
"expires_in": 17999
}