Hybrid Flow

Applications that are able to securely store Client Secrets may benefit from the use of the Hybrid Flow (defined in section 3.3 of the OIDC spec), which allows your application to have immediate access to an ID token while still providing for secure retrieval of access and refresh tokens. This can be useful in situations where your application needs to immediately access information about the user, but must perform some processing before gaining access to protected resources for an extended period of time.

How it works

Because the Hybrid Flow combines the standard Implicit Flow with Form Post and standard Authorization Code Flow, the steps are similar.

  1. The user clicks Login within the application.

  2. Your application redirects the user to the Auth0 Authorization Server (/authorize endpoint) passing along a response_type parameter that indicates the type of requested credential (ID Token and authorization code). It also passes along a response_mode parameter of form_post, so that the response is delivered to your application in an HTML form POST rather than in the URL.

  3. Your Auth0 Authorization Server redirects the user to the login and authorization prompt.

  4. The user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will give to the application.

  5. Your Auth0 Authorization Server redirects the user back to the application with an authorization code, which is good for one use, plus an ID Token with claims, an Authorization Token, or both, depending on the requested response type.

  6. Your application sends the code to the Auth0 Authorization Server (/oauth/token endpoint) along with the application's Client ID and Client Secret.

  7. Your Auth0 Authorization Server verifies the code, Client ID, and Client Secret.

  8. Your Auth0 Authorization Server responds with a second ID Token and Access Token (and optionally, a Refresh Token).

  9. Your application can use the second Access Token to call an API to access information about the user.

  10. The API responds with requested data.

If your application only needs to use Hybrid Flow for sign-on, you will not need a Refresh Token or an Access Token, only an ID Token with claims.
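The following is an added example, not Auth0's own code: it builds the step 2 /authorize request and validates the step 5 form_post callback (state, ID Token signature and claims, and the c_hash claim that binds the authorization code to the ID Token) before the code is exchanged in step 6. The tenant domain, client ID, redirect URI and the HS256 signing key are constructed placeholders; `make_test_token` stands in for the token Auth0 would issue, and the `session` dictionary is an assumed place where your application stored `state` and `nonce` before redirecting.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authorize_url(domain, client_id, redirect_uri, state, nonce):
    # Step 2: request a code plus an ID Token, returned by HTML form POST.
    params = {"response_type": "code id_token", "response_mode": "form_post",
              "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile", "state": state, "nonce": nonce}
    return f"https://{domain}/authorize?" + urlencode(params)

def c_hash(code: str) -> str:
    # OIDC Core 3.3.2.11: base64url of the left half of SHA-256(code)
    digest = hashlib.sha256(code.encode()).digest()
    return b64url(digest[: len(digest) // 2])

def verify_hs256_id_token(token, key, issuer, client_id, nonce):
    header, payload, sig = token.split(".")
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("ID token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def handle_form_post(form, session, key, issuer):
    # Step 5: the POSTed form carries code, id_token and state. Tie the response
    # to this browser session before trusting anything in it.
    if not hmac.compare_digest(form.get("state", ""), session["state"]):
        raise ValueError("state mismatch")
    claims = verify_hs256_id_token(form["id_token"], key, issuer, session["client_id"], session["nonce"])
    if claims.get("c_hash") != c_hash(form["code"]):
        raise ValueError("code is not bound to this ID token")
    return claims, form["code"]  # step 6: POST the code to /oauth/token

def make_test_token(claims, key):
    # Constructed stand-in for the ID Token Auth0 issues; HS256 is used only so
    # the demo runs offline (verify RS256 against the tenant JWKS in production).
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"
```

A mismatched state, a replayed nonce, or a code that does not match c_hash all raise before the code is ever sent to /oauth/token.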

How to implement it

You can follow our tutorial to use our API endpoints to Call Your API Using the Hybrid Flow.

Learn more