Applications that can securely store a Client Secret (for example, server-side web applications) may benefit from the Hybrid Flow (defined in section 3.3 of the OIDC spec). The Hybrid Flow returns an ID Token directly from the authorization endpoint, so your application has immediate access to the user's identity, while the Access Token and Refresh Token are still retrieved securely over the back channel by exchanging an authorization code together with the Client Secret. This is useful when your application needs information about the user right away but must perform some processing before it starts accessing protected resources for an extended period of time.
How it works
1. The user clicks Login within the application.
2. Your application redirects the user to the Auth0 Authorization Server (/authorize endpoint), passing along a response_type parameter that indicates which credential is requested in addition to the authorization code (ID Token, Access Token, or both), for example code id_token. It also passes along a response_mode of form_post, so that the code and tokens are returned in a POST body rather than in the URL, and a nonce that your application will later compare against the nonce claim of the ID Token.
3. Your Auth0 Authorization Server redirects the user to the login and authorization prompt.
4. The user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will give to the application.
5. Your Auth0 Authorization Server redirects the user back to the application with a single-use authorization code, plus an ID Token, Access Token, or both, depending on the requested response_type. Your application should validate this ID Token (signature, issuer, audience, expiry, nonce, and the c_hash claim that binds it to the code) before trusting its claims.
6. Your application sends the code to the Auth0 Authorization Server (/oauth/token endpoint) along with the application's Client ID and Client Secret.
7. Your Auth0 Authorization Server verifies the code, Client ID, and Client Secret.
8. Your Auth0 Authorization Server responds with a second ID Token and Access Token (and optionally, a Refresh Token).
9. Your application can use the second Access Token to call an API to access information about the user.
10. The API responds with the requested data.
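The following example is added here to illustrate steps 2, 5 and 6 of the flow above; it is not Auth0 code and not part of the original page. It builds the /authorize request with response_type=code id_token, response_mode=form_post and a nonce, validates the front-channel ID Token the way OIDC Core 3.3.2.11 requires (signature, iss, aud, exp, nonce, and the c_hash and at_hash claims that bind the ID Token to the code and Access Token returned next to it), and builds the form body for the /oauth/token exchange. The tenant domain, Client ID, Client Secret, redirect URI, code, Access Token and user are all constructed values. The example assumes the ID Token is signed with HS256 using the Client Secret so it can run offline; Auth0 tenants sign with RS256 by default, in which case the signature is verified against the tenant's public keys instead.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed values for a self-contained example; none of them belong to a real tenant.
DOMAIN = "example-tenant.auth0.com"          # assumed tenant domain
ISSUER = f"https://{DOMAIN}/"                 # Auth0 issuer values carry a trailing slash
CLIENT_ID = "constructed-client-id"
CLIENT_SECRET = "constructed-client-secret"   # only a confidential client can keep this
REDIRECT_URI = "https://app.example/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_url(nonce: str, state: str, response_type: str = "code id_token") -> str:
    """Step 2: response_type must contain 'code' plus id_token and/or token;
    response_mode=form_post returns the code and tokens in a POST body, not the URL."""
    params = {"response_type": response_type, "response_mode": "form_post",
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "scope": "openid profile",
              "state": state,   # CSRF binding, checked by the app when the POST comes back
              "nonce": nonce}   # replay binding, checked against the ID Token's nonce claim
    return f"https://{DOMAIN}/authorize?" + urlencode(params)


def left_half_hash(value: str, alg: str) -> str:
    """OIDC c_hash / at_hash: base64url(left half of hash(ASCII value)), where the hash
    function follows the ID Token's alg (HS256/RS256 -> SHA-256, ...384 -> SHA-384, ...)."""
    hash_fn = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}[alg[-3:]]
    digest = hash_fn(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def verify_front_channel_id_token(id_token: str, code: str, access_token, nonce: str) -> dict:
    """Step 5: validate the ID Token that arrived with the code (OIDC Core 3.3.2.11).
    HS256 with the client secret is assumed here; RS256 tokens need the tenant's JWKS."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # never accept alg=none or an unexpected alg
        raise ValueError("example only verifies HS256 tokens")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(CLIENT_SECRET.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("issuer or audience mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("ID Token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch (possible replay)")
    # c_hash binds this ID Token to the code; at_hash binds it to a front-channel Access Token
    if claims.get("c_hash") != left_half_hash(code, header["alg"]):
        raise ValueError("c_hash mismatch: code was not issued with this ID Token")
    if access_token is not None and claims.get("at_hash") != left_half_hash(access_token, header["alg"]):
        raise ValueError("at_hash mismatch: Access Token was not issued with this ID Token")
    return claims


def front_channel_token_is_valid(id_token: str, code: str, access_token, nonce: str) -> bool:
    try:
        verify_front_channel_id_token(id_token, code, access_token, nonce)
        return True
    except ValueError:
        return False


def build_token_request(code: str) -> dict:
    """Step 6: form body the app POSTs to https://{DOMAIN}/oauth/token."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code, "redirect_uri": REDIRECT_URI}


def constructed_id_token(nonce: str, code: str, access_token=None, ttl: int = 600) -> str:
    """Stand-in for the Authorization Server's front-channel ID Token (constructed, HS256),
    so the checks above can be exercised offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "auth0|constructed-user", "iat": now,
              "exp": now + ttl, "nonce": nonce, "c_hash": left_half_hash(code, "HS256")}
    if access_token is not None:
        claims["at_hash"] = left_half_hash(access_token, "HS256")
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(CLIENT_SECRET.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"
```

The c_hash check is what makes the front-channel ID Token useful: without it, an attacker who obtains a victim's ID Token could present it together with their own authorization code, and the application would associate the victim's identity with the attacker's session. With an RS256 tenant, replace the HMAC comparison with an RSA signature check against the keys published at https://{DOMAIN}/.well-known/jwks.json, keeping every other check the same; the state parameter must also be compared with the value stored before the redirect. The second ID Token returned by /oauth/token in step 8 still needs signature, iss, aud, exp and nonce validation, but carries no c_hash requirement because it arrived over the back channel.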
How to implement it
You can follow our tutorial to use our API endpoints to Call Your API Using the Hybrid Flow.