Applications that are able to securely store Client Credentials may benefit from the use of the Hybrid Flow (defined in the OpenID Connect specification, section 3.3). The Hybrid flow allows your application to have immediate access to an ID token while ensuring secure and safe retrieval of access tokens and refresh tokens. This can be useful in situations where your application needs to immediately access information about the user, but must perform some processing before gaining access to protected resources for an extended period of time.
How it works
1. User selects Login within application.
2. Application redirects user to Auth0 Authorization Server (/authorize endpoint), passing along a response_type parameter indicating the type of requested credential (ID token and authorization code), and response_mode=form_post to ensure security.
3. Auth0 Authorization Server redirects user to login and authorization prompt.
4. User authenticates using one of the configured login options, and may see a consent prompt listing the permissions Auth0 will give to the application.
5. Auth0 Authorization Server redirects user back to application with single-use authorization code, and ID token, access token, or both, depending on the provided response_type.
6. Application sends authorization code, application's client ID, and application's credentials, such as Client Secret or Private Key JWT, to Auth0 Authorization Server.
7. Auth0 Authorization Server verifies authorization code, application's client ID, and application's credentials.
8. Auth0 Authorization Server responds with second ID token and access token (and optionally, a refresh token).
9. Application can use second access token to call an API to access information about user.
10. API responds with requested data.
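Added example (not Auth0's code): a Python sketch of steps 2 and 5 from the application's side, building the /authorize request and then, on the form_post callback, checking state, signature, issuer, audience, expiry, nonce and the c_hash claim that binds the authorization code to the front-channel ID token (OpenID Connect Core 3.3.2.11) before the code is redeemed. It assumes an HS256 shared secret as a stand-in for the server's signer so it runs offline; Auth0 tokens are RS256 and are verified against the tenant's JWKS. Names such as example-tenant.auth0.com and client123 are constructed.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def left_half_hash(value: str) -> str:
    # OIDC Core 3.3.2.11: c_hash = base64url(leftmost half of SHA-256(code)) for a *256 alg
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def build_authorize_url(domain: str, client_id: str, redirect_uri: str, state: str, nonce: str) -> str:
    # Step 2: ask for a code plus an ID token; form_post keeps both out of the URL and browser history
    params = {"response_type": "code id_token", "response_mode": "form_post",
              "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile", "state": state, "nonce": nonce}
    return f"https://{domain}/authorize?" + urlencode(params)

def mint_hs256_id_token(claims: dict, secret: bytes) -> str:
    # Constructed stand-in for the server's signer (Auth0 uses RS256); only here to make the demo offline
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_callback(form: dict, expected_state: str, expected_nonce: str,
                    secret: bytes, issuer: str, client_id: str) -> str:
    # Step 5: return the code only if the ID token proves it belongs to this login; raise otherwise
    if not hmac.compare_digest(form.get("state", ""), expected_state):
        raise ValueError("state mismatch (CSRF or stale callback)")
    header, body, sig = form["id_token"].split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("ID token expired")
    if not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch (replayed ID token)")
    if not hmac.compare_digest(claims.get("c_hash", ""), left_half_hash(form["code"])):
        raise ValueError("c_hash mismatch (code was not issued with this ID token)")
    return form["code"]
```

Only after verify_callback returns should the code be sent to the token endpoint with the client credentials (step 6); a code that fails the c_hash check has been swapped or replayed and must not be redeemed.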
How to implement it
You can follow our tutorial to use the Authentication API to Call Your API Using the Hybrid Flow.