OAuth / OpenID Flows: Hybrid


Version Affected:  IdP - All versions


The Hybrid flow allows an application to request an Authorization Code, Access Token and/or ID Token directly from the Authorization endpoint. The initial login can therefore be handled entirely in the user's browser, or the application can use the code with the token endpoint.

Cause:  This KB outlines how to use the Hybrid flow



This is an example of the query string used for the Hybrid flow



(line breaks added for easier viewing)

1. Replace youridp.secureauth.com with the FQDN of your SecureAuth server

2. Replace secureauth8 with your OAuth realm

3. Replace YourClientID with your Client ID

4. Replace the redirect_uri with your redirect URI

5. OpenID is required as a scope; you can include additional scopes

6. Nonce is required.

 The valid response_types for this are




Writing the response type in a different order will cause an error. 
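
Why the nonce in step 6 matters, shown as an added example (not SecureAuth code): when the Authorization endpoint returns an ID Token through the browser, the application checks that its nonce claim equals the value it sent, and that the c_hash (and at_hash, when an Access Token is returned) matches the returned values, as OpenID Connect Core specifies for the Hybrid flow. Function names and sample values are constructed for illustration, and the ID Token signature, issuer, audience and expiry are assumed to be verified separately.

```python
import base64, hashlib, json, secrets
from urllib.parse import parse_qs, urlencode

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def half_hash(value: str) -> str:
    # c_hash / at_hash for SHA-256 based algorithms (e.g. RS256):
    # left-most half of SHA-256 over the ASCII value, base64url, no padding.
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def claims_of(id_token: str) -> dict:
    # Assumption: the signature, iss, aud and exp were already verified.
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_hybrid_response(fragment: str, expected_nonce: str) -> dict:
    params = {k: v[0] for k, v in parse_qs(fragment.lstrip("#")).items()}
    if "id_token" not in params:
        raise ValueError("no id_token in the front-channel response")
    claims = claims_of(params["id_token"])
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: response is not bound to this login")
    for param, claim in (("code", "c_hash"), ("access_token", "at_hash")):
        if param in params and claims.get(claim) != half_hash(params[param]):
            raise ValueError(f"{claim} mismatch: {param} does not belong to this id_token")
    return params

def sample_fragment(nonce: str, code: str) -> str:
    # Constructed sample: header and signature are placeholders, not a real token.
    claims = {"sub": "user1", "nonce": nonce, "c_hash": half_hash(code)}
    jwt = ".".join([b64url(b'{"alg":"RS256"}'), b64url(json.dumps(claims).encode()), "sig"])
    return "#" + urlencode({"code": code, "id_token": jwt, "state": "xyz"})

if __name__ == "__main__":
    nonce = secrets.token_urlsafe(32)  # sent as nonce= in the request, kept in the session
    good = sample_fragment(nonce, "constructed-code-1")
    print(check_hybrid_response(good, nonce)["code"])
    swapped = good.replace("constructed-code-1", "constructed-code-2")
    try:
        check_hybrid_response(swapped, nonce)
    except ValueError as err:
        print("rejected:", err)
```

Only after these checks pass should the code be sent to the token endpoint.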


SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
