Version Affected: IdP - All versions
Description:
The Hybrid flow allows an application to request an Authorization Code together with an Access Token and/or ID Token directly from the Authorization endpoint. The tokens are returned to the user's browser as part of the initial login, and the application can then redeem the Authorization Code at the Token endpoint.
Cause: This KB outlines how to use the Hybrid flow
Resolution:
This is an example of the query string used to start the Hybrid flow. The redirect_uri, scope and nonce parameters described in the steps below must also be present in the request:
https://youridp.secureauth.com/secureauth8/?response_type=code+id_token&client_id=YourClientID
1. Replace youridp.secureauth.com with the FQDN of your SecureAuth server
2. Replace secureauth8 with your OAuth realm
3. Replace YourClientID with your Client ID
4. Replace the redirect_uri value with your redirect URI
5. The scope parameter must include openid; additional scopes can be added
6. A nonce parameter is required
The valid response_type values for the Hybrid flow (in the order the IdP expects them) are
response_type=code+id_token
response_type=code+id_token+token
response_type=code+token
Special Considerations:
Writing the response_type values in a different order will cause an error.
Postman occasionally changes its callback addresses, so the example above may become outdated.
The current callback is https://postman-echo.com/oauth2/callback
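The following Python script is an added example for this KB (it is not SecureAuth code). It builds the Hybrid flow request from steps 1-6 above, rejecting a mis-ordered response_type, a missing openid scope or a missing nonce, then consumes the response the way the comments below describe: the parameters are read from the URL fragment, not the query string, and the nonce in the ID token is checked against the one that was sent. The FQDN, realm, client ID, redirect URI, state, authorization code and the HS256 demo secret are placeholders so the script runs offline; a real deployment must verify the ID token signature against the IdP's published keys rather than a shared secret.

```python
"""OIDC Hybrid flow: build the authorization request and consume the response.

Added example for this KB, not SecureAuth code. FQDN, realm, client ID, redirect
URI, nonce, state, authorization code and the HS256 demo secret are placeholders.
A real IdP signs the ID token with its own key; verify against its JWKS instead.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# The three response_type values the KB lists, in the only order the IdP accepts.
ALLOWED_RESPONSE_TYPES = ("code id_token", "code id_token token", "code token")


def build_authorize_url(fqdn, realm, client_id, redirect_uri, response_type,
                        scopes, nonce, state=None):
    """Return the Hybrid flow request URL, refusing the mistakes the KB calls out."""
    if response_type not in ALLOWED_RESPONSE_TYPES:
        raise ValueError(f"unsupported or mis-ordered response_type: {response_type!r}")
    if "openid" not in scopes:
        raise ValueError("scope must include openid")
    if not nonce:
        raise ValueError("nonce is required for the Hybrid flow")
    params = {
        "response_type": response_type,  # urlencode renders the space as '+'
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "nonce": nonce,
    }
    if state:
        params["state"] = state
    return f"https://{fqdn}/{realm}/?{urlencode(params)}"


def parse_hybrid_response(redirect_url):
    """Hybrid responses arrive in the fragment (#...), never in the query string."""
    fragment = urlsplit(redirect_url).fragment
    return {k: v[0] for k, v in parse_qs(fragment).items()}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_id_token(claims, secret):
    """Constructed HS256 ID token so the example runs offline (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(id_token, secret, expected_nonce, expected_aud):
    """Check signature first, then nonce (replay) and audience. Returns the claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replayed ID token")
    if claims.get("aud") != expected_aud:
        raise ValueError("ID token was not issued for this client")
    return claims


def demo():
    """Walk one Hybrid login end to end with constructed values."""
    nonce = secrets.token_urlsafe(16)
    url = build_authorize_url("youridp.secureauth.com", "secureauth8", "YourClientID",
                              "https://postman-echo.com/oauth2/callback",
                              "code id_token", ["openid", "profile"], nonce, state="xyz")
    # Constructed redirect the IdP would send the browser to; values are fake.
    secret = b"demo-only-shared-secret"
    token = make_demo_id_token({"iss": "https://youridp.secureauth.com/secureauth8",
                                "aud": "YourClientID", "nonce": nonce, "sub": "jdoe"}, secret)
    redirect = (f"https://postman-echo.com/oauth2/callback"
                f"#code=DzPggOYJDat8xZ&id_token={token}&state=xyz")
    resp = parse_hybrid_response(redirect)
    claims = verify_id_token(resp["id_token"], secret, nonce, "YourClientID")
    return url, resp["code"], claims


if __name__ == "__main__":
    request_url, code, claims = demo()
    print(request_url)
    print("code to redeem at the token endpoint:", code, "for", claims["sub"])
```

The nonce check is what ties the fragment-delivered ID token to the browser session that started the login; without it an ID token captured from another session could be replayed to the application. The code is only ever redeemed at the Token endpoint after that check passes.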
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
Comments
Why does the Hybrid flow send the code as a URL fragment separated by # while the Authorization Code flow sends it as a query parameter?
Hybrid flow:
http://localhost:8080/login#code=DzPggOYJDat8xZ
Authorization Grant type:
http://localhost:8080/login?code=1hvQaxdGJQf5Bqr3RW0
Hello Akhilesh,
Good question. We follow the standards here: https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthResponse. As you can see, they recommend the #.
It's more obviously called out here: "When using the Implicit Flow, all response parameters are added to the fragment component of the Redirection URI". Hybrid follows the same rules as Implicit, so it applies to Hybrid too.