OAuth / OpenID Flows: Hybrid

    Applies to:
Deployment model:
  • Hybrid
  • On Premises
  • Version Affected:  IdP - All versions


    The Hybrid flow allows an application to request an Authorization Code, Access Token and/or ID Token directly from the Authorization endpoint. The initial login can therefore be handled entirely in the user's browser, or the application can use the code with the token endpoint.

    Cause:  This KB outlines how to use the Hybrid flow



    This is an example of the query string used for the Hybrid flow



    (line breaks added for easier viewing)

    1. Replace youridp.secureauth.com with the FQDN of your SecureAuth server.

    2. Replace secureauth8 with your OAuth realm.

    3. Replace YourClientID with your Client ID.

    4. Replace the redirect_uri with your redirect URI.

    5. The openid scope is required; you can request additional scopes.

    6. A nonce is required.
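A client-side sketch of the request described in the steps above and of the checks the client should run on the fragment it gets back (an added example, not SecureAuth code). The authorization endpoint URL is a caller-supplied placeholder, `code id_token` is the response type taken from OpenID Connect Core, all function names are hypothetical, and `c_hash` assumes a SHA-256 based signing algorithm such as RS256.

```python
import base64, hashlib, json, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def build_hybrid_request(authz_endpoint, client_id, redirect_uri):
    """Return (url, state, nonce); state and nonce must be kept in the user's session."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code id_token",  # OIDC Core hybrid value (assumption)
              "scope": "openid", "state": state, "nonce": nonce}
    return authz_endpoint + "?" + urlencode(params), state, nonce

def c_hash(code):
    """base64url (no padding) of the left half of SHA-256(code), for SHA-256 based algs."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode()

def jwt_claims(id_token):
    """Decode the payload only; signature, iss, aud and exp checks are still required."""
    part = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_hybrid_response(redirect_url, state, nonce):
    """Return the code only if state, nonce and c_hash all match this request."""
    frag = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}
    if "error" in frag:
        raise ValueError("authorization error: " + frag["error"])
    if "code" not in frag or "id_token" not in frag:
        raise ValueError("code or id_token missing from fragment")
    if not secrets.compare_digest(frag.get("state", ""), state):
        raise ValueError("state mismatch")
    claims = jwt_claims(frag["id_token"])
    if not secrets.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch")
    if not secrets.compare_digest(str(claims.get("c_hash", "")), c_hash(frag["code"])):
        raise ValueError("c_hash mismatch: code is not bound to this ID token")
    return frag["code"]

def constructed_response(redirect_uri, state, nonce, code, token_code=None):
    """Constructed, unsigned sample redirect; token_code binds the token to another code."""
    claims = {"nonce": nonce, "c_hash": c_hash(token_code or code)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    token = "e30." + body + ".sig"  # placeholder header and signature
    return redirect_uri + "#" + urlencode({"code": code, "id_token": token, "state": state})
```

The `c_hash` comparison is what ties the code in the fragment to the ID token issued with it, so a code swapped into the redirect is rejected before it reaches the token endpoint.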

     The valid response_types for this are





    Special Considerations:

    Writing the response type in a different order will cause an error. 

    Postman occasionally changes its callback addresses, so the above example will become outdated.

    The current callback is https://postman-echo.com/oauth2/callback

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.



    • Why does Hybrid flow send the code as a URL fragment separated by # while the Authorization Code flow sends it as a query parameter?

      Hybrid flow:

      Authorization Grant type:

    • Hello Akhilesh,
      Good question. We follow the standards here https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthResponse; as you can see, they recommend the #.

      It's more obviously called out here: "When using the Implicit Flow, all response parameters are added to the fragment component of the Redirection URI", but Hybrid follows the same rules as Implicit, so it applies to Hybrid too.
