Rob L

Reputation: 3303

In OpenID Connect's hybrid flow, what is the purpose of the 'code' parameter if you can request an access_token?

From what I understand about authorization code flow in OpenID Connect and OAuth 2, the code parameter that is returned to the relying party from the authorize endpoint is supposed to be exchanged in a subsequent request for an access_token. However, in hybrid flow you can request a code, access_token and an id_token to be returned from the authorize endpoint. So why would you ever need the code parameter if you already have an access_token?

Upvotes: 0

Views: 175

Answers (1)

Pieter Ennes

Reputation: 2409

I can think of two reasons at least, both having to do with the client being able to authenticate to the token endpoint, but not the authorization endpoint:

  • You will usually only be able to receive a refresh_token from the token endpoint, not the authorization endpoint. Hence if you need that, then you'd exchange the code first.
  • The provider may choose (or be configured) to return a smaller or minimal claims set in the ID Token that is returned from the authorization endpoint, and further information in the ID Token from the token endpoint or via the UserInfo endpoint. I don't think it is recommended to send sensitive claims from the authorization endpoint directly.

Upvotes: 1
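The two points in the answer, shown end to end as an added example (not code from the question or the answer above): a toy in-memory provider hands out code, access_token and a thin id_token from its authorization endpoint, and only its token endpoint, which demands client authentication, returns a refresh_token and an id_token with the fuller claim set. The relying-party side also shows why the code travels next to the id_token at all: OpenID Connect Core binds them through the c_hash and at_hash claims, so the RP can detect a substituted code or access token before exchanging anything. Issuer URL, client id, client secret, signing key and user data are constructed values; signing uses HS256 so the example runs on the standard library alone (real providers use RS256 or similar).

```python
"""Relying-party handling of an OIDC hybrid-flow response (response_type=code id_token token).

Added example with a toy in-memory OP. ISSUER, CLIENT_ID, CLIENT_SECRET and SIGNING_KEY
are constructed values, not from any real deployment.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://op.example"            # constructed issuer URL
CLIENT_ID = "rp-client"                  # constructed client id
CLIENT_SECRET = "rp-secret-for-demo"     # constructed; only the token endpoint ever sees it
SIGNING_KEY = b"op-hs256-key-for-demo"   # constructed OP signing key (HS256 for a stdlib-only demo)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def half_hash(value: str) -> str:
    """at_hash / c_hash per OIDC Core 3.3.2.11: left 128 bits of SHA-256 (hash of HS256/RS256)."""
    return b64url(hashlib.sha256(value.encode("ascii")).digest()[:16])


def sign_jwt(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":   # pin the algorithm we expect
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


class ToyProvider:
    """Front channel: code + access_token + thin id_token. Token endpoint: client auth, refresh_token, full id_token."""

    def __init__(self):
        self.codes = {}  # code -> (sub, nonce)

    def authorize(self, client_id: str, nonce: str, sub: str) -> dict:
        code, access_token = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
        self.codes[code] = (sub, nonce)
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": sub, "aud": client_id, "iat": now, "exp": now + 300,
                  "nonce": nonce, "c_hash": half_hash(code), "at_hash": half_hash(access_token)}
        return {"code": code, "access_token": access_token, "token_type": "Bearer",
                "id_token": sign_jwt(claims, SIGNING_KEY)}

    def token(self, code: str, client_id: str, client_secret: str) -> dict:
        if not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        sub, nonce = self.codes.pop(code)  # single use: a replayed code raises KeyError
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": sub, "aud": client_id, "iat": now, "exp": now + 300,
                  "nonce": nonce, "email": f"{sub}@example.test"}  # richer claims only via back channel
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "refresh_token": secrets.token_urlsafe(32), "id_token": sign_jwt(claims, SIGNING_KEY)}


def check_front_channel_id_token(resp: dict, nonce: str) -> dict:
    """Validate the authorization-endpoint id_token and bind the code and access_token to it."""
    claims = verify_jwt(resp["id_token"], SIGNING_KEY)
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims["nonce"] != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if claims["exp"] < time.time():
        raise ValueError("id_token expired")
    if not hmac.compare_digest(claims["c_hash"], half_hash(resp["code"])):
        raise ValueError("code does not belong to this id_token")
    if not hmac.compare_digest(claims["at_hash"], half_hash(resp["access_token"])):
        raise ValueError("access_token does not belong to this id_token")
    return claims


def hybrid_login(op: ToyProvider, sub: str) -> dict:
    """Whole RP flow: validate the front-channel response, then exchange the code on the back channel."""
    nonce = secrets.token_urlsafe(16)
    front = op.authorize(CLIENT_ID, nonce, sub)
    front_claims = check_front_channel_id_token(front, nonce)
    back = op.token(front["code"], CLIENT_ID, CLIENT_SECRET)
    back_claims = verify_jwt(back["id_token"], SIGNING_KEY)
    if back_claims["sub"] != front_claims["sub"]:
        raise ValueError("token endpoint returned a different subject")
    return {"front_claims": front_claims, "back_claims": back_claims,
            "front_has_refresh_token": "refresh_token" in front,
            "back_has_refresh_token": "refresh_token" in back}


if __name__ == "__main__":
    print(json.dumps(hybrid_login(ToyProvider(), "alice"), indent=2))
```

The front-channel id_token lets the RP establish who logged in immediately, while the refresh_token and the email claim only appear after the code exchange, which the provider refuses without the client secret. The c_hash and at_hash checks are what make carrying the code alongside the id_token safe: a response whose code has been swapped for a different one fails validation before the RP ever calls the token endpoint.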
