richzilla

Reputation: 41992

OpenID Connect multiple response types

With OpenID Connect, what is the value of the `code id_token token` response type when using the hybrid flow?

This returns a response containing an authorisation code, identity token and access token. Given that you already have the access token in the response, isn't the authorisation code redundant?

Upvotes: 2

Views: 146

Answers (2)

Kavindu Dodanduwa

Reputation: 13059

The answer to this can vary with the exact implementation. This is justified by what the OpenID Connect specification says in the protocol document.

There is a dedicated token endpoint explanation given under the Hybrid Flow. According to that,

ID Token

When using the Hybrid Flow, the contents of an ID Token returned from the Token Endpoint are the same as for an ID Token returned from the Authorization Endpoint

There are a few exceptions, like:

  • Omitting the at_hash and c_hash Claims in the ID Token from the token endpoint
  • Restricted (limited) claims in the ID Token from the authorization endpoint

Now, the second one is implementation specific. So you might find a few differences, or you may see them as identical.

Unless you have a special requirement, I recommend sticking with the authorization code flow. It is more secure, and even the OAuth working group suggests not obtaining tokens from the authorization response (i.e. the Implicit flow).

Upvotes: 0
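The at_hash and c_hash claims mentioned above are the reason the front-channel ID token of a `code id_token token` response is not just a duplicate of the one from the token endpoint: they bind the code and access token that arrived in the same fragment to that ID token, so a relying party can reject a response in which one of them was swapped. The following is an added example, not code from the answer above or from any OpenID provider; it implements the half-hash rule from OIDC Core 3.3.2.11 and the client-side checks a relying party performs on a hybrid response. Everything in it is constructed: the shared key, issuer, client id, nonce, code and access token are placeholders, and the ID token is signed with HS256 purely so the example runs offline (real providers sign with an asymmetric alg such as RS256, verified against their published JWKS).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed illustration: HS256 with a shared key is used only so the example
# runs offline. Real providers use an asymmetric alg (e.g. RS256) and a JWKS.


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def half_hash(value: str, alg: str) -> str:
    """at_hash / c_hash as OIDC Core 3.3.2.11 defines them: hash the ASCII
    octets of the code or access token with the hash function of the ID
    token's JWS alg, keep the left-most half, base64url-encode unpadded."""
    digest_name = {"256": "sha256", "384": "sha384", "512": "sha512"}[alg[-3:]]
    digest = hashlib.new(digest_name, value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed provider-side signer (HS256) for the front-channel ID token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_hybrid_response(fragment: dict, key: bytes, client_id: str,
                             issuer: str, expected_nonce: str, now=None) -> dict:
    """Checks a relying party performs on a `code id_token token` authorization
    response before trusting either the code or the access token in it."""
    header_b64, payload_b64, sig_b64 = fragment["id_token"].split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept 'none' or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("iss/aud mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    # In the hybrid flow the authorization-endpoint ID token MUST bind the code
    # (c_hash) and the access token (at_hash) that arrived beside it.
    if claims.get("c_hash") != half_hash(fragment["code"], header["alg"]):
        raise ValueError("c_hash mismatch: code was not issued with this ID token")
    if claims.get("at_hash") != half_hash(fragment["access_token"], header["alg"]):
        raise ValueError("at_hash mismatch: access token was not issued with this ID token")
    return claims


# Constructed placeholder values for the demo below.
KEY = b"constructed-shared-secret-for-demo-only"
ISSUER = "https://op.example"
CLIENT_ID = "client-123"
NONCE = "n-0S6_WzA2Mj"


def build_fragment(code: str, access_token: str, nonce: str = NONCE) -> dict:
    """What the provider would place in the redirect fragment (constructed)."""
    claims = {
        "iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "nonce": nonce,
        "iat": 1_700_000_000, "exp": 1_700_000_300,
        "c_hash": half_hash(code, "HS256"),
        "at_hash": half_hash(access_token, "HS256"),
    }
    return {"code": code, "access_token": access_token, "token_type": "Bearer",
            "id_token": make_id_token(claims, KEY)}


def demo() -> tuple:
    """Returns (subject of a valid response, whether a swapped code was detected)."""
    good = build_fragment("constructed-code-abc", "constructed-access-token-xyz")
    subject = validate_hybrid_response(good, KEY, CLIENT_ID, ISSUER, NONCE,
                                       now=1_700_000_100)["sub"]
    # Same fragment, but the code replaced by one from a different session.
    swapped = dict(good, code="code-from-another-session")
    try:
        validate_hybrid_response(swapped, KEY, CLIENT_ID, ISSUER, NONCE,
                                 now=1_700_000_100)
        detected = False
    except ValueError:
        detected = True
    return subject, detected


if __name__ == "__main__":
    print(demo())
```

The checks run in the order a relying party should apply them: signature and alg first, then iss/aud/exp/nonce, and only then the c_hash and at_hash bindings. With this in place the authorization code is still worth having even though an access token arrived alongside it: the code is what gets exchanged at the token endpoint over the back channel, and the ID token from that exchange is the one the answer above notes may omit at_hash and c_hash, because the binding was already verified on the front-channel token.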

Alex Buyny

Reputation: 3185

You can get a refresh token at the token endpoint using the authorization code.

Upvotes: 1
