Reputation: 2283
What is the use of two id/access tokens (from authorize and token endpoints) received in Hybrid flow/grant?
In Hybrid Flow/Grant -
response_type = code token id_token
In this case, the client receives id_token & access_token 2 times:
1) From /authorize endpoint (along with code)
2) From /token endpoint (exchanges code for token)
I read in few sites that these tokens, received twice, may not be same always. What is the use of receiving tokens twice? How are they used? Isn't just getting the code from authorize endpoint and exchange it with token endpoint for tokens enough (i.e., Authorization code flow)?
Upvotes: 0
Views: 105
Answers (1)
Reputation: 53928
I'm afraid this is not a widely understood or agreed on part of the spec. One may argue that receiving tokens from a backchannel is inherently more secure thus there's a security and assurance advantage over getting them in the front channel. I don't think anyone has presented a compelling use case though for also receiving tokens in the front channel in the same flow.
Upvotes: 1
Related Questions
- Clarification on id_token vs access_token
- In OpenID Connect, what's the purpose of "code id_token" hybrid workflow when "code" flow does the same thing more securely?
- Still struggling to understand Id Token vs Access Token in OIDC / OAUTH2.0
- When would I use a Hybrid flow with response_type=code id_token token in OpenID Connect?
- Purpose of ID token
- How do OpenId Connect's id token feed into a subsequent OAuth2 flow for authorizing access on another resource?
- In OpenID Connect's hybrid flow, what is the purpose of the 'code' parameter if you can request an access_token?
- What is the OpenID Connect access token for?
- What is the use of openid id_token
- why there is two tokens Access and ID in OpenID Connect