Hybrid Flow
Applications that are able to securely store Client Credentials may benefit from the use of the Hybrid Flow (defined in the OpenID Connect specification, section 3.3). The Hybrid flow allows your application to have immediate access to an ID token while ensuring secure and safe retrieval of access tokens and refresh tokens. This can be useful in situations where your application needs to immediately access information about the user, but must perform some processing before gaining access to protected resources for an extended period of time.
How it works
The Hybrid Flow combines steps from the Implicit Flow with Form Post and the Authorization Code Flow:

1. User selects Login within the application.
2. Application redirects the user to the Auth0 Authorization Server (`/authorize` endpoint), passing along a `response_type` parameter indicating the type of requested credential (ID token and authorization code), and a `response_mode` parameter of `form_post` to ensure security.
3. Auth0 Authorization Server redirects the user to the login and authorization prompt.
4. User authenticates using one of the configured login options, and may see a consent prompt listing the permissions Auth0 will give to the application.
5. Auth0 Authorization Server redirects the user back to the application with a single-use authorization code, and an ID token, access token, or both, depending on the provided `response_type`.
6. Application sends the authorization code, the application's client ID, and the application's credentials, such as Client Secret or Private Key JWT, to the Auth0 Authorization Server (`/oauth/token` endpoint).
7. Auth0 Authorization Server verifies the authorization code, the application's client ID, and the application's credentials.
8. Auth0 Authorization Server responds with a second ID token and access token (and optionally, a refresh token).
9. Application can use the second access token to call an API to access information about the user.
10. API responds with the requested data.
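As an added example (not Auth0's code or the linked tutorial's), the following Python sketches the application side of steps 2, 5 and 6: building the `/authorize` request, validating the `form_post` callback before the code is exchanged, and assembling the `/oauth/token` request. The tenant domain, client ID, client secret, user, code and token values are constructed placeholders. The ID token is HS256-signed with the client secret so that the example verifies it offline; an RS256 token would be verified against the tenant's JWKS instead. The `c_hash` check is taken from OpenID Connect Core section 3.3.2.11 (the ID token returned alongside a code carries a hash of that code), which the page itself does not mention.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed placeholders; real values come from the Auth0 tenant and app settings.
DOMAIN = "example-tenant.auth0.example"
CLIENT_ID = "constructed-client-id"
CLIENT_SECRET = "constructed-client-secret-do-not-reuse"
REDIRECT_URI = "https://app.example/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_url(state: str, nonce: str) -> str:
    """Step 2: response_type asks for code + ID token, response_mode=form_post
    delivers them in a POST body. state and nonce are kept in the session."""
    params = {"response_type": "code id_token", "response_mode": "form_post",
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": state, "nonce": nonce}
    return f"https://{DOMAIN}/authorize?{urlencode(params)}"


def c_hash(code: str) -> str:
    """OIDC Core 3.3.2.11: base64url of the left-most 128 bits of SHA-256(code)
    (SHA-256 because the token alg is HS256/RS256)."""
    return b64url(hashlib.sha256(code.encode("ascii")).digest()[:16])


def make_id_token(claims: dict) -> str:
    """Constructed stand-in for the first ID token Auth0 returns at step 5."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_callback(form_body: str, expected_state: str, expected_nonce: str) -> tuple:
    """Step 5, application side: validate the form_post callback and bind the
    code to the ID token before sending the code to /oauth/token."""
    fields = {k: v[0] for k, v in parse_qs(form_body).items()}
    # state ties the response to a request this app actually started (CSRF defence)
    if not hmac.compare_digest(fields.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    code, id_token = fields["code"], fields["id_token"]
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject alg=none / algorithm confusion
    expected_sig = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected_sig):
        raise ValueError("bad ID token signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != f"https://{DOMAIN}/":  # Auth0 issuer has a trailing slash
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("ID token expired")
    # nonce proves the token was minted for this login attempt (replay defence)
    if not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch")
    # c_hash proves this code was issued together with this ID token (code substitution defence)
    if not hmac.compare_digest(claims.get("c_hash", ""), c_hash(code)):
        raise ValueError("c_hash mismatch")
    return code, claims


def token_request(code: str) -> dict:
    """Step 6: form body for POST https://{DOMAIN}/oauth/token (client-secret auth).
    The second ID token in the response must be validated the same way."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code, "redirect_uri": REDIRECT_URI}


def demo() -> dict:
    """Runs the flow end to end with a constructed callback."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url(state, nonce)
    code = "constructed-auth-code-123"
    id_token = make_id_token({"iss": f"https://{DOMAIN}/", "aud": CLIENT_ID,
                              "sub": "auth0|constructed-user", "exp": int(time.time()) + 300,
                              "nonce": nonce, "c_hash": c_hash(code)})
    body = urlencode({"code": code, "id_token": id_token, "state": state})
    code_out, claims = verify_callback(body, state, nonce)
    return {"url": url, "sub": claims["sub"], "token_request": token_request(code_out)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the three bindings is that the first ID token is useful only if the application can trust it before the back-channel exchange: `state` and `nonce` tie the response to the browser session that started the flow, and `c_hash` ties the code to that same token, so a code swapped into the callback by another party fails validation rather than being sent to `/oauth/token`.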
How to implement it
You can follow our tutorial to use the Authentication API to Call Your API Using the Hybrid Flow.