OIDC Hybrid Flow

Combines Authorization Code and Implicit flows (OIDC Core §3.3). Returns ID Token immediately for fast identity verification while authorization code is exchanged securely server-side. Useful when client needs identity before backend token exchange completes.

Try in Looking Glass
ID Token

Sequence Diagram

Click any step for details

ClientAuth ServerUser1Authentication Request2User Authentication & Consent3Hybrid Response with Hash Claims4Validate ID Token with Hash Claims5Token Exchange (Backend)6Token Response
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
Authentication Request
ClientOpenID Provider
2
User Authentication & Consent
UserOpenID Provider
3
Hybrid Response with Hash Claims
OpenID ProviderClient
4
Validate ID Token with Hash Claims
ClientClient
5
Token Exchange (Backend)
ClientOpenID Provider
6
Token Response
OpenID ProviderClient

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Core specs

· The specifications that define this protocol.