OIDC Hybrid Flow
Combines Authorization Code and Implicit flows (OIDC Core §3.3). Returns ID Token immediately for fast identity verification while authorization code is exchanged securely server-side. Useful when client needs identity before backend token exchange completes.
OIDC Hybrid Flow
Combines Authorization Code and Implicit flows (OIDC Core §3.3). Returns ID Token immediately for fast identity verification while authorization code is exchanged securely server-side. Useful when client needs identity before backend token exchange completes.
ID Token
Sequence Diagram
Click any step for details
Request
Response
Redirect
Internal
Step-by-Step Breakdown
1
Authentication Request
Client → OpenID Provider
2
User Authentication & Consent
User → OpenID Provider
3
Hybrid Response with Hash Claims
OpenID Provider → Client
4
Validate ID Token with Hash Claims
Client → Client
5
Token Exchange (Backend)
Client → OpenID Provider
6
Token Response
OpenID Provider → Client
Token Inspector
Specs for this flow
Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.