OIDC Code Flows

OpenID Connect authentication requests can follow one of three paths:

  • Authorization Code Flow,
  • Implicit Flow,
  • Hybrid Flow,

The Authorization Code Flow is intended for clients that can securely maintain a client secret between themselves and the Authorization Server, whereas the Implicit Flow is intended for clients that cannot. However, the Authorization Code Flow is sometimes also used by native applications and other clients in order to be able to obtain a refresh token, even when they cannot ensure the secrecy of the client secret value. The Hybrid flow combines aspects of the Authorization Code flow and the Implicit flow. It enables clients to obtain an ID token and optionally an access token with only one round trip to the authorization server, possibly minimizing latency, while still enabling clients to later get tokens from the token endpoint. For more information about OpenID Connect, please refer to the OIDC Basic Client Implementer's Guide.

Various library implementations can be found here.

Regardless of the Code Flow choice, the first four steps are always the same. The difference between the various available flows is how the Authorization Server sends the End-User back to the Client and how the Client requests and/or validates the tokens.

Authorization Code Flow

The Authorization Code Flow goes through the following steps:

  1. Client prepares an Authentication Request containing the desired request parameters.
  2. Client sends the request to the Authorization Server.
  3. Authorization Server Authenticates the End-User.
  4. Authorization Server obtains End-User Consent/Authorization.
  5. Authorization Server sends the End-User back to the Client with an Authorization Code.
  6. Client requests a response using the Authorization Code at the Token Endpoint.
  7. Client receives a response that contains an ID Token and Access Token in the response body.
  8. Client validates the ID token and retrieves the End-User's Subject Identifier.

Authorization Code Flow Diagram

Authorization Code Flow Diagram

Implicit Code Flow

The Implicit Flow follows the following steps:

  1. Client prepares an Authentication Request containing the desired request parameters.
  2. Client sends the request to the Authorization Server.
  3. Authorization Server Authenticates the End-User.
  4. Authorization Server obtains End-User Consent/Authorization.
  5. Authorization Server sends the End-User back to the Client with an ID Token and, if requested, an Access Token.
  6. Client validates the ID token and retrieves the End-User's Subject Identifier.

Implicit Code Flow Diagram

Implicit Code Flow Diagram

Hybrid Code Flow

The Hybrid Flow follows the following steps:

  1. Client prepares an Authentication Request containing the desired request parameters.
  2. Client sends the request to the Authorization Server.
  3. Authorization Server Authenticates the End-User.
  4. Authorization Server obtains End-User Consent/Authorization.
  5. Authorization Server sends the End-User back to the Client with an Authorization Code and, depending on the Response Type, one or more additional parameters.
  6. Client requests a response using the Authorization Code at the Token Endpoint.
  7. Client receives a response that contains an ID Token and Access Token in the response body.
  8. Client validates the ID Token and retrieves the End-User's Subject Identifier.

Hybrid Code Flow Diagram

Hybrid Code Flow Diagram