I've spend the last few days reading through all the specs with regards to OAuth2 and OpenIDConnect and implementing a test client using Thinktecture Identity Server. I've also followed several pluralsight courses and I think understand the main gist of it. However i'm still extremely confused about the Response Types.
OpenIDConnect spec specifies that the Hybrid flow response types are a combination of "code", "id_token" and "token". I understand the "id_token" allows us to get access to basic id information initially.
I also understand code" refers to the authorization code and "token" refers to an access token and combining "code" with one or both of the other two triggers the flow but my understanding was that you swap an authorization code for an access token in the Authorization flow, while the Implicit flow supplies the Access Code implicitly?
Could someone clear up my confusion?
The following statements that you made are correct:
code
refers to the Authorization Codetoken
refers to an Access Token or (access_token
)code
for an access_token
But part of your confusion may originate from terminology mixup:
As @juanifioren pointed out, Hybrid flows combine things:
code id_token
flow would get a code
and id_token
in the Authentication Response directly but you'd use the code
to get an access_token
from the Token endpointcode token
flow would get a code
and access_token
in the Authentication Response directly but you'd use the code
to get an id_token
and possibly another access_token
in the backend from the Token endpointcode id_token token
flow would get a code
, access_token
and an id_token
in the Authentication Response directly and you could use the code
in the backend to get another access_token
from the Token endpointGetting an access_token
from the Token endpoint differs from getting it from the Authorization endpoint because the confidential clients authenticate themselves to the Token endpoint (and not to the Authorization endpoint). Hence the access_token
for the confidential part of the client might have more permissions and or a longer life.
See also a short thread on the spec mailing list on this topic: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20150209/005229.html