Flow types (OAuth/OIDC)

What are flow types?

The flow type dictates how authentication is handled by the Identity Provider: which endpoints are involved, what is sent to the client application, and how it is delivered.

There are three flow types:

  • Authorization Code Flow
  • Implicit Flow
  • Hybrid Flow (OpenID Connect Only)

Authorization Code Flow

This is the most commonly known flow type.

The authorization code flow returns an authorization code that can then be exchanged for an identity token and/or access token. This flow obtains the authorization code from the authorization endpoint, and all tokens (the access_token in OAuth, the id_token in OIDC) are returned from the token endpoint.

It requires client authentication using a client id and secret to retrieve the tokens from the back-end, and has the benefit of not exposing tokens to the user agent (i.e. the browser).

This flow allows for long lived access (through the use of refresh tokens). Clients using this flow must be able to maintain a secret.

Implicit Flow

The implicit flow requests tokens without explicit client authentication, instead relying on the registered redirect URI to verify the Service Provider's identity. This flow obtains all tokens (access_token and id_token) directly from the authorization endpoint, so they pass through the user agent. It is therefore considerably less secure than the Authorization Code Flow.

This flow is used for client-side web applications (e.g. JavaScript clients) that need temporary access to the user's data.

Refresh tokens are not allowed (short-lived authentication only).

From the Service Provider's point of view, this is the simplest to implement, as there is only one round trip to the Identity Provider.

Hybrid Flow

The Hybrid flow is only available in OpenID Connect.

It is a combination of the previous two flows. 

This flow allows the Service Provider to request tokens (access token and id_token) directly from the Authorization Endpoint, while also receiving an authorization code.

This authorization code can then be exchanged at the token endpoint for long-lived access (a refresh token). Service Providers using this flow must be able to maintain a secret.

Note: in the IDHub application, the authorization code returned by the Hybrid flow is ignored.
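As an added example (not part of the original article and not IDHub's own code), the following builds the authorization request for each of the three flows and parses the redirect back to the client, making visible which artefacts each flow exposes to the user agent. The endpoint URLs, client id and token values used in it are made up.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# response_type selects the flow (RFC 6749 / OIDC Core); the hybrid value matches the
# article: code plus both tokens straight from the authorization endpoint.
FLOW_RESPONSE_TYPES = {
    "authorization_code": "code",
    "implicit": "id_token token",
    "hybrid": "code id_token token",
}

def build_authorization_request(authorize_endpoint, client_id, redirect_uri, flow,
                                scope="openid profile"):
    """Return (url, state, nonce). state binds the callback to this request; nonce is
    added only when an id_token is issued directly by the authorization endpoint."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": FLOW_RESPONSE_TYPES[flow],
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    if "id_token" in params["response_type"]:
        params["nonce"] = nonce
    return f"{authorize_endpoint}?{urlencode(params)}", state, nonce

def parse_callback(redirect_url, expected_state):
    """Parse the IdP's redirect. The code flow returns only `code` in the query string;
    implicit and hybrid put tokens in the fragment, which only the user agent sees."""
    parsed = urlparse(redirect_url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parsed.fragment).items()}
    received = {**query, **fragment}
    if received.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    return {
        "code": received.get("code"),
        "access_token": received.get("access_token"),
        "id_token": received.get("id_token"),
        # True when tokens travelled through the browser, the exposure the code flow avoids
        "tokens_in_user_agent": "access_token" in fragment or "id_token" in fragment,
    }

def token_request_body(code, redirect_uri):
    """Form body for the back-channel POST to the token endpoint (code and hybrid flows).
    The client id and secret travel in an HTTP Basic Authorization header, not here."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
```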

Flow Type behavior (IDHub)

Authorization Code

  • OAuth:
    1. IDP provides an authorization code.
    2. The authorization code is used to get an access token, which authorizes the client.
    3. Claims are requested separately via the UserInfo Endpoint.
  • OpenID Connect:
    1. IDP provides an authorization code.
    2. The authorization code is used to get an ID Token (which also contains the claims).

Hybrid

  • OAuth: not available.
  • OpenID Connect:
    1. IDP provides an access token and an ID token.
    2. All information and claims are retrieved from the ID token.

Implicit

  • OAuth:
    1. IDP provides an access token.
    2. Claims can be requested via the UserInfo Endpoint, by presenting the access token.
  • OpenID Connect:
    1. IDP provides an access token.
    2. Claims can be requested via the UserInfo Endpoint, by presenting the access token.