Now let’s look at the authentication flows available in OpenID Connect, and how ID tokens and user information are exchanged.
OpenID Connect defines 3 authentication flows:
Authorization Code flow
The Authorization Code and Implicit OpenID Connect flows are based on the OAuth flow with the same name. The main difference between the OpenID Connect and OAuth counterparts is that an ID token is issued in the OIDC flows. If the implicit OAuth flow is best suited for your application, you can assume that the Implicit OIDC flow is also the best choice. Similarly for the authorization code flows.
In this illustration, application I users the implicit flow while application A uses the authorization code flow.
The Hybrid flow is a combination of the authorization code and implicit flow. In this flow, the client can request ID tokens, access tokens, or both from the authorization endpoint, along with an authorization code.
- The code can be exchanged at the token endpoint for the remaining tokens. This is useful in situations such as single sign-on, where the partner application needs to immediately use an identity token to access the user’s identity.
- The code is used to request access and the refresh token to get long-lived access to resources.
The hybrid flow offers more flexibility with this token flow, but it’s less secure than the authorization code flow because some tokens are exposed directly to the user agent.