OpenIDConnect Response Type Confusion
Your thoughts about Authorization Code Flow and Implicit Flow are right. But I think you are over-complicating the hybrid flow. When using hybrid you can simply get both code and id_token.
After that, either you can grab code and exchange it for access token or just use the id_token (or access token) directly. Both approaches have their own flaws, especially in terms of security.
To understand the possible relationships between Response Types and Grant Types see IdentityServer4\Constants.cs
public static readonly Dictionary<string, string> ResponseTypeToGrantTypeMapping = new Dictionary<string, string>
{
    { OidcConstants.ResponseTypes.Code, GrantType.AuthorizationCode },
    { OidcConstants.ResponseTypes.Token, GrantType.Implicit },
    { OidcConstants.ResponseTypes.IdToken, GrantType.Implicit },
    { OidcConstants.ResponseTypes.IdTokenToken, GrantType.Implicit },
    { OidcConstants.ResponseTypes.CodeIdToken, GrantType.Hybrid },
    { OidcConstants.ResponseTypes.CodeToken, GrantType.Hybrid },
    { OidcConstants.ResponseTypes.CodeIdTokenToken, GrantType.Hybrid }
};
The following statements that you made are correct:
- code refers to the Authorization Code
- token refers to an Access Token (or access_token)
- in the Authorization Code flow one switches the code for an access_token
But part of your confusion may originate from terminology mixup:
- the term Authorization flow is not entirely correct; its official name is Authorization Code flow
- the term Access Code does not exist
- the Implicit flow does not have an Authorization Code (nor Access code); in fact there's no credential (or grant) involved at all that allows the Client to get tokens from the Token endpoint, hence its name
As @juanifioren pointed out, Hybrid flows combine things:
- the code id_token flow would get a code and id_token in the Authentication Response directly, but you'd use the code to get an access_token from the Token endpoint
- the code token flow would get a code and access_token in the Authentication Response directly, but you'd use the code to get an id_token and possibly another access_token in the backend from the Token endpoint
- the code id_token token flow would get a code, access_token and an id_token in the Authentication Response directly, and you could use the code in the backend to get another access_token from the Token endpoint
Getting an access_token from the Token endpoint differs from getting it from the Authorization endpoint because confidential clients authenticate themselves to the Token endpoint (and not to the Authorization endpoint). Hence the access_token for the confidential part of the client might have more permissions and/or a longer life.
See also a short thread on the spec mailing list on this topic: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20150209/005229.html
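The mapping above is easy to get wrong in client or server code because response_type is a space-separated, order-independent list ("id_token code" is the same response type as "code id_token"). The following is an added worked example, not code from the answers above nor from IdentityServer4: it ports the ResponseTypeToGrantTypeMapping idea to Python, rejects malformed response_type values, and for each flow records which artifacts arrive directly in the Authentication Response and which are only obtained by redeeming the code at the Token endpoint, where the confidential client authenticates. The "needs_fragment" field and the assumption that the Token endpoint returns both an access_token and an id_token (i.e. scope includes openid) are mine, not stated on this page.

```python
"""Added example (not IdentityServer4 code): classify an OpenID Connect
response_type into its grant type and describe where each artifact comes from."""

from dataclasses import dataclass

CODE, TOKEN, ID_TOKEN = "code", "token", "id_token"
VALID_RESPONSE_TYPES = frozenset({CODE, TOKEN, ID_TOKEN})

# Port of the ResponseTypeToGrantTypeMapping table, keyed on a frozenset so that
# the order of the space-separated values does not matter.
RESPONSE_TYPE_TO_GRANT_TYPE = {
    frozenset({CODE}): "authorization_code",
    frozenset({TOKEN}): "implicit",
    frozenset({ID_TOKEN}): "implicit",
    frozenset({ID_TOKEN, TOKEN}): "implicit",
    frozenset({CODE, ID_TOKEN}): "hybrid",
    frozenset({CODE, TOKEN}): "hybrid",
    frozenset({CODE, ID_TOKEN, TOKEN}): "hybrid",
}

# Names of the artifacts as they appear in the Authentication Response.
ARTIFACT_NAME = {CODE: "code", TOKEN: "access_token", ID_TOKEN: "id_token"}


@dataclass(frozen=True)
class FlowShape:
    grant_type: str
    from_authorization_endpoint: frozenset  # delivered in the Authentication Response
    from_token_endpoint: frozenset          # obtained by redeeming the code (client authenticates here)
    needs_fragment: bool                    # assumption: any token in the front channel must not use query encoding


def parse_response_type(value: str) -> frozenset:
    """Split and validate a response_type parameter; raise ValueError on junk."""
    parts = value.split()
    if not parts:
        raise ValueError("empty response_type")
    unknown = set(parts) - VALID_RESPONSE_TYPES
    if unknown:
        raise ValueError(f"unknown response_type value(s): {sorted(unknown)}")
    if len(parts) != len(set(parts)):
        raise ValueError("duplicate response_type value")
    return frozenset(parts)


def is_valid_response_type(value: str) -> bool:
    try:
        parse_response_type(value)
    except ValueError:
        return False
    return True


def classify(response_type: str) -> FlowShape:
    rt = parse_response_type(response_type)
    grant_type = RESPONSE_TYPE_TO_GRANT_TYPE[rt]  # every non-empty subset is in the table
    front = frozenset(ARTIFACT_NAME[p] for p in rt)
    if CODE in rt:
        # Redeeming the code at the Token endpoint yields an access_token (possibly a
        # different, more privileged one than the front-channel token) and, assuming
        # scope includes openid, an id_token.
        back = frozenset({"access_token", "id_token"})
    else:
        # Implicit: no code, so nothing can be fetched from the Token endpoint.
        back = frozenset()
    return FlowShape(grant_type, front, back, needs_fragment=bool(rt - {CODE}))


if __name__ == "__main__":
    for rt in ("code", "id_token token", "id_token code", "code token", "code id_token token"):
        shape = classify(rt)
        print(f"{rt!r:25} -> {shape.grant_type:19} "
              f"front={sorted(shape.from_authorization_endpoint)} "
              f"token_endpoint={sorted(shape.from_token_endpoint)} "
              f"fragment={shape.needs_fragment}")
```

Because the table is keyed on sets, a server that logs or authorizes clients per response_type cannot be tricked by reordering the values, and a client library built on it can refuse any request whose response_type it cannot classify instead of guessing.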