Hybrid Flow:

The Hybrid Flow consists of the following steps:

  • Client prepares an Authentication Request containing the desired request parameters.

  • Client sends the request to the Authorization Server.

  • Authorization Server Authenticates the End-User.

  • Authorization Server obtains End-User Consent/Authorization.

  • Authorization Server sends the End-User back to the Client with an Authorization Code and, depending on the Response Type, one or more additional parameters.

  • Client requests a response using the Authorization Code at the Token Endpoint.

  • Client receives a response that contains an ID Token and Access Token in the response body.

  • Client validates the ID Token and retrieves the End-User's Subject Identifier.

Authentication Request:

GET /authz-srv/authz?
    response_type=code%20id_token
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fsamplecreative.com
    &scope=openid%20profile%20email
    &nonce=n-0S6_WzA2Mj
    &state=af0ifjsldkj HTTP/1.1
  Host: samplecreative.com

response_type REQUIRED. OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Hybrid Flow, this value is code id_token, code token, or code id_token token.

Authentication Response:

HTTP/1.1 302 Found
  Location: https://samplecreative.com#
    code=SplxlOBeZQQYbYS6WxSbIA
    &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
    &state=af0ifjsldkj

(The response parameters are carried in the URL fragment, after the #, since the query encoding must not be used for this Response Type.)

access_token OAuth 2.0 Access Token. This is returned when the response_type value used is code token, or code id_token token. (A token_type value is also returned in the same cases.)

id_token ID Token. This is returned when the response_type value used is code id_token or code id_token token.

code Authorization Code. This is always returned when using the Hybrid Flow.
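The checks a Client has to run on the Authentication Response above before it redeems the code, as an added example that is not part of the original page: the state must match the request, the ID Token signature must verify, its nonce must match the one sent, and its c_hash claim (required by OIDC Core for Hybrid Flow ID Tokens, not mentioned on this page) must bind the ID Token to the returned code. All values are constructed; an HS256 client secret stands in for the RS256 key and JWKS a real deployment would use.

```python
# Added example (not from the original page): the checks a Client should run on
# a Hybrid Flow "code id_token" response before using the code. All values are
# constructed; the HS256 client secret stands in for an RS256 key + JWKS.
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlparse

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes) -> str:
    """Builds a constructed HS256 ID Token; used only to produce sample input."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def c_hash(code: str) -> str:
    """OIDC Core 3.3.2.11: base64url of the left-most half of SHA-256(code)."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def validate_hybrid_response(location: str, expected_state: str, expected_nonce: str,
                             client_id: str, issuer: str, secret: bytes) -> str:
    """Returns the Authorization Code if every check passes, otherwise raises."""
    frag = parse_qs(urlparse(location).fragment)  # parameters live in the fragment
    code, id_token = frag["code"][0], frag["id_token"][0]
    if frag.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not for a request we made")
    head, body, sig = id_token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg; pin the algorithm the Client registered")
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("ID Token signature does not verify")
    claims = json.loads(b64url_decode(body))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("ID Token issued by another issuer or for another client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: ID Token replayed from another session")
    if claims.get("c_hash") != c_hash(code):
        raise ValueError("c_hash mismatch: code was not issued with this ID Token")
    return code
```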

Multiple-Valued Response Type Combinations:

This section defines combinations of the values code, token, and id_token, which are each individually registered Response Types.

code token

When supplied as the value for the response_type parameter, a successful response MUST include an Access Token, an Access Token Type, and an Authorization Code. The default Response Mode for this Response Type is the fragment encoding and the query encoding MUST NOT be used. Both successful and error responses SHOULD be returned using the supplied Response Mode, or if none is supplied, using the default Response Mode.

code id_token

When supplied as the value for the response_type parameter, a successful response MUST include both an Authorization Code and an id_token. The default Response Mode for this Response Type is the fragment encoding and the query encoding MUST NOT be used. Both successful and error responses SHOULD be returned using the supplied Response Mode, or if none is supplied, using the default Response Mode.

id_token token

When supplied as the value for the response_type parameter, a successful response MUST include an Access Token, an Access Token Type, and an id_token. The default Response Mode for this Response Type is the fragment encoding and the query encoding MUST NOT be used. Both successful and error responses SHOULD be returned using the supplied Response Mode, or if none is supplied, using the default Response Mode.

code id_token token

When supplied as the value for the response_type parameter, a successful response MUST include an Authorization Code, an id_token, an Access Token, and an Access Token Type. The default Response Mode for this Response Type is the fragment encoding and the query encoding MUST NOT be used. Both successful and error responses SHOULD be returned using the supplied Response Mode, or if none is supplied, using the default Response Mode.

For all these Response Types, the request MAY include a state parameter, and if so, the Authorization Server MUST echo its value as a response parameter when issuing either a successful response or an error response.

A non-normative request/response example as issued/received by the User Agent (with extra line breaks for display purposes only) is:

  GET /authz-srv/authz?
    response_type=id_token%20token
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fsamplecreative.com
    &state=af0ifjsldkj HTTP/1.1
  Host: samplecreative.com

  HTTP/1.1 302 Found
  Location: https://samplecreative.com#
    access_token=SlAV32hkKG
    &token_type=bearer
    &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
    &expires_in=3600
    &state=af0ifjsldkj

Once the Client has obtained an Access Token (or ID Token) from the Authorization Server, it uses that token to access the secured API.

Example Accessing User Information:

Simply include the token in the Authorization header using the Bearer scheme.

GET /users-srv/userinfo HTTP/1.1
Host: sampleeshop.cidaas.de
Authorization: Bearer Gp7b5hiURKpWzEXgMJP38EnYimgxlBC1PpS2zGXUqe

Response:

HTTP/1.1 200 OK
Content-Type: application/json

{
   "sub": "248289761001",
   "name": "david jhonson",
   "given_name": "david",
   "family_name": "jhonson",
   "preferred_username": "david",
   "email": "[email protected]",
   "picture": "http://samplecreative.com/davidjhonson/avt.jpg",
   ...
}

OAuth 2.0 Form Post Response Mode

Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client, with the result parameters being encoded in the body using the application/x-www-form-urlencoded format.

This specification defines the Form Post Response Mode, which is described with its response_mode parameter value:

form_post

In this mode, Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client, with the result parameters being encoded in the body using the application/x-www-form-urlencoded format. The action attribute of the form MUST be the Client's Redirection URI. The method of the form attribute MUST be POST. Because the Authorization Response is intended to be used only once, the Authorization Server MUST instruct the User Agent (and any intermediaries) not to store or reuse the content of the response.

Any technique supported by the User Agent MAY be used to cause the submission of the form, and any form content necessary to support this MAY be included, such as submit controls and client-side scripting commands. However, the Client MUST be able to process the message without regard for the mechanism by which the form submission was initiated.

Authorization Request to the Authorization Endpoint:

  GET /authz-srv/authz?
   response_type=id_token
   &response_mode=form_post
   &client_id=some_client
   &scope=openid
   &redirect_uri=https%3A%2F%2Fsamplecreative.com%2Fcallback
   &state=DcP7csa3hMlvybERqcieLHrRzKBra
   &nonce=2T1AgaeRTGTMAJyeDMN9IJbgiUG HTTP/1.1
  Host: samplecreative.com

After authentication and approval by the End-User, the Authorization Server issues the Authorization Response (the state value is echoed unchanged from the request):

  HTTP/1.1 200 OK
  Content-Type: text/html;charset=UTF-8
  Cache-Control: no-cache, no-store
  Pragma: no-cache

  <html>
   <head><title>Submit This Form</title></head>
   <body onload="javascript:document.forms[0].submit()">
    <form method="post" action="https://samplecreative.com/callback">
      <input type="hidden" name="state"
       value="DcP7csa3hMlvybERqcieLHrRzKBra"/>
      <input type="hidden" name="id_token"
       value="eyJhbGciOiJSUzI1NiIsImt....."/>
    </form>
   </body>
  </html>
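How an Authorization Server would build the form_post response shown above, as an added example that is not part of the original page: the action is pinned to an absolute https Redirection URI, every parameter value is HTML-escaped before being placed in a hidden input (an unescaped state or error_description would otherwise be injected into the page as markup), and the no-store headers the section requires are set. The function name and the constructed values are assumptions.

```python
# Added example (not from the original page): building a form_post Authorization
# Response as the section describes. Names and values here are constructed.
import html
from urllib.parse import urlsplit

FORM = """<html>
 <head><title>Submit This Form</title></head>
 <body onload="javascript:document.forms[0].submit()">
  <form method="post" action="{action}">
{inputs}
  </form>
 </body>
</html>"""

def form_post_response(redirect_uri: str, params: dict):
    """Returns (headers, body) for a form_post Authorization Response."""
    # The form action MUST be the Client's registered Redirection URI; refuse
    # anything that is not an absolute https URL so it cannot become an action.
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("redirect_uri must be an absolute https URL")
    # Each value (state, id_token, code, error, ...) is attacker-influenced text
    # from the Client's perspective; escape it so it stays an attribute value.
    inputs = "\n".join(
        f'   <input type="hidden" name="{html.escape(k, quote=True)}"'
        f' value="{html.escape(v, quote=True)}"/>'
        for k, v in params.items())
    headers = {
        "Content-Type": "text/html;charset=UTF-8",
        # The response is single-use: tell the UA and intermediaries not to cache it.
        "Cache-Control": "no-cache, no-store",
        "Pragma": "no-cache",
    }
    body = FORM.format(action=html.escape(redirect_uri, quote=True), inputs=inputs)
    return headers, body
```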
