[Openid-specs-ab] OpenID query - Hybrid Flow Authentication

Thomas Broyer t.broyer at gmail.com
Thu Mar 7 14:10:45 UTC 2019



On Thu, Mar 7, 2019 at 2:53 PM Nughmman Butt <nughmman.butt at gmail.com>
wrote:

> With the hybrid scheme my current understanding is that an authorization
> code is returned when the response_type is code token.
>
> If this is the case what steps are followed by the client to validate the
> authorization code?
>

Section 3.3.2.10 is only checking the authorization code against the ID
Token returned by the Authorization Endpoint, but with "code token", you
don't have an ID Token (btw, step 4 of 3.3.2.8 should only list "code
id_token token", not "code token", for this reason).
With "code token", you'd "validate" the authorization code the same way as
with the Authorization Code flow: by sending it to the Token Endpoint.
You'll then have an ID Token in the response, in which there might be a
c_hash to validate the authorization code against, and/or an at_hash for
the access token; this is covered in section 3.3.3.6.


> Rgds
> Nughmman
>
> On Thu, 7 Mar 2019, 4:28 pm Thomas Broyer, <t.broyer at gmail.com> wrote:
>
>> Section 3.3.2.10 requires an ID Token, "code token" cannot use these
>> steps.
>>
>> On Thu, 7 Mar 2019 13:54, Nughmman Butt via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> Hello,
>>>
>>>
>>> I am going through the following website:
>>>
>>>
>>> https://openid.net/specs/openid-connect-core-1_0.html
>>>
>>> My query relates to the Hybrid Flow Authentication.
>>>
>>> *Section 3.3.2.5 Successful Authentication Response states:*
>>>
>>>
>>> "code
>>> Authorization Code. This is always returned when using the Hybrid Flow."
>>>
>>> *section 3.3.2.8. Authentication Response Validation, clause 5 states:*
>>>
>>>
>>>
>>> "Follow the Authorization Code validation rules in Section 3.3.2.10 when
>>> the response_type value used is *code id_token* or *code id_token token*
>>> ."
>>>
>>> Shouldn't clause 5 mention all 3 hybrid flow response types i.e
>>> code id_token, code id_token token *AND CODE TOKEN*?
>>>
>>> Please advise.
>>>
>>> Rgds
>>> Nughmman
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>
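The c_hash / at_hash checks referred to above (sections 3.3.2.10, 3.3.2.11 and 3.3.3.6 of OpenID Connect Core), as an added Python example that is not part of this thread or of any OpenID implementation. It assumes the ID Token's JWS signature has already been verified and its payload decoded into a dict; the function names are my own.

```python
import base64
import hashlib
import hmac

# Hash function implied by the ID Token's JWS "alg" (RS256/ES256/HS256 -> SHA-256, ...).
_DIGEST_FOR_ALG = {"256": "sha256", "384": "sha384", "512": "sha512"}


def half_hash(value: str, alg: str) -> str:
    """Build a c_hash / at_hash value (OpenID Connect Core 3.3.2.10 / 3.3.2.11):
    hash the ASCII octets of the value with the function implied by alg, keep
    the left-most half of the digest, base64url-encode it without padding."""
    digest = hashlib.new(_DIGEST_FOR_ALG[alg[-3:]], value.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def check_hashes(claims, alg, code=None, access_token=None,
                 require_c_hash=False, require_at_hash=False):
    """Return a list of problems (empty list = every present hash verified).
    A present claim that does not match is always a problem; an absent claim
    is only a problem when the caller marks it as required (hypothetical API)."""
    problems = []
    for claim, value, required in (("c_hash", code, require_c_hash),
                                   ("at_hash", access_token, require_at_hash)):
        if claim not in claims:
            if required:
                problems.append(f"{claim} missing from ID Token")
        elif value is None or not hmac.compare_digest(
                str(claims[claim]).encode("utf-8"), half_hash(value, alg).encode("ascii")):
            # constant-time comparison; bytes so a non-ASCII claim cannot raise
            problems.append(f"{claim} does not match")
    return problems


def check_authorization_response(response_type, id_token_claims, alg,
                                 code=None, access_token=None):
    """Hybrid Flow authorization response (3.3.2.8 / 3.3.2.10 / 3.3.2.11).
    Returns None for "code token": that response carries no ID Token, so the
    code is validated by redeeming it at the Token Endpoint and checking the
    optional c_hash / at_hash of the ID Token returned there (3.3.3.6), using
    check_hashes with no required flags."""
    if response_type == "code token":
        return None
    parts = response_type.split()
    return check_hashes(id_token_claims, alg, code=code, access_token=access_token,
                        require_c_hash=True,               # code is always present
                        require_at_hash="token" in parts)  # only "code id_token token"
```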

