[Openid-specs-ab] OpenID query - Hybrid Flow Authentication
t.broyer at gmail.com
Thu Mar 7 14:10:45 UTC 2019
On Thu, Mar 7, 2019 at 2:53 PM Nughmman Butt <nughmman.butt at gmail.com>
> With the hybrid scheme my current understanding is that an authorization
> code is returned when the response_type is code token.
> If this is the case what steps are followed by the client to validate the
> authorization code?
Section 188.8.131.52 is only checking the authorization code against the ID
Token returned by the Authorization Endpoint, but with "code token", you
don't have an ID Token (btw, step 4 of 184.108.40.206 should only list "code
id_token token", not "code token", for this reason).
With "code token", you'd "validate" the authorization code the same way as
with the Authorization Code flow: by sending it to the Token Endpoint.
You'll then have an ID Token in the response, in which there might be a
c_hash to validate the authorization code against, and/or an at_hash for
the access token; this is covered in section 220.127.116.11.
> On Thu, 7 Mar 2019, 4:28 pm Thomas Broyer, <t.broyer at gmail.com> wrote:
>> Section 18.104.22.168 requires an ID Token, "code token" cannot use these
>> On Thu, Mar 7, 2019 at 13:54, Nughmman Butt via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>> I am going through the following website:
>>> My query relates to the Hybrid Flow Authentication.
>>> *Section 22.214.171.124 Successful Authentication Response states:*
>>> Authorization Code. This is always returned when using the Hybrid Flow."
>>> *section 126.96.36.199. Authentication Response Validation, clause 5 states:*
>>> "Follow the Authorization Code validation rules in Section 188.8.131.52 when
>>> the response_type value used is *code id_token* or *code id_token token*
>>> Shouldn't clause 5 mention all 3 hybrid flow response types i.e
>>> code id_token, code id_token token *AND CODE TOKEN*?
>>> Please advise.
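The c_hash / at_hash comparison mentioned in the reply above, as an added example that is not part of the original thread: OpenID Connect Core defines both values as the base64url encoding of the left-most half of the hash of the token's ASCII octets, with the hash function taken from the ID Token's `alg` header. The function names and sample values are illustrative, and the sketch assumes the ID Token signature and other claims have already been validated.

```python
import base64
import hashlib
import json

# Hash chosen by the ID Token's JOSE "alg" header (RS256/ES256/PS256 -> SHA-256, ...).
HASH_BY_ALG_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def half_hash(value: str, alg: str) -> str:
    """base64url of the left-most half of hash(ASCII octets of value)."""
    hash_fn = HASH_BY_ALG_SUFFIX.get(alg[-3:])
    if hash_fn is None:
        raise ValueError(f"unsupported alg for c_hash/at_hash: {alg!r}")
    digest = hash_fn(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def check_hashes(id_token: str, code: str, access_token: str) -> dict:
    """Map c_hash/at_hash to True, False, or None when the claim is absent.

    Assumes the ID Token's signature and claims were already validated.
    """
    header_b64, payload_b64, _signature = id_token.split(".")
    alg = json.loads(b64url_decode(header_b64))["alg"]
    claims = json.loads(b64url_decode(payload_b64))
    pairs = (("c_hash", code), ("at_hash", access_token))
    return {name: None if name not in claims else claims[name] == half_hash(value, alg)
            for name, value in pairs}


if __name__ == "__main__":
    # Constructed, unsigned sample token: c_hash present, at_hash omitted.
    code, access_token = "constructed-code-123", "constructed-access-token"
    header = b64url(json.dumps({"alg": "RS256"}).encode())
    payload = b64url(json.dumps({"sub": "alice", "c_hash": half_hash(code, "RS256")}).encode())
    print(check_hashes(f"{header}.{payload}.sig", code, access_token))
    print(check_hashes(f"{header}.{payload}.sig", "swapped-code", access_token))
```

A `None` result means the ID Token carried no such claim, which is the "there might be a c_hash" case in the reply; a `False` result means the code or access token is not the one the ID Token was issued with and the response should be rejected.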