<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 7, 2019 at 2:53 PM Nughmman Butt <<a href="mailto:nughmman.butt@gmail.com">nughmman.butt@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">With the hybrid scheme my current understanding is that an authorization code is returned when the response_type is code token.<div dir="auto"><br></div><div dir="auto">If this is the case, what steps are followed by the client to validate the authorization code?</div></div></blockquote><div><br></div><div>Section 3.3.2.10 is only checking the authorization code against the ID Token returned by the Authorization Endpoint, but with "code token", you don't have an ID Token (btw, step 4 of 3.3.2.8 should only list "code id_token token", not "code token", for this reason).</div><div>With "code token", you'd "validate" the authorization code the same way as with the Authorization Code flow: by sending it to the Token Endpoint. You'll then have an ID Token in the response, in which there might be a c_hash to validate the authorization code against, and/or an at_hash for the access token; this is covered in section 3.3.3.6.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div dir="auto">Rgds</div></div><div dir="auto"><div dir="auto">Nughmman </div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 7 Mar 2019, 4:28 pm Thomas Broyer, <<a href="mailto:t.broyer@gmail.com" target="_blank">t.broyer@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Section 3.3.2.10 requires an ID Token, "code token" cannot use these steps.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 
7 Mar 2019 at 13:54, Nughmman Butt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" rel="noreferrer" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)">Hello,</span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<span style="background:rgb(240,240,240)">I am going through the following website:</span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
</span><a href="https://openid.net/specs/openid-connect-core-1_0.html" style="color:rgb(5,99,193)" rel="noreferrer noreferrer" target="_blank"><span style="font-family:Helvetica,sans-serif;color:rgb(17,85,204);background:rgb(240,240,240)">https://openid.net/specs/openid-connect-core-1_0.html</span></a><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<br>
<span style="background:rgb(240,240,240)">My query relates to the Hybrid Flow
Authentication.</span><br>
<br>
<b><span style="background:rgb(240,240,240)">Section 3.3.2.5 Successful Authentication
Response states:</span></b><span style="background:rgb(240,240,240)"></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 12pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<span style="background:rgb(240,240,240)">"code</span><br>
<span style="background:rgb(240,240,240)">Authorization Code. This is always returned
when using the Hybrid Flow."</span><br>
<br>
<span style="background:rgb(240,240,240)"></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)">section 3.3.2.8. Authentication Response
Validation, clause 5 states:</span></b></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)"> </span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)">"Follow the Authorization Code validation rules in
Section 3.3.2.10 when the response_type value used is <b>code id_token</b> or <b>code
id_token token</b>."</span><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<br>
<span style="background:rgb(240,240,240)">Shouldn't clause 5 mention all 3 hybrid flow
response types, i.e.</span><br>
<span style="background:rgb(240,240,240)">code id_token, code id_token token <b>AND CODE
TOKEN</b>?</span><br>
<br>
<span style="background:rgb(240,240,240)">Please advise.</span><br>
<br>
<span style="background:rgb(240,240,240)">Rgds</span><br>
<span style="background:rgb(240,240,240)">Nughmman</span></span></p></div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" rel="noreferrer noreferrer" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div></div>
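The c_hash / at_hash check that the reply above points to (Core 3.3.2.10, 3.3.2.11 and 3.3.3.6), as an added example that is not code from this thread or from the OpenID Foundation: the hash is the left-most half of the digest implied by the ID Token's JWS alg over the ASCII octets of the code or access token, base64url-encoded without padding. It assumes the alg's digest is given by its numeric suffix (RS256, ES384, HS512, ...); the sample code and token values are constructed, not real.

```python
import base64
import hashlib
import hmac

# Digest implied by the ID Token's JWS "alg": RS256/ES256/HS256 -> SHA-256, etc.
# Assumption for this example: only algs whose name ends in 256/384/512 are handled.
_DIGESTS = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def token_hash(value: str, alg: str) -> str:
    """c_hash/at_hash rule: left-most half of hash(ASCII octets), base64url, no padding."""
    digest_fn = _DIGESTS.get(alg[-3:])
    if digest_fn is None:
        raise ValueError(f"unsupported ID Token alg: {alg}")
    digest = digest_fn(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def _hash_claim_ok(claims: dict, claim: str, value, alg: str, required: bool) -> bool:
    """A present claim must match in constant time; an absent claim passes only if optional."""
    claimed = claims.get(claim)
    if claimed is None:
        return not required
    if value is None:
        return False  # server sent a hash but the client holds nothing to check it against
    return hmac.compare_digest(claimed, token_hash(value, alg))


def validate_token_endpoint_id_token(claims, alg, code, access_token):
    """'code token': the only ID Token comes from the Token Endpoint (3.3.3.6), where
    c_hash and at_hash are optional but must match whenever the OP includes them."""
    return (_hash_claim_ok(claims, "c_hash", code, alg, required=False)
            and _hash_claim_ok(claims, "at_hash", access_token, alg, required=False))


def validate_authorization_endpoint_id_token(claims, alg, code, access_token=None):
    """'code id_token' / 'code id_token token': c_hash is required (3.3.2.10) and
    at_hash is required when an access token came back alongside it (3.3.2.11)."""
    return (_hash_claim_ok(claims, "c_hash", code, alg, required=True)
            and _hash_claim_ok(claims, "at_hash", access_token, alg,
                               required=access_token is not None))


# Constructed sample values (not real tokens) for the 'code token' path described above.
SAMPLE_CODE = "SplxlOBeZQQYbYS6WxSbIA"
SAMPLE_ACCESS_TOKEN = "constructed-access-token-value"
SAMPLE_CLAIMS = {"c_hash": token_hash(SAMPLE_CODE, "RS256"),
                 "at_hash": token_hash(SAMPLE_ACCESS_TOKEN, "RS256")}
print(validate_token_endpoint_id_token(SAMPLE_CLAIMS, "RS256", SAMPLE_CODE, SAMPLE_ACCESS_TOKEN))
```

The same helpers also cover the "code id_token" and "code id_token token" cases, where the ID Token arrives from the Authorization Endpoint and the hashes are mandatory rather than optional.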