[Openid-specs-ab] Hybrid Flow use cases and client confidentiality requirements

Sergey Beryozkin sberyozkin at gmail.com
Tue Mar 8 13:34:46 UTC 2016

Hi All

I'm not understanding clearly enough why OIDC hybrid flows will be used. 
I can imagine a situation where a complex 'client' which is probably a 
combination of the in-browser running implicit JavaScript client + the 
web server client this implicit client is linked is used.

But it will help myself and other implementers to understand better what 
are use cases (even a single use case) here ?

What confuses me is what are the real client confidentiality 
requirements here.

For example, a public client may be restricted to request a token via 
the implicit flow but not the code. Likewise a confidential client may 
be prevented from requesting a token via the implicit flow but only 
allowed to request a code. But with the hybrid flow - it is everything 
that one can possibly get from OAuth2 server supporting the redirection 
based flows.

Can it make sense to introduce a 'hybrid' client term ?

Thanks, Sergey

More information about the Openid-specs-ab mailing list