F.4.3 Authentication by Using Hybrid Flow

The Hybrid flow uses the Authorization Endpoint and the Token Endpoint to validate the tokens. The response type can be any of the following combinations: code id_token, code token, or code id_token token. The client application can request any combination of authorization code, ID token, and access token.

This flow can be used for native applications, web applications, or mobile applications that need to retrieve the authorization code, access tokens, and ID tokens based on the requirement.

For more information about using different response types, such as code and id_token, in a request for the hybrid flow, see the NetIQ Access Manager 5.0 Administration API Guide.

NOTE: The authorization code can be exchanged only one time. Hence, if you use the authorization code and access token combination, the code cannot be used to exchange for the token again.

Process Flow

  1. The client application generates an authentication request containing the desired request parameters and sends the request to the authorization server.

  2. The authorization server authenticates the user.

  3. The authorization server obtains the user consent.

  4. The authorization server sends the user to the client application with an Authorization Code. Based on the response type, an ID token and an access token are sent along with the code.

  5. The client requests a response using the Authorization Code at the Token Endpoint.

  6. The client receives a response containing an ID token and an access token in the response body.

  7. The client application validates the ID token and retrieves the user’s subject identifier.
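
The ID token validation in step 7, applied to the authorization response from step 4, as an added example that is not part of the NetIQ documentation: OpenID Connect Core has the ID token returned with the code carry c_hash (and at_hash when an access token is also returned), so the client can confirm that the code and access token were issued together with that ID token. Function names and sample values are constructed for illustration; signature, issuer, audience, and expiry validation are assumed to be done beforehand by a JWT library.

```python
import base64, hashlib, json
from urllib.parse import parse_qs

HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def left_half_hash(value: str, alg: str) -> str:
    """c_hash/at_hash: base64url of the left half of the hash matching the JWS alg."""
    if alg[-3:] not in HASHES:
        raise ValueError(f"unsupported alg {alg!r}")
    digest = HASHES[alg[-3:]](value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def jwt_part(token: str, index: int) -> dict:
    part = token.split(".")[index]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_hybrid_response(fragment: str, state: str, nonce: str) -> str:
    """Step 4 checks for a response that carries an id_token; returns the subject.
    Assumes signature, iss, aud and exp were already verified with a JWT library."""
    params = {k: v[0] for k, v in parse_qs(fragment).items()}
    if params.get("state") != state:
        raise ValueError("state mismatch")
    id_token = params["id_token"]
    alg, claims = jwt_part(id_token, 0)["alg"], jwt_part(id_token, 1)
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if claims.get("c_hash") != left_half_hash(params["code"], alg):
        raise ValueError("c_hash mismatch: code does not belong to this ID token")
    token = params.get("access_token")
    if token is not None and claims.get("at_hash") != left_half_hash(token, alg):
        raise ValueError("at_hash mismatch: access token does not belong to this ID token")
    return claims["sub"]

def constructed_fragment(code: str = "constructed-code-1", token: str = "constructed-at-1") -> str:
    """Constructed sample response (placeholder signature, not from a real server)."""
    claims = {"sub": "user-123", "nonce": "n-1", "c_hash": left_half_hash(code, "RS256"),
              "at_hash": left_half_hash(token, "RS256")}
    jwt = ".".join([b64url(b'{"alg":"RS256"}'), b64url(json.dumps(claims).encode()), "sig"])
    return f"code={code}&access_token={token}&state=s-1&id_token={jwt}"

if __name__ == "__main__":
    print(check_hybrid_response(constructed_fragment(), "s-1", "n-1"))  # user-123
```

Run these checks before sending the code to the Token Endpoint in step 5, so that a code that fails the c_hash comparison is never exchanged.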