Applications that are able to securely store Client Credentials may benefit from the use of the Hybrid Flow (defined in the OpenID Connect specification, section 3.3). The Hybrid Flow allows your application to have immediate access to an ID Token while ensuring secure and safe retrieval of Access Tokens and Refresh Tokens. This can be useful in situations where your application needs to immediately access information about the user, but must perform some processing before gaining access to protected resources for an extended period of time.
How it works
The Hybrid Flow combines steps from the Implicit Flow with Form Post and Authorization Code Flow:
- User selects Login within application.
- Application redirects user to Auth0 Authorization Server (/authorize endpoint), passing along a response_type parameter indicating the type of requested credential (ID token and authorization code), and a response_mode parameter of form_post to ensure security.
- Auth0 Authorization Server redirects user to login and authorization prompt.
- User authenticates using one of the configured login options, and may see a consent prompt listing the permissions Auth0 will give to the application.
- Auth0 Authorization Server redirects user back to application with a single-use authorization code, and an ID token, access token, or both, depending on the provided response_type.
- Application sends the authorization code, the application's client ID, and the application's credentials, such as Client Secret or Private Key JWT, to Auth0 Authorization Server (/oauth/token endpoint).
- Auth0 Authorization Server verifies the authorization code, the application's client ID, and the application's credentials.
- Auth0 Authorization Server responds with a second ID token and access token (and optionally, a refresh token).
- Application can use the second access token to call an API to access information about the user.
- API responds with requested data.
If your application only needs to use Hybrid Flow for sign-on, you will not need a Refresh Token or an Access Token, only an ID Token with claims.
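The steps above, as an added example that is not Auth0's own code: it builds the /authorize request (response_type of code id_token, response_mode of form_post), validates the form-posted callback before exchanging the code, and assembles the /oauth/token request body. It goes beyond the page in one respect: when an ID token is returned alongside a code, OpenID Connect Core requires a c_hash claim binding that code to the token, and the callback check verifies it. The domain, client ID, redirect URI and sample code are constructed placeholders, and the ID token claims are assumed to come from a token whose signature has already been verified.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholder values, not real tenant settings.
AUTH0_DOMAIN = "YOUR_DOMAIN.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example/callback"


def build_authorize_url(state, nonce):
    """Step 2: send the browser to /authorize asking for a code plus an ID
    token, returned via form_post rather than in a URL fragment."""
    params = {
        "response_type": "code id_token",
        "response_mode": "form_post",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,   # per-session CSRF token, stored server side
        "nonce": nonce,   # per-session value echoed back inside the ID token
    }
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


def expected_c_hash(code):
    """OIDC Core 3.3.2.11: base64url of the left half of the hash of the code,
    using the hash behind the ID token's alg (SHA-256 for RS256)."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def check_callback(form, id_token_claims, expected_state, expected_nonce):
    """Step 5: validate the POSTed callback before exchanging the code.
    Returns (ok, reason); reject on the first failed binding."""
    if not secrets.compare_digest(form.get("state", ""), expected_state):
        return False, "state mismatch (possible CSRF)"
    if id_token_claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (token not issued for this session)"
    if id_token_claims.get("c_hash") != expected_c_hash(form.get("code", "")):
        return False, "c_hash mismatch (code not bound to this ID token)"
    return True, "ok"


def build_token_request(code, client_secret):
    """Step 6: body for POST /oauth/token, sent from the backend, which is the
    only place the client secret should live."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }
```

The second ID token and access token from /oauth/token are the ones to use for API calls; the ID token from the callback only proves who signed in and which code belongs to them.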