OpenID Connect defines three flows for authentication. The flow chosen dictates how the OpenID Connect Provider handles the authentication request, including which tokens can be sent to the client application, from which endpoint, and over which channel (through the user agent or server-to-server).
Authorization Code Flow
The authorization code flow returns an authorization code (like it says on the tin) that can then be exchanged for an identity token and/or access token. Retrieving the tokens from the back end requires client authentication using a client id and secret, which has the benefit of not exposing tokens to the user agent (i.e. a web browser): the only thing that passes through the browser is the short-lived, single-use code. This flow allows for long lived access (through the use of refresh tokens). Clients using this flow must be able to maintain a secret. (PKCE, defined later in RFC 7636, extends the code flow to public clients that cannot keep a secret, but that is outside the OpenID Connect Core tables below.)
This flow obtains the authorization code from the authorization endpoint; all tokens are returned from the token endpoint.
Implicit Flow
The implicit flow requests tokens without explicit client authentication; the only check on client identity is that the tokens are delivered to the client's pre-registered redirect URI. Because of this, refresh tokens are not allowed, nor is this flow suitable for long lived access tokens. The tokens arrive in the URL fragment of the redirect, so they are exposed to the user agent and to anything that can read the browser's location. Because the identity token comes straight from the authorization endpoint, the nonce parameter is required in the request and the client must check that the nonce claim in the returned identity token matches it, to prevent replay. From the client application's point of view, this is the simplest to implement, as there is only one round trip to the OpenID Connect Provider; note, however, that the OAuth 2.0 Security Best Current Practice now recommends against returning access tokens from the authorization endpoint in this way.
This flow obtains all tokens from the authorization endpoint.
Hybrid Flow
The hybrid flow is a combination of aspects from the previous two. It returns an authorization code together with an identity token and/or access token from the authorization endpoint in one round trip to the OpenID Connect Provider, so the client can make immediate use of the identity token while exchanging the code at the token endpoint for the remaining tokens. As with the implicit flow, the nonce is required, and the identity token issued from the authorization endpoint carries a c_hash claim (and an at_hash claim when an access token is also returned) that the client must validate against the code (and access token) it received alongside it. This flow can be used for long lived access (again, through the use of refresh tokens). Clients using this flow must be able to maintain a secret.
This flow can obtain an authorization code and tokens from the authorization endpoint, and can also request tokens from the token endpoint.
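The three flows described above, as an added worked example that is not part of the original article: the client-side logic for building the front-channel authentication request for a given response_type, reading the provider's callback from the query string (code flow) or the fragment (implicit and hybrid flows), and preparing the back-channel token request with client authentication. The provider endpoints, client id, client secret and redirect URI are made-up placeholders, and the callback URLs in the demo are constructed rather than captured from a real provider.

```python
# Added example (not from the original article): building the authorization
# request for each OpenID Connect flow and reading back the callback.
# Endpoints, client id, secret and redirect URI below are made-up placeholders.
import base64
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# response_type values defined in OpenID Connect Core 1.0, section 3.
FLOW_BY_RESPONSE_TYPE = {
    "code": "authorization_code",
    "id_token": "implicit",
    "id_token token": "implicit",
    "code id_token": "hybrid",
    "code token": "hybrid",
    "code id_token token": "hybrid",
}
_ORDER = ["code", "id_token", "token"]


def flow_for(response_type):
    """Map a response_type string to its flow; the order of the values is not significant."""
    parts = response_type.split()
    if not parts or len(set(parts)) != len(parts) or any(p not in _ORDER for p in parts):
        raise ValueError("unknown response_type: %r" % response_type)
    return FLOW_BY_RESPONSE_TYPE[" ".join(sorted(parts, key=_ORDER.index))]


def build_authorization_request(authz_endpoint, client_id, redirect_uri,
                                response_type, scope="openid",
                                state=None, nonce=None):
    """Return (url, state, nonce) for the front-channel request sent via the user agent."""
    flow = flow_for(response_type)
    # state binds the callback to this request (CSRF protection); store it server-side.
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    if flow in ("implicit", "hybrid"):
        # The ID token comes straight from the authorization endpoint in these
        # flows, so a nonce is required to tie that token to this request.
        nonce = nonce or secrets.token_urlsafe(16)
    if nonce is not None:
        params["nonce"] = nonce
    return authz_endpoint + "?" + urlencode(params), state, nonce


def parse_callback(callback_url, expected_state, response_type):
    """Extract the parameters the provider returned to the redirect URI."""
    flow = flow_for(response_type)
    parsed = urlsplit(callback_url)
    # Default response_mode: query for the code flow, fragment for implicit and hybrid.
    raw = parsed.query if flow == "authorization_code" else parsed.fragment
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed response")
    if "error" in params:
        raise ValueError("provider returned error: " + params["error"])
    # In the implicit and hybrid flows the caller must still validate the ID token
    # (signature, iss, aud, exp, nonce, and c_hash/at_hash for hybrid) before use.
    return params


def token_request(token_endpoint, code, redirect_uri, client_id, client_secret):
    """Back-channel code exchange using client_secret_basic authentication."""
    # RFC 6749 2.3.1: form-urlencode id and secret before base64-encoding them.
    creds = "%s:%s" % (quote(client_id, safe=""), quote(client_secret, safe=""))
    header = "Basic " + base64.b64encode(creds.encode()).decode()
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {"Authorization": header,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": {"grant_type": "authorization_code", "code": code,
                 "redirect_uri": redirect_uri},
    }


if __name__ == "__main__":
    # Hybrid flow walk-through with a constructed callback (no real provider involved).
    url, state, nonce = build_authorization_request(
        "https://op.example/authorize", "app", "https://app.example/cb", "code id_token")
    print("redirect user agent to:", url)
    callback = "https://app.example/cb#code=abc&id_token=x.y.z&state=" + state
    got = parse_callback(callback, state, "code id_token")
    print("token request:", token_request("https://op.example/token", got["code"],
                                          "https://app.example/cb", "app", "s3cret"))
```

The demo walks the hybrid flow: the identity token is usable as soon as the fragment is parsed, while the code is exchanged server-to-server with the client secret. Swapping the response_type to "code" moves the callback parameters into the query string and drops the nonce requirement; "id_token token" keeps everything in the fragment and never touches the token endpoint.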
| Property | Authorization Code Flow | Implicit Flow | Hybrid Flow |
|---|---|---|---|
| All tokens returned from authorization endpoint | no | yes | no |
| All tokens returned from token endpoint | yes | no | no |
| Tokens sent via user agent | no | yes | yes |
| Client can be authenticated (e.g. using client secret) | yes | no | yes |
| Can use refresh tokens | yes | no | yes |
| Communication in one round trip | no | yes | no |
| Most communication server-to-server | yes | no | varies |
Response Types by Flow
| response_type value | Flow |
|---|---|
| code | Authorization Code Flow |
| id_token | Implicit Flow |
| id_token token | Implicit Flow |
| code id_token | Hybrid Flow |
| code token | Hybrid Flow |
| code id_token token | Hybrid Flow |
Tables adapted from the OpenID Connect 1.0 Core Specification (section 3).