Hybrid Flow
This flow is a combination of the implicit flow and authorization code flow.
It is used when the client does not want to create their own login page, but still wants refresh token ability. Raven recommends this flow because the user only has to login once and then the refresh token can be used to retrieve access tokens going forward.
- The flow starts by redirecting the user to the authorize endpoint using a URL.
- The URL contains the client ID, requested scopes, and redirection URI to which the authorization web service sends the user after access is granted or denied.
- This is in the following format:
https://auth.agsync.com/core/connect/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_mode=form_post&response_type=code+id_token+token&scope=openid+profile+email+agsync+roles+offline_access&state=STATE&nonce=NONCE
- The user is prompted for his or her sign-in credentials and grants or denies the client's access request.
- If the user has granted access, the token server redirects the user to the client by using the redirection URI that was provided in the initial request.
- The redirection is done via a form post to the redirection URI. The authorization code, access token, identity token, scope and expiration are included in the form post.
- For example:
<form
method="post"
action="REDIRECT_URI"
>
<input
type="hidden"
name="code"
value="CODE"
/>
<input
type="hidden"
name="id_token"
value="TOKEN"
/>
<input
type="hidden"
name="access_token"
value="TOKEN"
/>
<input
type="hidden"
name="token_type"
value="Bearer"
/>
<input
type="hidden"
name="expires_in"
value="43200"
/>
<input
type="hidden"
name="scope"
value="openid profile email agsync roles"
/>
<input
type="hidden"
name="state"
value="STATE"
/>
<input
type="hidden"
name="session_state"
value="SESSION_STATE"
/>
</form>
- Using the “code” in the response, the client then makes another call to the token endpoint to obtain a refresh token:
POST /core/connect/token HTTP/1.1
Host: auth.agsync.com
Authorization: Basic [Client ID and secret base64 encoded]
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=[CODE]&redirect_uri=[REDIRECT_URI]
- The response will contain JSON with the property “refresh_token” as well as the access token, expiry time and token type.
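The client side of the steps above, as an added Python example that is not part of the AgSync/Raven documentation: it builds the authorize URL with a fresh state and nonce, checks the form_post callback against the stored state, verifies the nonce claim of an already signature-checked id_token, and assembles the back-channel code exchange. The endpoints and scopes are the ones on the page; the `session` dict, the client id/secret placeholders and the redirect URI `https://client.example/callback` are assumptions. Signature, `c_hash` and `at_hash` validation of the id_token are left to a JWT library and not shown.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode

# Endpoints and scopes as given on the page; everything else below is assumed.
AUTHORIZE_ENDPOINT = "https://auth.agsync.com/core/connect/authorize"
TOKEN_ENDPOINT = "https://auth.agsync.com/core/connect/token"
SCOPES = "openid profile email agsync roles offline_access"


def _same(a, b):
    """Constant-time comparison that tolerates arbitrary (even non-ASCII) input."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def start_login(session, client_id, redirect_uri):
    """Step 1: mint state/nonce, remember them server-side (`session` stands in
    for the client's session store) and build the authorize URL to redirect to."""
    state = secrets.token_urlsafe(32)   # ties the callback to this browser session
    nonce = secrets.token_urlsafe(32)   # must reappear in the id_token's nonce claim
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "response_type": "code id_token token",
        "scope": SCOPES,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, form):
    """Step 2: validate the form_post callback. `form` is the dict of posted
    fields. The stored state is single-use: it is popped whether or not it matches."""
    expected_state = session.pop("oidc_state", None)
    if "error" in form:
        raise ValueError("authorization denied: " + str(form["error"]))
    if expected_state is None or not _same(form.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback is not tied to a login we started")
    for field in ("code", "id_token", "access_token"):
        if not form.get(field):
            raise ValueError("callback missing " + field)
    return {"code": form["code"], "id_token": form["id_token"],
            "access_token": form["access_token"]}


def check_nonce(session, id_token_claims):
    """Step 3: once the id_token signature has been verified (JWT library, not
    shown), confirm its nonce claim is the one issued in step 1."""
    expected_nonce = session.pop("oidc_nonce", None)
    if expected_nonce is None or not _same(id_token_claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch: id_token was not issued for this login")
    return True


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 4: the back-channel exchange of the code for a refresh token.
    Returned as data so it can be inspected or sent with any HTTP client."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in step 1
    })
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": "Basic " + credentials,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }


def parse_token_response(token_json):
    """Step 5: pull out the fields the page says the token response carries."""
    required = ("access_token", "refresh_token", "expires_in", "token_type")
    missing = [k for k in required if k not in token_json]
    if missing:
        raise ValueError("token response missing " + ", ".join(missing))
    return {k: token_json[k] for k in required}


if __name__ == "__main__":
    demo_session = {}
    print(start_login(demo_session, "CLIENT_ID", "https://client.example/callback"))
```

The state check is what stops a callback forged or replayed from another browser from being accepted, and popping it on first use means a second post with the same values fails closed. The code exchange carries the client secret only on the back channel, which is why the refresh token is never exposed in the form post itself.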