OIDC Flows

Establishing the Path of Trust

OIDC Flows (also known as Grant Types) are the specific sequences of interactions that allow an application to securely obtain a user’s identity. Built upon the standard OAuth 2.0 handshake, these flows are optimized for different application architectures—balancing the need for high security with the constraints of the client environment (such as a browser-side application versus a secure backend server). Choosing the correct flow is the most critical architectural decision in OIDC, as it determines how sensitive artifacts like the ID Token are delivered and how the user’s session is established across the organizational perimeter.

Core Mission

Sovereign Identity Exchange. Defining the secure protocols used to transport user assertions from the Identity Provider to the Service Provider, ensuring integrity and non-repudiation.

Like the Highway to Identity: Imagine an IdP is a city where every citizen has a passport. There are different ways to get that passport to a travel agent (The Application). You can drive it yourself (Front-Channel), send it through a secure courier (Back-Channel), or use a combination of both. The "Flow" is the specific route and vehicle used to Move the identity data safely from Point A to Point B.

Responsive Web / Mobile Apps / Single-Page Apps (SPA)

The OIDC Flow Strategy Matrix

Selecting the right flow requires matching your technical architecture to the security capabilities of the client.

Strategic Selection Grid

Flow	Client Type	Artifacts Received	Security Status
Auth Code	Server-side Backend.	`code` → `id_token` + `access_token`.	Recommended (Gold Standard).
Code + PKCE	SPAs & Mobile Apps.	`code` → `id_token` + `access_token`.	Mandatory for Public Clients.
Hybrid	High-security Web.	`id_token` + `code` (Front-Channel).	Recommended for specific IDs.
Implicit	Legacy SPAs.	`id_token` + `access_token` (Front-Channel).	Deprecated.

The Handshake Lifecycle

Every OIDC flow follows a predictable sequence of events to ensure the final identity assertion is valid and fresh.

graph LR
    Select[Select response_type] --> Request[Authorize Request]
    Request --> Consent[User Consent]
    Consent --> Exchange[Token Exchange]
    Exchange --> Validate[Signature Verification]
    Validate --> Session[Establish Session]

Initiate with Intent

The application defines its security intent via the `response_type` parameter (e.g., `code`). It also sends a `nonce` and a `state` to ensure the final ID token is fresh and bound to the specific request.

Exchange & Assert

In the standard flow, the client receives a temporary code and swaps it via a secure back-channel for the final identity artifacts. This ensures the full ID Token is never exposed in the browser's address bar or local logs.

Verify & Establish

The application cryptographically validates the ID Token's signature, issuer (`iss`), and audience (`aud`). Once the identity is confirmed, the app maps the identity to a local user and creates an authenticated session.

Technical Flow Implementation

Implementing OIDC requires managing the precise parameters of the authorization request.

Authorization Request (URL Example)

https://auth.example.com/authorize?
    response_type=code&
    client_id=client_abc_123&
    redirect_uri=https://app.example.com/callback&
    scope=openid%20profile%20email&
    state=xyz789&
    nonce=nonce123

OIDC Implementation Guides

Master the technical details of the various OIDC authentication patterns.

Next Steps

Explore PKCE for OIDC to secure mobile and SPA authentication.
Review Response Modes (form_post, fragment) for optimizing artifact delivery.
Check OpenID Connect Core Specification for the technical protocol details.