Tags: authentication, oauth-2.0, authorization, openid-connect

grant_type vs response_type in OAuth2.0/OIDC


I can't quite understand the difference between response_type and grant_type in OAuth2.0/OIDC specifications.

My guess is that grant_type is specified in the URL when interacting with a token endpoint (to get access and/or refresh tokens), and the response_type is used when interacting with the authorization endpoint to get the identity token and the authorization code. Is that right?

If so, what should we use as a grant_type when using the hybrid flow?


Solution

  • response_type and grant_type are two mandatory parameters established in the OAuth 2.0 specification. Since OpenID Connect is built on OAuth 2.0, these two parameters are used in OpenID Connect too.

    response_type is used against the authorization endpoint. This parameter defines what the authorization response must contain. For example, code when using the authorization code grant (similarly, the authorization code flow in OpenID Connect).

    grant_type, on the other hand, is used against the token endpoint. It defines the grant used for the token request. For example, authorization_code is the grant used for the authorization code grant (similarly, the authorization code flow in OpenID Connect).

    For the hybrid flow, response_type is extended to have multiple segments. This was done through OAuth 2.0 Multiple Response Type Encoding Practices. This enables you to use a response_type such as response_type=id_token%20token. And grant_type will be the same as if you used the authorization code flow. It will be code. This is defined in the specification's hybrid token request.
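
The two legs the answer describes, as an added example that is not part of the original post: a client builds the authorization request (where response_type lives), reads the authorization response out of the query string or the URL fragment that the response_type selects, and then builds the token request (where grant_type lives). The endpoint URLs, client_id, state, nonce, code and id_token values are all constructed. The flow table follows OpenID Connect Core section 3, the default response mode follows OAuth 2.0 Multiple Response Type Encoding Practices section 2.1, and the token request uses grant_type=authorization_code as RFC 6749 section 4.1.3 defines for any flow that returned a code, the hybrid variants included.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# OpenID Connect Core, section 3: which flow a response_type selects.
# Multi-valued response_type values are space-separated and order-insensitive.
FLOW_BY_RESPONSE_TYPE = {
    frozenset({"code"}): "authorization_code",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
}

# Which response member each response_type segment promises.
MEMBER_FOR_SEGMENT = {"code": "code", "id_token": "id_token", "token": "access_token"}


def flow_for(response_type):
    """Name the flow, or refuse a response_type that is not one of the six defined ones."""
    parts = frozenset(response_type.split())
    if parts not in FLOW_BY_RESPONSE_TYPE:
        raise ValueError(f"unsupported response_type: {response_type!r}")
    return FLOW_BY_RESPONSE_TYPE[parts]


def default_response_mode(response_type):
    """Multiple Response Type Encoding Practices 2.1: only a bare 'code' comes back
    in the query string; anything that can carry a token comes back in the fragment,
    which the browser never sends to the server hosting redirect_uri."""
    return "query" if set(response_type.split()) == {"code"} else "fragment"


def authorization_request(authorize_endpoint, client_id, redirect_uri,
                          response_type, scope, state, nonce=None):
    """Authorization endpoint request: this is where response_type is used."""
    flow_for(response_type)  # reject unknown combinations before building the URL
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    if "id_token" in response_type.split():
        if nonce is None:
            raise ValueError("nonce is REQUIRED when an id_token comes from the authorization endpoint")
        params["nonce"] = nonce
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_authorization_response(redirect_url, response_type, expected_state):
    """Read the authorization response from the URL part the response_type dictates,
    then check state and that every member the response_type promised is present."""
    url = urlsplit(redirect_url)
    raw = url.query if default_response_mode(response_type) == "query" else url.fragment
    params = {k: v[0] for k, v in parse_qs(raw, strict_parsing=True).items()}
    if "error" in params:
        raise RuntimeError(f"authorization error: {params['error']}")
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise RuntimeError("state mismatch: possible CSRF or a response for another request")
    missing = [MEMBER_FOR_SEGMENT[s] for s in response_type.split()
               if MEMBER_FOR_SEGMENT[s] not in params]
    if missing:
        raise RuntimeError(f"authorization response lacks {missing}")
    return params


def token_request(code, client_id, redirect_uri):
    """Token endpoint request body: this is where grant_type is used (RFC 6749 4.1.3).
    The same body serves the authorization code flow and every hybrid variant."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id}


def hybrid_flow_demo():
    """Both legs of a 'code id_token' hybrid flow with constructed values."""
    state, nonce = "af0ifjsldkj", "n-0S6_WzA2Mj"  # constructed, would be random per request
    url = authorization_request("https://op.example.com/authorize", "s6BhdRkqt3",
                                "https://client.example.org/cb", "code id_token",
                                "openid profile", state, nonce)
    # Constructed redirect from the OP; the response arrives in the fragment.
    redirect = ("https://client.example.org/cb#code=SplxlOBeZQQYbYS6WxSbIA"
                "&id_token=eyJhbGciOiJSUzI1NiJ9.constructed-claims.constructed-signature"
                "&state=af0ifjsldkj")
    resp = parse_authorization_response(redirect, "code id_token", state)
    # The front-channel id_token still needs signature, nonce and c_hash validation
    # (OpenID Connect Core 3.3.2.11) before the code is trusted; omitted here.
    return url, token_request(resp["code"], "s6BhdRkqt3", "https://client.example.org/cb")
```

Note that default_response_mode is the security-relevant part of the mapping: once a response_type can deliver a token, the response moves to the fragment, so the server side of the client never sees it and must not expect it in the query string. An explicit response_mode parameter can override this default, which the example does not model.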