In OpenID Connect, what's the purpose of "code id_token" hybrid workflow when "code" flow does the same thing more securely?

Question

While taking an ASP.NET identity security course with OpenID Connect/OAuth2, I learned about the differences and pro/cons of different workflows.

Specifically, I'm confused about the purpose of the code id_token hybrid workflow, which is just like the authorization code workflow, except that it also returns a (simplified) id_token from the front channel.

So my first question is, if later on the full id token and access token are to be retrieved again via the back channel anyway, what is the purpose of having a watered-down id_token returned by the first (less secure) request in the first place?

Another thing is about security: course instructor mentioned that hybrid workflow with code id_token is considered secure even without PKCE protection for two reasons:

1. The initial id_token contains a c_hash value that ties it to the authorization code, protecting it against authorization code leak/replay attack

My question: Since this initial id_token is returned along side authorization code in the exact same manner, if authorization code is compromised, shouldn't we assume that the id_token is also compromised, making this protection ineffective?

2. The nonce string ensures one-time use of the authorization code

My question: Since nonce is included as plain text in URL, if the attacker manages to post the redirection response to the client before the legit user does, along with the authorization code, the attack will be successful, right?

Given these, is it correct to say authorization code workflow with PKCE protection (plus nonce) is more secure than the code id_token hybrid workflow without PKCE?

Thanks.

Answer 1

The main use case for Hybrid Flow is for web clients that require different tokens for front end and back end:

• Web front end receives the ID token and can read its claims
• Only the web back end receives access + refresh tokens, then issues an auth cookie to the web front end

HYBRID FLOW CHARACTERISTICS

Redirect with a response type of code id_token and receive an ID token back in a query string, along with the authorization code. To prevent substitution attacks you supply a nonce value during the redirect and then verify that the same value exists in the response as an ID token claim.

SECURITY

In terms of security it is used in conjunction with PKCE. If used with care, the security is properly thought out and included in the OpenID Connect Specification. It requires more conplex code in clients though.

Also, if personal data such as names and emails are included in ID tokens, it is revealed to the browser history and server logs. This is something to look out for in ID tokens generally. It is usually better to get such fields from the User Info endpoint instead.

FINANCIAL GRADE RECOMMENDATIONS

These days, receiving all tokens on the back channel, using response_type=code, is usually recommended. This is reflected in FAPI 2.0 which now mandates no ID token on the front channel.