Authorization flows are the result of two parameters operating at two different endpoints:response_type at the authorization endpoint and grant_type at the token endpoint. Understanding the distinction between them is key to reasoning about which flow is executing.
response_type
Sent to the authorization endpoint. Tells the server which grant flow the client wants and what it expects in return:
code— Authorization Code flow; server returns an authorization codetoken— Implicit flow; server returns an access token directlyid_token token— adds OpenID user identity; must includeopenidscope
javascript
// Authorization endpoint — client specifies response_type to determine the flow
// response_type=code → Authorization Code flow; server returns an authorization code
GET /connect/authorize
?response_type=code
&client_id=my_client
&redirect_uri=https://myapp.com/callback
&scope=openid profile api1
&state=abc123grant_type
Sent to the token endpoint. Tells the server what the client is exchanging for an access token:
authorization_code— exchange the code received from the authorization endpointrefresh_token— exchange a refresh token for a new access tokenclient_credentials— machine-to-machine; exchange client secret for access token
javascript
// Token endpoint — client exchanges the authorization code for an access token
// grant_type=authorization_code → exchange code for token
POST /connect/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https://myapp.com/callback
&client_id=my_client
&client_secret=my_secret
// grant_type=refresh_token → exchange refresh token for a new access token
POST /connect/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
&client_id=my_client
&client_secret=my_secret
// grant_type=client_credentials → machine-to-machine; no user context
POST /connect/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=my_client
&client_secret=my_secret
&scope=api1Flow ↔ response_type Mapping
| Flow | response_type |
|---|---|
| AuthorizationCode | code |
| Implicit | token |
| Implicit | id_token |
| Hybrid | id_token token |
| Hybrid | code id_token |
| Hybrid | code token |
| Hybrid | code id_token token |
GrantTypes in IdentityServer4
IdentityServer4 defines 6 grant types in its source and exposes them through the GrantTypes static class. A client's AllowedGrantTypes determines which flows it can participate in:
csharp
// IdentityServer4 — GrantTypes.Code maps to authorization_code + optional refresh_token
new Client
{
ClientId = "my_client",
ClientSecrets = { new Secret("my_secret".Sha256()) },
AllowedGrantTypes = GrantTypes.Code, // authorization_code
// GrantTypes.ClientCredentials // client_credentials
// GrantTypes.Implicit // implicit (front-channel only)
// GrantTypes.ResourceOwnerPassword // resource owner password
// GrantTypes.Hybrid // code + id_token combinations
// GrantTypes.DeviceFlow // device authorization
RedirectUris = { "https://myapp.com/callback" },
AllowOfflineAccess = true, // enables refresh_token grant
AllowedScopes = { "openid", "profile", "api1" },
};