IdentityServer4 — Part 3 — Flows — Digitteck
IdentityServer4 — Part 3 — Flows
dotnet·26 September 2019·4 min read

IdentityServer4 — Part 3 — Flows

The response_type parameter selects the OpenID Connect flow. The 7 possible values and what each triggers are documented in the OIDC flow diagrams reference.

Flows By response_type

response_type=code

  1. Client sends browser to /authorize?response_type=code
  2. User authenticates at the Identity Server
  3. Server redirects to redirect_uri with an authorization code in the query string
  4. Client backend exchanges the code at /token (grant_type=authorization_code) using client secret
  5. Token endpoint returns access_token (and optionally refresh_token if offline_access scope was requested)
  6. Client uses access_token to call protected APIs

response_type=token

  1. Client sends browser to /authorize?response_type=token
  2. User authenticates at the Identity Server
  3. Server redirects to redirect_uri with access_token in the URL fragment (#)
  4. No token endpoint call — token is returned directly from the authorization endpoint
  5. No refresh token issued (front channel only)

response_type=id_token

  1. Client sends browser to /authorize?response_type=id_token (must include scope=openid)
  2. User authenticates
  3. Server redirects with id_token in the URL fragment — contains user identity claims
  4. No access_token, no refresh_token — identity assertion only

response_type=id_token token

  1. Client sends browser to /authorize?response_type=id_token%20token
  2. User authenticates
  3. Server redirects with both id_token and access_token in the URL fragment
  4. No refresh token; both are delivered front-channel (implicit)

response_type=code id_token

  1. Hybrid flow — client requests both a code and an id_token in the same redirect
  2. Client receives: authorization code (front channel) + id_token (front channel)
  3. Client can inspect the id_token immediately to establish user context
  4. Client backend exchanges the code at /token for an access_token and refresh_token over the back channel
  5. The id_token from the token endpoint is the authoritative one; the front-channel id_token is for UX only

response_type=code token

  1. Hybrid flow — client requests a code and an access_token in the same redirect
  2. Client receives: authorization code + access_token (front channel)
  3. Client can call APIs immediately using the front-channel access_token
  4. Client backend exchanges the code at /token for a long-lived access_token and refresh_token

response_type=code id_token token

  1. Full hybrid flow — client requests a code, id_token, and access_token in the same redirect
  2. Client receives all three front-channel: code, id_token, and access_token
  3. Client has immediate user context (id_token) and immediate API access (access_token)
  4. Client backend can also exchange the code at /token for a fresh set of longer-lived tokens

Summary Table

response_typeChannelAccess TokenID TokenRefresh Token
codeBack
tokenFront
id_tokenFront
id_token tokenFront
code id_tokenFront + Back
code tokenFront + Back
code id_token tokenFront + Back

Tags

.NETIdentityServer4OAuth2OpenID Connect
digitteck

© 2026 Digitteck