The response_type parameter selects the OpenID Connect flow. The 7 possible values and what each triggers are documented in the OIDC flow diagrams reference.
Flows By response_type
response_type=code
- Client sends browser to /authorize?response_type=code
- User authenticates at the Identity Server
- Server redirects to redirect_uri with an authorization code in the query string
- Client backend exchanges the code at /token (grant_type=authorization_code) using client secret
- Token endpoint returns access_token (and optionally refresh_token if offline_access scope was requested)
- Client uses access_token to call protected APIs
response_type=token
- Client sends browser to /authorize?response_type=token
- User authenticates at the Identity Server
- Server redirects to redirect_uri with access_token in the URL fragment (#)
- No token endpoint call — token is returned directly from the authorization endpoint
- No refresh token issued (front channel only)
response_type=id_token
- Client sends browser to /authorize?response_type=id_token (must include scope=openid)
- User authenticates
- Server redirects with id_token in the URL fragment — contains user identity claims
- No access_token, no refresh_token — identity assertion only
response_type=id_token token
- Client sends browser to /authorize?response_type=id_token%20token
- User authenticates
- Server redirects with both id_token and access_token in the URL fragment
- No refresh token; both are delivered front-channel (implicit)
response_type=code id_token
- Hybrid flow — client requests both a code and an id_token in the same redirect
- Client receives: authorization code (front channel) + id_token (front channel)
- Client can inspect the id_token immediately to establish user context
- Client backend exchanges the code at /token for an access_token and refresh_token over the back channel
- The id_token from the token endpoint is the authoritative one; the front-channel id_token is for UX only
response_type=code token
- Hybrid flow — client requests a code and an access_token in the same redirect
- Client receives: authorization code + access_token (front channel)
- Client can call APIs immediately using the front-channel access_token
- Client backend exchanges the code at /token for a long-lived access_token and refresh_token
response_type=code id_token token
- Full hybrid flow — client requests a code, id_token, and access_token in the same redirect
- Client receives all three front-channel: code, id_token, and access_token
- Client has immediate user context (id_token) and immediate API access (access_token)
- Client backend can also exchange the code at /token for a fresh set of longer-lived tokens
Summary Table
| response_type | Channel | Access Token | ID Token | Refresh Token |
|---|---|---|---|---|
| code | Back | ✓ | — | ✓ |
| token | Front | ✓ | — | — |
| id_token | Front | — | ✓ | — |
| id_token token | Front | ✓ | ✓ | — |
| code id_token | Front + Back | ✓ | ✓ | ✓ |
| code token | Front + Back | ✓ | — | ✓ |
| code id_token token | Front + Back | ✓ | ✓ | ✓ |
