Merge remote-tracking branch 'upstream/master' into actions

wso2 · Sep 5, 2024 · 738d8ec · 738d8ec
2 parents d256b2f + 5e5be2b
commit 738d8ec
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 10 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.0.150
+0.0.151
diff --git a/...ntity-server/7.0.0/docs/assets/img/guides/authentication/enable-hybrid-flow.png b/...ntity-server/7.0.0/docs/assets/img/guides/authentication/enable-hybrid-flow.png
diff --git a/...tity-server/7.0.0/docs/guides/authentication/oidc/implement-oidc-hybrid-flow.md b/...tity-server/7.0.0/docs/guides/authentication/oidc/implement-oidc-hybrid-flow.md
@@ -0,0 +1,2 @@
+{% set host_name = "https://localhost:9443" %}
+{% include "../../../../../../includes/guides/authentication/oidc/implement-oidc-hybrid-flow.md" %}
diff --git a/en/identity-server/7.0.0/mkdocs.yml b/en/identity-server/7.0.0/mkdocs.yml
@@ -446,6 +446,7 @@ nav:
             - Implement login using Pushed Authorization Requests: guides/authentication/oidc/implement-login-with-par.md
             - Implement login using the Device Authorization flow: guides/authentication/oidc/implement-device-flow.md
             - JWT Secured Authorization Response Mode (JARM) for OAuth 2.0: guides/authentication/oidc/jarm.md
+            - Implement login using the OIDC Hybrid Flow: guides/authentication/oidc/implement-oidc-hybrid-flow.md
             - Configure token exchange: guides/authentication/configure-token-exchange.md
             - Validate ID tokens: guides/authentication/oidc/validate-id-tokens.md
             - Request user information: guides/authentication/oidc/request-user-info.md

diff --git a/en/includes/guides/authentication/oidc/implement-oidc-hybrid-flow.md b/en/includes/guides/authentication/oidc/implement-oidc-hybrid-flow.md
@@ -8,7 +8,9 @@ You may implement the hybrid flow using {{product_name}} by following the steps
 
 - To get started, you need to have an application registered in {{ product_name }}. If you don't already have one, [register an OIDC application]({{base_path}}/guides/applications/register-oidc-web-app/#register-app).
 
-- On the application page, go to the **Protocol** tab and take note of the `Client ID` and the `Client secret` generated for the application.
+{% if product_name == "Asgardeo" %}
+
+- Go to the **Protocol** section of the created application and take note of the generated `Client ID` and the `Client secret`.
 
 ## Enable the hybrid flow
 
@@ -31,11 +33,36 @@ Follow the steps below to enable the hybrid flow for your application.
 
 5. Click **Update** to save the changes.
 
+{% else %}
+
+- Go to the **Protocol** section of the created application and do the following:
+
+    - Take note of the **Client ID** and the **Client secret** generated for the application.
+
+    - Under **Allowed grant types**, select **Code** and click **Update** to save the changes.
+
+{% endif %}
+
 ## Implement the hybrid flow
 
+{% if product_name == Asgardeo %}
 Now that you have [enabled the hybrid flow](#enable-the-hybrid-flow) for your application, let's take a look at how you may implement the hybrid flow for your application.
 
-The initial authorization request is similar to that of the [authorization code flow]({{base_path}}/guides/authentication/oidc/implement-auth-code/) with the exception of setting the `response_type` parameter to a value specific to the hybrid flow.
+{% else %}
+
+Let's take a look at how you may implement the hybrid flow for your application.
+
+{% endif %}
+
+The initial authorization request is similar to that of the [authorization code flow]({{base_path}}/guides/authentication/oidc/implement-auth-code/), with the exception of setting the `response_type` parameter to one of [code token](#code-token), [code id_token](#code-id_token), or [code id_token token](#code-id_token-token).
+
+{% if product_name == "WSO2 Identity Server" %}
+
+!!! warning
+
+    It is not recommended to use `code token` and `code id_token token` response types, as obtaining the access token directly from the authorization endpoint without client authentication introduces potential security vulnerabilities, including the risk of account takeover attacks.
+
+{% endif %}
 
 ``` bash
 {{host_name}}/oauth2/authorize?
@@ -44,10 +71,14 @@ response_type={response_type}
 &nonce={random_value_generated_by_client}
 &redirect_uri={url_to_redirect_after_login}
 ```
-Let's take a closer look at the reponse types available with the OIDC Hybrid Flow.
+The following sections explain the reponse types available with the OIDC Hybrid Flow.
 
 ### code token
 
+!!! warning
+
+    It is not recommended to use `code token` response type as it does not adhere to best practices and may introduce security risks.
+
 Hybrid flow intiated with the `code token` response type requests for an authorization code and an access token from the authorization endpoint.
 
 === "request format (`code token`)"
@@ -87,15 +118,15 @@ The token received in the response may be immediately used to invoke APIs author
 === "request format"
 
     ```bash
-    curl -k -v 'https://api.asgardeo.io/t/{organization_name}/oauth2/token' \
+    curl -k -v '{{host_name}}/oauth2/token' \
     -u '{client_ID}:{client_secret}' \
     -d 'grant_type=authorization_code&code={authorization_code}&redirect_uri={url_to_redirect_after_login}'
     ```
 
 === "sample request"
 
     ``` bash
-    curl -k -v 'https://api.asgardeo.io/t/{organization_name}/oauth2/token' \
+    curl -k -v '{{host_name}}/oauth2/token' \
     -u 'SkpwV3lG88X0BU1msAoRRA0zrWEa:0XVfmHcThOWpBN0iJf_4679Ir0Qe_fPMJCXSREW4bM4a' \
     -d 'grant_type=authorization_code&code=99b34587-5483-374d-8b25-50485498e761&redirect_uri=http://localhost:8080/playground2/oauth2client'
     ```
@@ -153,15 +184,15 @@ The authorization code can be exchanged to receive other tokens such as access t
 === "request format"
 
     ```bash
-    curl -k -v 'https://api.asgardeo.io/t/{organization_name}/oauth2/token' \
+    curl -k -v '{{host_name}}/oauth2/token' \
     -u '{client_ID}:{client_secret}' \
     -d 'grant_type=authorization_code&code={authorization_code}&redirect_uri={url_to_redirect_after_login}'
     ```
 
 === "sample request"
 
     ``` bash
-    curl -k -v 'https://api.asgardeo.io/t/{organization_name}/oauth2/token' \
+    curl -k -v '{{host_name}}/oauth2/token' \
     -u 'SkpwV3lG88X0BU1msAoRRA0zrWEa:0XVfmHcThOWpBN0iJf_4679Ir0Qe_fPMJCXSREW4bM4a' \
     -d 'grant_type=authorization_code&code=16fd899f-5f0c-3114-875e-2547b629cd05&redirect_uri=http://localhost:8080/playground2/oauth2client'
     ```
@@ -179,6 +210,11 @@ The authorization code can be exchanged to receive other tokens such as access t
 
 ### code id_token token
 
+!!! warning
+
+    It is not recommended to use `code id_token token` response type as it does not adhere to best practices and may introduce security risks.
+
+
 Hybrid flow intiated with the `code id_token token` response type requests for an authorization code, an access token and an ID token from the authorization endpoint.
 
 === "request format (`code id_token token`)"
@@ -219,15 +255,15 @@ The authorization code can be exchanged to receive other tokens such as access t
 === "request format"
 
     ```bash
-    curl -k -v 'https://api.asgardeo.io/t/{organization_name}/oauth2/token' \
+    curl -k -v '{{host_name}}/oauth2/token' \
     -u '{client_ID}:{client_secret}' \
     -d 'grant_type=authorization_code&code={authorization_code}&redirect_uri={url_to_redirect_after_login}'
     ```
 
 === "sample request"
 
     ``` bash
-    curl -k -v 'https://api.asgardeo.io/t/{organization_name}/oauth2/token' \
+    curl -k -v '{{host_name}}/oauth2/token' \
     -u 'SkpwV3lG88X0BU1msAoRRA0zrWEa:0XVfmHcThOWpBN0iJf_4679Ir0Qe_fPMJCXSREW4bM4a' \
     -d 'grant_type=authorization_code&code=55aa698d-ac3b-30ec-b4ca-f5e803590a4b&redirect_uri=http://localhost:8080/playground2/oauth2client'
     ```