OpenID Hybrid

class oauthlib.openid.connect.core.grant_types.HybridGrant(request_validator=None, **kwargs)[source]
add_id_token(token, token_handler, request)[source]

Construct an initial version of id_token, and let the request_validator sign or encrypt it.

The initial version can contain the fields below, according to the spec:

- aud
- iat
- nonce
- at_hash
- c_hash

id_token_hash(value, hashfunc=<built-in function openssl_sha256>)

Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token’s JOSE Header.

For instance, if the alg is RS256, hash the access_token value with SHA-256, then take the left-most 128 bits and base64url-encode them. For instance, if the alg is HS512, hash the code value with SHA-512, then take the left-most 256 bits and base64url-encode them. The c_hash value is a case-sensitive string.

Example of hash from OIDC specification (bound to a JWS using RS256):

code: Qcb0Orv1zh30vL1MPRsbm-diHiMwcLyZvn1arpZv-Jxf_11jnpEX3Tgfvk

c_hash: LDktKdoQak3Pk0cnXxCltA
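The left-half hash rule above, seen from the relying party's side, as an added example that is not oauthlib's own code: it recomputes the value for a given `alg` and compares it to the claim in constant time. The names `left_half_hash` and `check_hash_claim` are hypothetical; the sample `code` and `c_hash` are the specification values quoted above.

```python
import base64
import hashlib
import hmac

# Hash selected by the bit-length suffix of the JWS "alg" header (RS256 -> SHA-256).
_HASH_BY_BITS = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}
_FAMILIES = ("RS", "ES", "PS", "HS")

# Sample values from the OIDC specification example quoted above.
SPEC_CODE = "Qcb0Orv1zh30vL1MPRsbm-diHiMwcLyZvn1arpZv-Jxf_11jnpEX3Tgfvk"
SPEC_C_HASH = "LDktKdoQak3Pk0cnXxCltA"


def left_half_hash(value: str, alg: str) -> str:
    """Unpadded base64url of the left-most half of hash(ASCII(value))."""
    hashfunc = _HASH_BY_BITS.get(alg[2:]) if alg[:2] in _FAMILIES else None
    if hashfunc is None:
        # "none", EdDSA, etc.: no hash can be derived from the alg name here,
        # so fail closed instead of guessing one.
        raise ValueError(f"no hash defined for alg {alg!r}")
    digest = hashfunc(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def check_hash_claim(claims: dict, claim: str, value: str, alg: str) -> bool:
    """True only if claims[claim] is present and matches the hash of value.

    claim is "c_hash" (value = authorization code) or "at_hash"
    (value = access token). The comparison is case-sensitive and
    constant-time.
    """
    presented = claims.get(claim)
    if not isinstance(presented, str):
        return False
    expected = left_half_hash(value, alg)
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("ascii"))


if __name__ == "__main__":
    print(left_half_hash(SPEC_CODE, "RS256"))
    print(check_hash_claim({"c_hash": SPEC_C_HASH}, "c_hash", SPEC_CODE, "RS256"))
```

The claims passed in must come from an ID Token whose signature has already been verified; the hash check binds the code or access token to that token and does not replace signature validation.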


Additional validation when following the Authorization Code flow.


Validates the OpenID Connect authorization request parameters.

Returns: (list of scopes, dict of request info)