Integrate authentication using OIDC hybrid flow
PREREQUISITES
- Set up an OpenID Connect (OIDC) custom application in your CyberArk Identity tenant
- Install the CyberArk Identity Java SDK
Hybrid flow combines the authorization code flow and the implicit flow. In this grant type, some tokens are returned directly from the Authorization Endpoint (in the redirect back to the client), and the remaining tokens are obtained from the Token Endpoint by exchanging the authorization code.
This guide describes how hybrid flow can be integrated with CyberArk Identity using the CyberArk Identity Java SDK.
Configure an OIDC Client instance
Configure the OIDC client instance as follows:
import com.cyberark.client.OIDCClient;
// No client secret is passed here: the code exchange in this flow is protected by PKCE (code_challenge / code_verifier) instead.
OIDCClient oidcClient = new OIDCClient(YOUR_TENANT_URL, YOUR_OIDC_APPLICATION_ID, YOUR_CLIENT_ID);
Build an authorize URL
The client application sends an authorization request built with AuthorizeUrlBuilder to authenticate the user with the CyberArk Identity provider, as shown below. codeChallenge is the S256 (SHA-256, base64url) value of a code_verifier that the application generates freshly for each login and keeps server-side until the code exchange:
AuthorizeUrlBuilder authorizeUrlBuilder = oidcClient.authorizeUrl(YOUR_REDIRECT_URL)
.setResponseType("code id_token token") // "code" is mandatory for hybrid flow; "id_token" and "token" are the optional fragment-returned parts
.setScope("openid email profile")
.setCodeChallenge(codeChallenge)
.setCodeChallengeMethod("S256");
// build the authorize URL the browser is redirected to
String authURL = authorizeUrlBuilder.build();
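The codeChallenge value used above has to come from somewhere. The following is an added example (not code from this page or from the CyberArk Identity Java SDK) that generates the RFC 7636 code_verifier / code_challenge pair with the standard JDK only, and checks the transform against the RFC 7636 Appendix B test vector. The only assumption is that the challenge is later handed to the SDK builder calls shown above; the class and method names in the example are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example: PKCE pair for the hybrid-flow authorize URL.
 * verifier  -> stays in the user's server-side session until the code exchange
 * challenge -> goes into the authorize URL via setCodeChallenge(...) with method "S256"
 */
public final class Pkce {
    public final String verifier;
    public final String challenge;

    private Pkce(String verifier, String challenge) {
        this.verifier = verifier;
        this.challenge = challenge;
    }

    /** 32 random bytes from SecureRandom give a 43-character verifier (RFC 7636 allows 43..128). */
    public static Pkce generate() {
        byte[] random = new byte[32];
        new SecureRandom().nextBytes(random);
        String verifier = base64Url(random);
        return new Pkce(verifier, s256(verifier));
    }

    /** code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding. */
    public static String s256(String verifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return base64Url(sha256.digest(verifier.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    private static String base64Url(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        // Known-answer check: the verifier/challenge pair from RFC 7636 Appendix B.
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        if (!s256(rfcVerifier).equals(rfcChallenge)) {
            throw new AssertionError("S256 transform does not match the RFC 7636 test vector");
        }

        Pkce pkce = Pkce.generate();
        System.out.println("code_verifier  = " + pkce.verifier);
        System.out.println("code_challenge = " + pkce.challenge);
        // Pass pkce.challenge to the SDK builder from the guide:
        //   .setCodeChallenge(pkce.challenge).setCodeChallengeMethod("S256")
        // and keep pkce.verifier in the session: it is sent with the authorization code later.
    }
}
```

Generate a new pair for every authorization request and bind the verifier to the browser session (for example, keyed by the state parameter); reusing a verifier across logins defeats the purpose of PKCE.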
Note: The redirect URI must be white-listed in the Authorized Redirect URIs section under the Trust section of the OpenID Connect web application.
After authentication, the user is redirected to the redirect URI. The authorization code and the requested tokens are returned in the URL fragment (after #), so they are available to the front-end code in the browser but are not sent to the server as part of the HTTP request. For example:
https://YOUR_REDIRECT_URI#responseType=code,%20token,%20id_token&code=YOUR_CODE&access_token=YOUR_ACCESS_TOKEN&token_type=Bearer&expires_in=18000&id_token=YOUR_ID_TOKEN&scope=openid%20email%20profile
Treat the ID token received this way as untrusted until it has been validated: verify its signature, issuer, audience, expiry and nonce, and check its c_hash and at_hash claims against the code and access token that arrived beside it.
Depending on the requested response_type, the code, id_token and/or access_token are received in the redirect itself.
Supported Response types for Hybrid Flow
- code token
- code id_token
- code id_token token
The tokens returned in the redirect fragment are short-lived; they let your front-end application obtain the user's identity immediately and call resources right away.
The tokens obtained from the Token Endpoint by exchanging the code are used by backend applications, together with a refresh token, to access resources for a longer duration.
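To make the fragment handling concrete, here is an added example (not from this page or from the CyberArk Identity Java SDK) that splits the redirect fragment into its parameters and checks that the code and access token it carries are the ones the ID token was issued with, using the c_hash / at_hash rule from OpenID Connect Core 3.3.2.11 (left-most 128 bits of SHA-256 for an RS256-signed token, base64url encoded). It needs Java 11 or later and no third-party library. The tokens in main are constructed so the example runs offline; in a real callback the ID token's signature, iss, aud, exp and nonce must be verified with a JWT library first, which is not shown here.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: parse the hybrid-flow redirect fragment and bind code/access_token to the ID token. */
public final class HybridCallback {

    /** Split "#k=v&k2=v2" into a map; the fragment is what the browser sees, the server never does. */
    public static Map<String, String> parseFragment(String redirect) {
        Map<String, String> out = new LinkedHashMap<>();
        String fragment = URI.create(redirect).getRawFragment();
        if (fragment == null) return out;
        for (String pair : fragment.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8), URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    /** base64url(left 128 bits of SHA-256(ascii(value))): the c_hash / at_hash construction for RS256. */
    public static String leftHalfHash(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(Arrays.copyOf(digest, 16));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Read a string claim from the JWS payload; a tiny regex instead of a JSON library keeps this self-contained. */
    public static String claim(String idToken, String name) {
        String[] parts = idToken.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(payload);
        return m.find() ? m.group(1) : null;
    }

    /** True only if every artefact in the fragment is the one the (already signature-checked) ID token vouches for. */
    public static boolean bindsToIdToken(Map<String, String> frag) {
        String idToken = frag.get("id_token");
        if (idToken == null) return false;
        String code = frag.get("code");
        String accessToken = frag.get("access_token");
        // c_hash is required whenever code is returned with id_token; at_hash whenever token is.
        if (code != null && !leftHalfHash(code).equals(claim(idToken, "c_hash"))) return false;
        if (accessToken != null && !leftHalfHash(accessToken).equals(claim(idToken, "at_hash"))) return false;
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real tokens: the ID token is assembled here so the example runs offline.
        String code = "SplxlOBeZQQYbYS6WxSbIA";
        String accessToken = "2YotnFZFEjr1zCsicMWpAA";
        String payload = "{\"iss\":\"https://tenant.example.com\",\"sub\":\"user1\",\"aud\":\"client1\","
                + "\"c_hash\":\"" + leftHalfHash(code) + "\",\"at_hash\":\"" + leftHalfHash(accessToken) + "\"}";
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String idToken = b64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + b64.encodeToString(payload.getBytes(StandardCharsets.UTF_8))
                + ".sig"; // signature placeholder; a real token is verified with the tenant's JWKS before any of this

        String redirect = "https://app.example.com/callback#responseType=code,%20token,%20id_token"
                + "&code=" + code + "&access_token=" + accessToken + "&token_type=Bearer&expires_in=18000"
                + "&id_token=" + idToken + "&scope=openid%20email%20profile";

        Map<String, String> frag = parseFragment(redirect);
        System.out.println("fragment parameters: " + frag.keySet());
        System.out.println("code/access_token bound to id_token: " + bindsToIdToken(frag)); // true

        frag.put("code", "attacker-substituted-code"); // a swapped code no longer matches c_hash
        System.out.println("after code substitution: " + bindsToIdToken(frag)); // false
    }
}
```

The c_hash check is what stops a code injected into the fragment from being exchanged as if it belonged to this login; the at_hash check does the same for the access token. Both are only meaningful after the ID token's signature has been verified, otherwise an attacker can simply rewrite the claims.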
Exchange the code for tokens
The authorization code received in the previous step is exchanged at the Token Endpoint for access, ID and optionally refresh tokens. Because the authorize URL carried a PKCE code_challenge, the request must also carry the matching code_verifier, otherwise the server rejects the exchange:
TokenRequest tokenRequest = oidcClient.requestToken(YOUR_CODE, YOUR_REDIRECT_URL)
.setGrantType("authorization_code")
.setCodeVerifier(YOUR_CODE_VERIFIER); // the verifier whose S256 hash was sent as codeChallenge; setter name assumed, check the SDK
TokenHolder tokenHolder = tokenRequest.execute();