Integrate authentication using OIDC hybrid flow



  1. Setup OpenID Connect (OIDC) custom application in CyberArk Identity tenant
  2. Install the CyberArk Identity Java SDK

Hybrid flow is a combination of authorization code and implicit code. In this grant type, some tokens are returned from the Authorization Endpoint, and others are returned from the Token Endpoint.

This guide describes how hybrid flow can be integrated with CyberArk Identity using the CyberArk Identity Java SDK.

Configure an OIDC Client instance

Configure the OIDC client instance as below:

import com.cyberark.client.OIDCClient; 

// client secret parameter is not necessary for Authorization code flow with PKCE.

Build an authorize URL

The client application should send an authorization request using AuthorizeUrlBuilder to authenticate the user with the CyberArk Identity provider as shown below:

AuthorizeUrlBuilder authorizeUrlBuilder = oidcClient.authorizeUrl(YOUR_REDIRECT_URL)
    .setResponseType("code id_token token") //Ex: code is mandatory for hybrid flow
    .setScope("openid email profile")

// to get authorize URL
String authURL =;

Note: The redirectUri must be white-listed in the Authorized Redirect URIs section under the Trust section of the OpenID Connect web application.

The user will be redirected to the redirect URI and the access and ID tokens are sent as part of the redirect URI.


Based on the requested response_type, code, id_token or access_token is received in the redirect resource itself.


Supported Response types for Hybrid Flow

  • code token
  • code id_token
  • code id_token token

The short-lived tokens are useful in accessing the resources by your front-end applications to get an immediate user identity.

The long-lived tokens are used by backend applications along with refresh tokens to access the resources for a longer duration.

Exchange the code with the token

The authorization code received in the above step should be exchanged for access, ID, and optionally refresh tokens as shown below:

TokenRequest tokenRequest = oidcClient.requestToken(YOUR_CODE, YOUR_REDIRECT_URL) 

TokenHolder tokenHolder = tokenRequest.execute();