--- title: Authorize (hybrid POST) description: The authorization endpoint can be used to initiate a hybrid flow authorization request, in which an authorization code is returned from the authorization endpoint, some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. In a hybrid flow, the authorization endpoint's response_type property specifies the code type and it also specifies id_token, or token, or both. An authorization code (specified by the code response type) is always returned in a hybrid flow. An ID token is returned when the response_type property is code id_token or code id_token token. An access token is returned when the response_type property is code token or code id_token token. component: pingone-api page_id: pingone-api:auth:openid-connect-oauth-2/authorize-hybrid-1 canonical_url: https://developer.pingidentity.com/pingone-api/auth/openid-connect-oauth-2/authorize-hybrid-1.html section_ids: prerequisites: Prerequisites headers: Headers body: Body example-request: Example Request example-response: Example Response --- # Authorize (hybrid POST) ## ```none POST {{authPath}}/{{envID}}/as/authorize ``` The authorization endpoint can be used to initiate a hybrid flow authorization request, in which an authorization code is returned from the authorization endpoint, some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. In a hybrid flow, the authorization endpoint's `response_type` property specifies the `code` type and it also specifies `id_token`, or `token`, or both. An authorization code (specified by the `code` response type) is always returned in a hybrid flow. An ID token is returned when the `response_type` property is `code id_token` or `code id_token token`. An access token is returned when the `response_type` property is `code token` or `code id_token token`. Note that for the `POST` request, parameters and their values are Form Serialized by adding the parameter names and values to the entity body of the HTTP request and specifying the `Content-Type: application/x-www-form-urlencoded` request header. For a Proof Key for Code Exchange (PKCE) authorization request, the `/{{envID}}/as/authorize` request must include the `code_challenge` parameter. The `code_challenge_method` parameter is required if the application's `pkceEnforcement` property is set to `S256_REQUIRED`. Otherwise, it is optional. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The optional `request` property specifies a JWT that enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter. For details on how to construct the JWT, refer to [Create a request property JWT](../auth-config-options/create-a-request-property-jwt.html). For information on `pi.template` refer to [Notifications Templates](../../platform/notifications/notifications-templates.html). For information on `pi.clientContext` refer to [Device Authentication](../../mfa/mfa-authentication/mfa-device-authentications.html). | The sample shows the `POST /{{envID}}/as/authorize` operation for a hybrid flow. For more information about hybrid flows, refer to [Authentication using the Hybrid Flow](https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth). ### Prerequisites * Refer to [OpenID Connect/OAuth 2](../openid-connect-oauth-2.html) for important overview information. * Create an application to get an `appID`. Refer to [Application Operations](../../platform/applications/applications-1.html). Run [Read All Applications](../../platform/applications/applications-1/read-all-applications.html) to find an existing application. * Run [Read All Templates](../../platform/notifications/notifications-templates/read-all-templates.html) to find a `templateName`. * Run [Read All Contents](../../platform/notifications/notifications-templates/read-all-contents.html) to find a `variantName`. > **Collapse: Request Model** > > | Property | Type | Required? | > | ----------------------- | ------ | --------- | > | `acr_values` | String | Optional | > | `client_id` | String | Required | > | `code_challenge_method` | String | Optional | > | `login_hint` | String | Optional | > | `login_hint_token` | String | Optional | > | `mobilePayload` | String | Optional | > | `max_age` | String | Optional | > | `nonce` | String | Optional | > | `prompt` | String | Optional | > | `redirect_uri` | String | Required | > | `request` | String | Optional | > | `response_mode` | String | Optional | > | `response_type` | String | Required | > | `scope` | String | Optional | > | `state` | String | Optional | > > Refer to the [OpenID Connect/OAuth2 data model](../openid-connect-oauth-2.html) for full property descriptions. > **Collapse: Related topics** > > * [Authorization flow by grant type](../../foundations/authentication-concepts/authorization-flow-by-grant-type.html) ### Headers Content-Type      application/x-www-form-urlencoded ### Body urlencoded ( application/x-www-form-urlencoded ) | Key | Value | | -------------- | -------------------- | | response\_type | code id\_token | | client\_id | {{appID}} | | redirect\_uri | {{redirect\_uri}} | | scope | openid profile email | | state | {{state}} | ## ### Example Request * cURL * C# * Go * HTTP * Java * jQuery * NodeJS * Python * PHP * Ruby * Swift ```shell curl --location --globoff '{{authPath}}/{{envID}}/as/authorize' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'response_type=code id_token' \ --data-urlencode 'client_id={{appID}}' \ --data-urlencode 'redirect_uri={{redirect_uri}}' \ --data-urlencode 'scope=openid profile email' \ --data-urlencode 'state={{state}}' ``` ```csharp var options = new RestClientOptions("{{authPath}}/{{envID}}/as/authorize") { MaxTimeout = -1, }; var client = new RestClient(options); var request = new RestRequest("", Method.Post); request.AddHeader("Content-Type", "application/x-www-form-urlencoded"); request.AddParameter("response_type", "code id_token"); request.AddParameter("client_id", "{{appID}}"); request.AddParameter("redirect_uri", "{{redirect_uri}}"); request.AddParameter("scope", "openid profile email"); request.AddParameter("state", "{{state}}"); RestResponse response = await client.ExecuteAsync(request); Console.WriteLine(response.Content); ``` ```golang package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "{{authPath}}/{{envID}}/as/authorize" method := "POST" payload := strings.NewReader("response_type=code%20id_token&client_id=%7B%7BappID%7D%7D&redirect_uri=%7B%7Bredirect_uri%7D%7D&scope=openid%20profile%20email&state=%7B%7Bstate%7D%7D") client := &http.Client { } req, err := http.NewRequest(method, url, payload) if err != nil { fmt.Println(err) return } req.Header.Add("Content-Type", "application/x-www-form-urlencoded") res, err := client.Do(req) if err != nil { fmt.Println(err) return } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { fmt.Println(err) return } fmt.Println(string(body)) } ``` ```http POST /{{envID}}/as/authorize HTTP/1.1 Host: {{authPath}} Content-Type: application/x-www-form-urlencoded response_type=code%20id_token&client_id=%7B%7BappID%7D%7D&redirect_uri=%7B%7Bredirect_uri%7D%7D&scope=openid%20profile%20email&state=%7B%7Bstate%7D%7D ``` ```java OkHttpClient client = new OkHttpClient().newBuilder() .build(); MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded"); RequestBody body = RequestBody.create(mediaType, "response_type=code id_token&client_id={{appID}}&redirect_uri={{redirect_uri}}&scope=openid profile email&state={{state}}"); Request request = new Request.Builder() .url("{{authPath}}/{{envID}}/as/authorize") .method("POST", body) .addHeader("Content-Type", "application/x-www-form-urlencoded") .build(); Response response = client.newCall(request).execute(); ``` ```javascript var settings = { "url": "{{authPath}}/{{envID}}/as/authorize", "method": "POST", "timeout": 0, "headers": { "Content-Type": "application/x-www-form-urlencoded" }, "data": { "response_type": "code id_token", "client_id": "{{appID}}", "redirect_uri": "{{redirect_uri}}", "scope": "openid profile email", "state": "{{state}}" } }; $.ajax(settings).done(function (response) { console.log(response); }); ``` ```javascript var request = require('request'); var options = { 'method': 'POST', 'url': '{{authPath}}/{{envID}}/as/authorize', 'headers': { 'Content-Type': 'application/x-www-form-urlencoded' }, form: { 'response_type': 'code id_token', 'client_id': '{{appID}}', 'redirect_uri': '{{redirect_uri}}', 'scope': 'openid profile email', 'state': '{{state}}' } }; request(options, function (error, response) { if (error) throw new Error(error); console.log(response.body); }); ``` ```python import requests url = "{{authPath}}/{{envID}}/as/authorize" payload = 'response_type=code%20id_token&client_id=%7B%7BappID%7D%7D&redirect_uri=%7B%7Bredirect_uri%7D%7D&scope=openid%20profile%20email&state=%7B%7Bstate%7D%7D' headers = { 'Content-Type': 'application/x-www-form-urlencoded' } response = requests.request("POST", url, headers=headers, data=payload) print(response.text) ``` ```php setUrl('{{authPath}}/{{envID}}/as/authorize'); $request->setMethod(HTTP_Request2::METHOD_POST); $request->setConfig(array( 'follow_redirects' => TRUE )); $request->setHeader(array( 'Content-Type' => 'application/x-www-form-urlencoded' )); $request->addPostParameter(array( 'response_type' => 'code id_token', 'client_id' => '{{appID}}', 'redirect_uri' => '{{redirect_uri}}', 'scope' => 'openid profile email', 'state' => '{{state}}' )); try { $response = $request->send(); if ($response->getStatus() == 200) { echo $response->getBody(); } else { echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' . $response->getReasonPhrase(); } } catch(HTTP_Request2_Exception $e) { echo 'Error: ' . $e->getMessage(); } ``` ```ruby require "uri" require "net/http" url = URI("{{authPath}}/{{envID}}/as/authorize") http = Net::HTTP.new(url.host, url.port); request = Net::HTTP::Post.new(url) request["Content-Type"] = "application/x-www-form-urlencoded" request.body = "response_type=code%20id_token&client_id=%7B%7BappID%7D%7D&redirect_uri=%7B%7Bredirect_uri%7D%7D&scope=openid%20profile%20email&state=%7B%7Bstate%7D%7D" response = http.request(request) puts response.read_body ``` ```swift let parameters = "response_type=code%20id_token&client_id=%7B%7BappID%7D%7D&redirect_uri=%7B%7Bredirect_uri%7D%7D&scope=openid%20profile%20email&state=%7B%7Bstate%7D%7D" let postData = parameters.data(using: .utf8) var request = URLRequest(url: URL(string: "{{authPath}}/{{envID}}/as/authorize")!,timeoutInterval: Double.infinity) request.addValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type") request.httpMethod = "POST" request.httpBody = postData let task = URLSession.shared.dataTask(with: request) { data, response, error in guard let data = data else { print(String(describing: error)) return } print(String(data: data, encoding: .utf8)!) } task.resume() ``` ### Example Response 302 Found