I faced the same Issue, currently the work still in progress. when I finish the documentation, I might post it here. for time being: please check the draft:

Enrich IdentityServer Documentation with OIDC and OAuth2 Flows section #73

Update: OIDC and OAuth2 Flows


From leastPrivilage's first link: and Aharon Paretzki's OAuth 2 Simplified

Flows decide how the ID token (i.e. the authorization code) and the Access token (i.e. 'the token') are returned to the client:

Authorization Code Flow: OAuth 2.0 flow in which

  • an Authorization Code is returned from the Authorization Endpoint
  • and all tokens (as a second stage, in exchange for the authorization code) are returned from the Token Endpoint
  • Used for server based calls (APIs) that can maintain the confidentiality of their client secret. Allows for stronger security, as long as no-one can access the "client secret".

Implicit Flow: OAuth 2.0 flow in which

  • all tokens are returned directly from the Authorization Endpoint
  • and neither the Token Endpoint nor an Authorization Code are used.
  • Used for mobile and web based apps, that cannot maintain the confidentiality of the client secret, so there is a need to have the token issued by the auth server itself. This is less secure, and it is recommended that the server should be set to deny implicit flow calls for API usage, and allow it only for the browser based and mobile based apps.

Hybrid Flow: OAuth 2.0 flow in which

  • an Authorization Code is returned from the Authorization Endpoint,
  • some tokens are returned directly from the Authorization Endpoint, and others are returned (as a second stage, in exchange for the authorization code) from the Token Endpoint.
  • Used where both flows are needed.

see the specifications - it has been all written down already:

http://openid.net/specs/openid-connect-core-1_0.html and https://www.rfc-editor.org/rfc/rfc6749

in addition i've recently written a summary that breaks it down for different application types:

http://leastprivilege.com/2016/01/17/which-openid-connectoauth-2-o-flow-is-the-right-one/