The “Hybrid flow” OpenID Authentication strategy is a variation of the “Implicit grant” flow in which the Identity owner can receive a combination of the ID token, access token and/or authorization code in the fragment of the Authorize response redirect.
plugin :rodauth do
  enable :oidc, :oauth_implicit_grant
end
Afterwards, you’ll just need to set the response_type query param in the authorize URL to one of the following:
code+token
code+id_token
id_token+token
code+id_token+token
This feature is intended for identity providers who want to implement the Hybrid flow and are OK with the security implications.
Because this is a variation of the Implicit grant flow, it is just as vulnerable as that flow. For this reason, it is turned off by default.
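Since the tokens arrive in the redirect fragment, a client can check a hybrid response before using anything in it. The following is an added example, not code from rodauth-oauth: it checks that the fragment carries the parameters the requested response_type calls for, and that the code and access token match the c_hash and at_hash ID token claims defined by OpenID Connect Core. The method names, URL and token values are constructed for illustration, and the ID token claims are assumed to come from a token whose signature was already verified with a SHA-256 based algorithm.

```ruby
require "uri"
require "digest/sha2"

# Fragment parameters each response_type value listed above should deliver.
EXPECTED_PARAMS = {
  "code+token"          => %w[code access_token],
  "code+id_token"       => %w[code id_token],
  "id_token+token"      => %w[id_token access_token],
  "code+id_token+token" => %w[code id_token access_token]
}.freeze

# c_hash / at_hash construction from OpenID Connect Core: base64url (no padding)
# of the left-most half of the hash of the ASCII value. SHA-256 is assumed here,
# which matches ID tokens signed with RS256, ES256 or HS256.
def half_hash(value)
  digest = Digest::SHA256.digest(value)
  [digest[0, digest.bytesize / 2]].pack("m0").tr("+/", "-_").delete("=")
end

# Hypothetical helper: returns a list of problems found in the redirect fragment.
# `claims` is the ID token payload, assumed already signature-verified.
# An unknown response_type raises KeyError.
def check_hybrid_response(redirect_uri, response_type, claims = {})
  params = URI.decode_www_form(URI(redirect_uri).fragment.to_s).to_h
  errors = EXPECTED_PARAMS.fetch(response_type)
                          .reject { |name| params.key?(name) }
                          .map { |name| "missing #{name}" }
  if params["id_token"]
    # A missing or wrong hash claim means the code or access token was not
    # issued together with this ID token.
    if params["code"] && claims["c_hash"] != half_hash(params["code"])
      errors << "c_hash mismatch"
    end
    if params["access_token"] && claims["at_hash"] != half_hash(params["access_token"])
      errors << "at_hash mismatch"
    end
  end
  errors
end

# Constructed sample redirect (placeholder values, not real tokens).
sample = "https://client.example/cb#code=c0d3&id_token=constructed.jwt.value&state=s1"
p check_hybrid_response(sample, "code+id_token", "c_hash" => half_hash("c0d3"))
```
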