- Session IDs (SID) are returned with the access token for each requested domain scope (lightning, visualforce and content) to allow the app to directly bridge a session by setting SID values in cookie(s) for the relevant domains
- Session tokens are bound to the access token, so processes to manage renewing tokens can be aligned
- Without this flow, bridging a web session would require a POST to the frontdoor.jsp URL with the access token, which would redirect and set a SID cookie for the requested resource. Under that approach, access tokens and web sessions can expire independently, so managing them is a little more challenging
- Both user agent and web server versions of the flow are possible (user agent is pictured)
- A corresponding refresh token flow (grant_type=hybrid_refresh) is available for renewing tokens
- Developed to support Mobile SDK 9.1, and hybrid_token grant type is now used in the core Mobile SDK project
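
The sketch below is an added example, not code from Salesforce or the Mobile SDK. It shows how an app might turn a hybrid token response into one Secure `sid` cookie per domain scope and swap the access token and cookies together after a hybrid_refresh. The response field names, sample domains and token values are assumptions constructed for illustration and should be checked against the documentation.

```python
from http.cookies import SimpleCookie

# Assumed response field names per domain scope (verify against the documentation).
SCOPE_FIELDS = {
    "lightning": ("lightning_domain", "lightning_sid"),
    "visualforce": ("visualforce_domain", "visualforce_sid"),
    "content": ("content_domain", "content_sid"),
}


def sid_cookies(token_response):
    """Return {domain: Set-Cookie value} for every domain scope in the response."""
    cookies = {}
    for scope, (domain_key, sid_key) in SCOPE_FIELDS.items():
        domain = token_response.get(domain_key)
        sid = token_response.get(sid_key)
        if not domain and not sid:
            continue  # this scope was not requested
        if not domain or not sid:
            # A SID without its domain (or the reverse) cannot be scoped safely.
            raise ValueError(f"{scope}: domain and SID must arrive together")
        jar = SimpleCookie()
        jar["sid"] = sid
        jar["sid"]["domain"] = domain  # scope the cookie to the returned domain only
        jar["sid"]["path"] = "/"
        jar["sid"]["secure"] = True    # never send the SID over plain HTTP
        cookies[domain] = jar["sid"].OutputString()
    return cookies


def apply_refresh(session, refreshed):
    """Replace the access token and all SID cookies in one step, so a stale SID
    never outlives the access token it was bound to."""
    new_state = {
        "access_token": refreshed["access_token"],
        "cookies": sid_cookies(refreshed),
    }
    session.clear()
    session.update(new_state)
    return session


# Constructed sample response; every value here is made up.
SAMPLE = {
    "access_token": "AT_CONSTRUCTED_1",
    "lightning_domain": "example.lightning.force.com",
    "lightning_sid": "SID_LIGHTNING_1",
    "content_domain": "example.file.force.com",
    "content_sid": "SID_CONTENT_1",
}
```
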
Documentation