Hybrid App Token Flow

  • Session IDs (SID) are returned with the access token for each requested domain scope (lightning, visualforce and content) to allow the app to directly bridge a session by setting SID values in cookie(s) for the relevant domains
  • Session tokens are bound to the access token, so processes to manage renewing tokens can be aligned
  • Without this flow, bridging a web session would require a POST to the frontdoor.jsp URL with the access token, which would redirect and set a SID cookie for the requested resource. Under that approach, access tokens and web sessions can expire independently, so management is a little more challenging
  • Both user agent and web server versions of the flow are possible (user agent is pictured)
  • A corresponding refresh token flow (grant_type=hybrid_refresh) is available for renewing tokens
  • Developed to support Mobile SDK 9.1, and the hybrid_token grant type is now used in the core Mobile SDK project
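
A sketch of the session bridging described above, as an added example that is not Mobile SDK code: it turns a hybrid token response into one host-only cookie per returned domain and builds the hybrid_refresh request body. The response field names (`<scope>_domain`, `<scope>_sid`), the cookie name `sid` and every sample value are assumptions.

```javascript
// Added example. Response field names (<scope>_domain, <scope>_sid) and the
// cookie name "sid" are assumptions; all values are constructed.
const SCOPES = ["lightning", "visualforce", "content"];
// Bare hostname only: no scheme, port, path or cookie-attribute separators.
const HOST_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;

function sidCookiesFromTokenResponse(resp) {
  if (!resp || typeof resp.access_token !== "string" || !resp.access_token) {
    throw new Error("token response has no access_token");
  }
  const cookies = [];
  for (const scope of SCOPES) {
    const domain = resp[`${scope}_domain`];
    const sid = resp[`${scope}_sid`];
    if (domain === undefined && sid === undefined) continue; // scope not requested
    if (typeof domain !== "string" || !HOST_RE.test(domain)) {
      throw new Error(`${scope}: invalid domain`);
    }
    if (typeof sid !== "string" || !/^[^\s;,]+$/.test(sid)) {
      throw new Error(`${scope}: invalid SID value`);
    }
    // No Domain attribute: the cookie stays host-only for this one domain.
    cookies.push({
      url: `https://${domain}/`,
      header: `sid=${sid}; Path=/; Secure; HttpOnly`,
    });
  }
  return cookies;
}

// Request body for renewing the access token and its bound SIDs together.
function hybridRefreshBody(clientId, refreshToken) {
  return new URLSearchParams({
    grant_type: "hybrid_refresh",
    client_id: clientId,
    refresh_token: refreshToken,
  }).toString();
}

// Constructed sample response: two domain scopes returned, content omitted.
const SAMPLE_RESPONSE = {
  access_token: "CONSTRUCTED_ACCESS_TOKEN",
  lightning_domain: "acme.lightning.example",
  lightning_sid: "00Dxx!constructedLightningSid",
  visualforce_domain: "acme.vf.example",
  visualforce_sid: "00Dxx!constructedVfSid",
};
console.log(sidCookiesFromTokenResponse(SAMPLE_RESPONSE));
```

Because the SIDs are bound to the access token, cookies written from an earlier response should be replaced with the values returned by each hybrid_refresh call.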