10
votes

I can't quite understand the difference between response_type and grant_type in the OAuth 2.0/OIDC specifications.

My guess is that grant_type is specified in the URL when interacting with a token endpoint (to get access and/or refresh tokens), and response_type is used when interacting with the authorization endpoint to get the identity token and the authorization code. Is that right?

If so, what should we use as a grant_type when using the hybrid flow?

Any help would be appreciated.

1 Answer

8
votes

response_type and grant_type are two mandatory parameters established by the OAuth 2.0 specification. Since OpenID Connect is built on OAuth 2.0, these two parameters are used in OpenID Connect too.

response_type is used against the authorization endpoint. This parameter defines what the authorization response must contain. For example, code when using the authorization code grant (similarly, the authorization code flow in OpenID Connect).

grant_type, on the other hand, is used against the token endpoint. It defines the grant used for the token request. For example, authorization_code is the grant used for the authorization code grant (similarly, the authorization code flow in OpenID Connect).

For the hybrid flow, response_type is extended to have multiple segments. This was done through OAuth 2.0 Multiple Response Type Encoding Practices. This enables you to use a response_type such as response_type=id_token%20token, and grant_type will be the same as if you used the authorization code flow. It will be code. This is defined in the specification's hybrid token request.
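As an added illustration (not part of the answer above), a Python sketch that keeps the two parameters on their respective endpoints: response_type goes on the authorization request, grant_type on the token request, and the registered response_type combinations from the Multiple Response Type Encoding Practices document decide which flow is in play. Endpoint URLs and client values are placeholders.

```python
from urllib.parse import urlencode

# response_type values registered by OAuth 2.0 (RFC 6749) and the
# "OAuth 2.0 Multiple Response Type Encoding Practices" document.
# The space-separated tokens are unordered, so each key is a frozenset.
REGISTERED_RESPONSE_TYPES = {
    frozenset({"code"}): "authorization_code",
    frozenset({"token"}): "implicit",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
}


def classify_flow(response_type: str) -> str:
    """Name the flow a response_type selects; reject unregistered combinations
    so a server can answer with the standard unsupported_response_type error."""
    parts = frozenset(response_type.split())
    if parts not in REGISTERED_RESPONSE_TYPES:
        raise ValueError("unsupported_response_type")
    return REGISTERED_RESPONSE_TYPES[parts]


def default_response_mode(response_type: str) -> str:
    """Any response_type that returns a token directly defaults to the fragment
    response mode, so the token never reaches the redirect_uri server in the request line."""
    return "query" if response_type.split() == ["code"] else "fragment"


def authorization_request(endpoint, client_id, redirect_uri, response_type, scope, state, nonce=None):
    """Build the authorization-endpoint URL. response_type lives here; grant_type never does."""
    classify_flow(response_type)  # fail early on an unregistered combination
    if "id_token" in response_type.split() and not nonce:
        raise ValueError("nonce is required when an ID Token is returned from the authorization endpoint")
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    if nonce:
        params["nonce"] = nonce
    return f"{endpoint}?{urlencode(params)}"


def token_request(response_type, code, redirect_uri, client_id):
    """Build the token-endpoint form body. grant_type lives here, and for every flow that
    returned a code (authorization code and hybrid alike) it is authorization_code."""
    if "code" not in response_type.split():
        return None  # implicit flow: tokens already arrived in the fragment, nothing to exchange
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id}
```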