
OpenIDConnect Response Type Confusion


The following statements that you made are correct:

  • code refers to the Authorization Code
  • token refers to an Access Token (or access_token)
  • in the Authorization Code flow one switches the code for an access_token

But part of your confusion may originate from terminology mixup:

  • the term Authorization flow is not entirely correct; its official name is Authorization Code flow
  • the term Access Code does not exist
  • the Implicit flow does not have an Authorization Code (nor Access code); in fact there's no credential (or grant) involved at all that allows the Client to get tokens from the Token endpoint, hence its name

As @juanifioren pointed out, Hybrid flows combine things:

  • the code id_token flow would get a code and id_token in the Authentication Response directly but you'd use the code to get an access_token from the Token endpoint
  • the code token flow would get a code and access_token in the Authentication Response directly but you'd use the code to get an id_token and possibly another access_token in the backend from the Token endpoint
  • the code id_token token flow would get a code, access_token and an id_token in the Authentication Response directly and you could use the code in the backend to get another access_token from the Token endpoint

Getting an access_token from the Token endpoint differs from getting it from the Authorization endpoint because the confidential clients authenticate themselves to the Token endpoint (and not to the Authorization endpoint). Hence the access_token for the confidential part of the client might have more permissions and/or a longer life.

See also a short thread on the spec mailing list on this topic: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20150209/005229.html


To understand the possible relationships between Response Types and Grant Types see IdentityServer4\Constants.cs

public static readonly Dictionary<string, string> ResponseTypeToGrantTypeMapping = new Dictionary<string, string>
{
    { OidcConstants.ResponseTypes.Code, GrantType.AuthorizationCode },
    { OidcConstants.ResponseTypes.Token, GrantType.Implicit },
    { OidcConstants.ResponseTypes.IdToken, GrantType.Implicit },
    { OidcConstants.ResponseTypes.IdTokenToken, GrantType.Implicit },
    { OidcConstants.ResponseTypes.CodeIdToken, GrantType.Hybrid },
    { OidcConstants.ResponseTypes.CodeToken, GrantType.Hybrid },
    { OidcConstants.ResponseTypes.CodeIdTokenToken, GrantType.Hybrid }
};
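The mapping above lists fixed strings, while OpenID Connect treats response_type as a space-separated set whose order does not matter ("token id_token" and "id_token token" are the same request). The following Python is an added example, not code from the answers or from IdentityServer4: it parses a response_type value, derives the grant type the same way the mapping does, and records which artifacts arrive in the Authentication Response versus which ones the code can be redeemed for at the Token endpoint, covering the three hybrid combinations described in the earlier answer. The canonical ordering "code id_token token", the grant-type strings and the artifact names are assumptions made for the illustration; the point about the confidential client authenticating only at the Token endpoint is captured by needs_token_endpoint_for_access_token.

```python
from dataclasses import dataclass

# Grant type labels, mirroring the three categories in the IdentityServer4 mapping.
AUTHORIZATION_CODE = "authorization_code"
IMPLICIT = "implicit"
HYBRID = "hybrid"

# Order used when rebuilding a canonical string (assumption for this example;
# OIDC itself does not care about the order of the values).
_CANONICAL_ORDER = ("code", "id_token", "token")


@dataclass(frozen=True)
class ResponseTypeAnalysis:
    canonical: str                           # normalised response_type string
    grant_type: str                          # authorization_code / implicit / hybrid
    from_authorization_endpoint: frozenset   # artifacts in the Authentication Response
    from_token_endpoint: frozenset           # artifacts the code can be exchanged for


def analyze_response_type(response_type: str) -> ResponseTypeAnalysis:
    """Classify a space-separated OIDC response_type value."""
    parts = set(response_type.split())
    if not parts:
        raise ValueError("response_type must not be empty")
    unknown = parts - set(_CANONICAL_ORDER)
    if unknown:
        # e.g. "access_code", which is not a defined response_type value
        raise ValueError(f"unsupported response_type value(s): {sorted(unknown)}")

    canonical = " ".join(p for p in _CANONICAL_ORDER if p in parts)

    # "token" in response_type means an access_token in the front-channel response;
    # "code" and "id_token" are returned under their own names.
    front = frozenset("access_token" if p == "token" else p for p in parts)

    if "code" not in parts:
        # Implicit: no grant is returned, so the Token endpoint cannot be used at all.
        return ResponseTypeAnalysis(canonical, IMPLICIT, front, frozenset())

    # Any response type containing "code" can redeem it at the Token endpoint,
    # which (with the openid scope) returns an access_token and an id_token,
    # possibly in addition to the ones already received in the front channel.
    back = frozenset({"access_token", "id_token"})
    grant = AUTHORIZATION_CODE if parts == {"code"} else HYBRID
    return ResponseTypeAnalysis(canonical, grant, front, back)


def needs_token_endpoint_for_access_token(response_type: str) -> bool:
    """True when the client can only obtain an access_token via the Token endpoint.

    For a confidential client that is the call where it authenticates itself, so
    the resulting token may carry more permissions or a longer lifetime than one
    handed out directly by the Authorization endpoint.
    """
    a = analyze_response_type(response_type)
    return ("access_token" not in a.from_authorization_endpoint
            and "access_token" in a.from_token_endpoint)


if __name__ == "__main__":
    samples = ("code", "id_token token", "token id_token",
               "code id_token", "code token", "code id_token token")
    for rt in samples:
        a = analyze_response_type(rt)
        print(f"{rt!r:>24} -> {a.grant_type:<18} "
              f"front={sorted(a.from_authorization_endpoint)} "
              f"back={sorted(a.from_token_endpoint)}")
```

Running the script prints one line per sample; the two implicit spellings collapse to the same canonical form and the same empty Token-endpoint set, while every variant containing code reports the same back-channel artifacts regardless of what else was returned up front.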


Your thoughts about Authorization Code Flow and Implicit Flow are right. But I think you are over-complicating the hybrid flow. When using hybrid you can simply get both code and id_token.

After that, either you can grab code and exchange it for access token or just use the id_token (or access token) directly. Both approaches have their own flaws, especially in terms of security.