Legacy Flows (Implicit and Hybrid)
OIDC Web also accepts the OAuth 2.0 implicit and OpenID Connect hybrid response types, for backward compatibility with older relying-party software. Both return tokens directly on the browser redirect.
These flows place tokens in the redirect URL (query or fragment). Browser history, referrer headers, and logs can all expose them there. Modern OAuth guidance (the OAuth 2.0 Security BCP) deprecates both flows in favor of the Authorization Code flow with PKCE. The legacy flows are documented here only so that existing integrations are not surprised by their availability.
Not recommended. New integrations should use the Authorization Code flow, ideally with signed requests.