OBP-OIDC must support the code id_token hybrid response type. This means

the authorization endpoint should return both an authorization code and
a signed ID token (containing c_hash, s_hash, and at_hash claims)
directly in the redirect, as required by UK Open Banking and
Berlin Group security profiles.

Author: simonredfern

src/main/scala/com/tesobe/oidc/endpoints/AuthEndpoint.scala

@@ -25,6 +25,7 @@ import com.tesobe.oidc.endpoints.HtmlUtils.htmlEncode
 import com.tesobe.oidc.models.{OidcError, User}
 import com.tesobe.oidc.ratelimit.RateLimitService
 import com.tesobe.oidc.config.OidcConfig
+import com.tesobe.oidc.tokens.JwtService
 import org.http4s._
 import org.http4s.dsl.io._
 import org.http4s.headers.Location
@@ -36,7 +37,8 @@ class AuthEndpoint(
     codeService: CodeService[IO],
     statsService: StatsService[IO],
     rateLimitService: RateLimitService[IO],
-    config: OidcConfig
+    config: OidcConfig,
+    jwtService: JwtService[IO]
 ) {
 
   private val logger = LoggerFactory.getLogger(getClass)
@@ -109,12 +111,12 @@ class AuthEndpoint(
         )
       ) *>
       // Validate request parameters
-      (if (responseType != "code") {
+      (if (responseType != "code" && responseType != "code id_token") {
          IO(logger.warn(s"Unsupported response_type: $responseType")) *>
            IO(println(s"Unsupported response_type: $responseType")) *> {
              val error = OidcError(
                "unsupported_response_type",
-               Some("Only 'code' response type is supported"),
+               Some("Supported response types: 'code', 'code id_token'"),
                state = state
              )
              redirectWithError(redirectUri, error)
@@ -163,7 +165,7 @@ class AuthEndpoint(
                    logger.info(s"Client validated, showing login form...")
                  ) *>
                    IO(println(s"Client validated, showing login form...")) *>
-                   showLoginForm(clientId, redirectUri, scope, state, nonce)
+                   showLoginForm(clientId, redirectUri, scope, state, nonce, responseType = responseType)
                }
            }
        })
@@ -268,6 +270,7 @@ class AuthEndpoint(
       )
       state = formData.get("state")
       nonce = formData.get("nonce")
+      responseType = formData.get("response_type").getOrElse("code")
 
       _ <- IO(
         logger.info(
@@ -295,7 +298,8 @@ class AuthEndpoint(
               redirectUri,
               scope,
               state,
-              nonce
+              nonce,
+              responseType
             )
         case Left(error) =>
           // Authentication failed - record failed attempt for rate limiting
@@ -316,7 +320,8 @@ class AuthEndpoint(
               scope,
               state,
               nonce,
-              Some("Incorrect username/password")
+              Some("Incorrect username/password"),
+              responseType
             )
       }
     } yield response
@@ -334,13 +339,22 @@ class AuthEndpoint(
       redirectUri: String,
       scope: String,
       state: Option[String],
-      nonce: Option[String]
+      nonce: Option[String],
+      responseType: String = "code"
   ): IO[Response[IO]] = {
     for {
       _ <- statsService.incrementLoginSuccess(user.username)
       code <- codeService
         .generateCode(clientId, redirectUri, user.sub, scope, state, nonce, user.provider)
-      response <- redirectWithCode(redirectUri, code, state)
+      response <- responseType match {
+        case "code id_token" =>
+          for {
+            idToken <- jwtService.generateHybridIdToken(user, clientId, code, state, nonce)
+            resp <- redirectWithCodeAndIdToken(redirectUri, code, idToken, state)
+          } yield resp
+        case _ =>
+          redirectWithCode(redirectUri, code, state)
+      }
     } yield response
   }
 
@@ -350,7 +364,8 @@ class AuthEndpoint(
       scope: String,
       state: Option[String],
       nonce: Option[String],
-      errorMessage: Option[String] = None
+      errorMessage: Option[String] = None,
+      responseType: String = "code"
   ): IO[Response[IO]] = {
 
     IO(logger.info(s"showLoginForm called for clientId: $clientId")) *>
@@ -484,6 +499,7 @@ class AuthEndpoint(
             <input type="hidden" name="client_id" value="${htmlEncode(clientId)}">
             <input type="hidden" name="redirect_uri" value="${htmlEncode(redirectUri)}">
             <input type="hidden" name="scope" value="${htmlEncode(scope)}">
+            <input type="hidden" name="response_type" value="${htmlEncode(responseType)}">
             $stateParam
             $nonceParam
 
@@ -614,6 +630,23 @@ class AuthEndpoint(
     SeeOther(Location(Uri.unsafeFromString(location)))
   }
 
+  /** Redirect with both code and id_token in the fragment (hybrid flow).
+    * Per OIDC Core 3.3.2.5, when response_type includes a token or id_token,
+    * parameters MUST be returned in the URI fragment.
+    */
+  private def redirectWithCodeAndIdToken(
+      redirectUri: String,
+      code: String,
+      idToken: String,
+      state: Option[String]
+  ): IO[Response[IO]] = {
+    val stateParam = state.map(s => s"&state=${java.net.URLEncoder.encode(s, "UTF-8")}").getOrElse("")
+    val location = s"$redirectUri#code=$code&id_token=$idToken$stateParam"
+    IO(logger.info(s"Redirecting with code and id_token (hybrid flow) to: ${redirectUri}#code=...&id_token=...")) *>
+    IO(println(s"Redirecting with code and id_token (hybrid flow)")) *>
+    SeeOther(Location(Uri.unsafeFromString(location)))
+  }
+
   private def redirectWithError(
       redirectUri: String,
       error: OidcError
@@ -634,13 +667,15 @@ object AuthEndpoint {
       codeService: CodeService[IO],
       statsService: StatsService[IO],
       rateLimitService: RateLimitService[IO],
-      config: OidcConfig
+      config: OidcConfig,
+      jwtService: JwtService[IO]
   ): AuthEndpoint =
     new AuthEndpoint(
       authService,
       codeService,
       statsService,
       rateLimitService,
-      config
+      config,
+      jwtService
     )
 }

src/main/scala/com/tesobe/oidc/endpoints/DiscoveryEndpoint.scala

@@ -46,7 +46,7 @@ class DiscoveryEndpoint(config: OidcConfig) {
       jwks_uri = s"${config.issuer}/jwks",
       revocation_endpoint = s"${config.issuer}/revoke",
       registration_endpoint = if (config.enableDynamicClientRegistration) Some(s"${config.issuer}/connect/register") else None,
-      response_types_supported = List("code"),
+      response_types_supported = List("code", "code id_token"),
       subject_types_supported = List("public"),
       id_token_signing_alg_values_supported = List("RS256"),
       scopes_supported = List("openid", "profile", "email"),
@@ -71,7 +71,7 @@ class DiscoveryEndpoint(config: OidcConfig) {
       jwks_uri = s"${config.issuer}/jwks",
       revocation_endpoint = s"${config.issuer}/revoke",
       registration_endpoint = if (config.enableDynamicClientRegistration) Some(s"${config.issuer}/connect/register") else None,
-      response_types_supported = List("code"),
+      response_types_supported = List("code", "code id_token"),
       subject_types_supported = List("public"),
       id_token_signing_alg_values_supported = List("RS256"),
       scopes_supported = List("openid", "profile", "email"),

src/main/scala/com/tesobe/oidc/server/OidcServer.scala

@@ -276,7 +276,8 @@ object OidcServer extends IOApp {
             codeService,
             statsService,
             rateLimitService,
-            config
+            config,
+            jwtService
           )
           tokenEndpoint = TokenEndpoint(
             authService,

src/main/scala/com/tesobe/oidc/tokens/JwtService.scala

@@ -37,7 +37,7 @@ import com.tesobe.oidc.models.{
 import com.tesobe.oidc.config.OidcConfig
 
 import java.security.interfaces.{RSAPrivateKey, RSAPublicKey}
-import java.security.{KeyPair, KeyPairGenerator, SecureRandom}
+import java.security.{KeyPair, KeyPairGenerator, MessageDigest, SecureRandom}
 import java.time.Instant
 import java.util.{Base64, Date}
 import scala.util.{Failure, Success, Try}
@@ -49,6 +49,13 @@ trait JwtService[F[_]] {
       clientId: String,
       nonce: Option[String] = None
   ): F[String]
+  def generateHybridIdToken(
+      user: User,
+      clientId: String,
+      code: String,
+      state: Option[String] = None,
+      nonce: Option[String] = None
+  ): F[String]
   def generateAccessToken(
       user: User,
       clientId: String,
@@ -140,6 +147,59 @@ class JwtServiceImpl(config: OidcConfig, keyPairRef: Ref[IO, KeyPair])
     } yield signedToken
   }
 
+  /** Compute the left-half hash for OIDC hybrid flow claims (c_hash, at_hash, s_hash).
+    * Per OIDC Core 3.3.2.11: SHA-256 the input, take the left half, base64url-encode.
+    */
+  private def computeHalfHash(value: String): String = {
+    val digest = MessageDigest.getInstance("SHA-256").digest(value.getBytes("ASCII"))
+    val leftHalf = digest.take(digest.length / 2)
+    Base64.getUrlEncoder.withoutPadding().encodeToString(leftHalf)
+  }
+
+  /** Generate an ID token for the hybrid flow (response_type=code id_token).
+    * Includes c_hash (code hash) and optionally s_hash (state hash).
+    * at_hash is not included because no access token is returned from the authorization endpoint.
+    */
+  def generateHybridIdToken(
+      user: User,
+      clientId: String,
+      code: String,
+      state: Option[String] = None,
+      nonce: Option[String] = None
+  ): IO[String] = {
+    for {
+      algorithm <- getAlgorithm
+      now = Instant.now()
+      exp = now.plusSeconds(config.tokenExpirationSeconds)
+      issuer = config.issuer
+
+      _ = logger.info(s"Generating hybrid ID token for user: ${user.sub}, client: $clientId")
+
+      cHash = computeHalfHash(code)
+      _ = logger.info(s"Computed c_hash for hybrid ID token: $cHash")
+
+      token = JWT
+        .create()
+        .withIssuer(issuer)
+        .withSubject(user.sub)
+        .withAudience(user.provider.get)
+        .withIssuedAt(Date.from(now))
+        .withExpiresAt(Date.from(exp))
+        .withKeyId(config.keyId)
+        .withClaim("azp", clientId)
+        .withClaim("name", user.name.orNull)
+        .withClaim("email", user.email.getOrElse(s"${user.sub}@noemail.local"))
+        .withClaim("provider", user.provider.getOrElse(config.issuer))
+        .withClaim("c_hash", cHash)
+
+      tokenWithState = state.fold(token)(s => token.withClaim("s_hash", computeHalfHash(s)))
+      tokenWithNonce = nonce.fold(tokenWithState)(n => tokenWithState.withClaim("nonce", n))
+      signedToken = tokenWithNonce.sign(algorithm)
+
+      _ = logger.info(s"Hybrid ID token generated successfully with azp: $clientId, c_hash: $cHash")
+    } yield signedToken
+  }
+
   def generateAccessToken(
       user: User,
       clientId: String,

src/test/scala/com/tesobe/oidc/OidcProviderIntegrationTest.scala

@@ -66,7 +66,8 @@ class OidcProviderIntegrationTest extends AnyFlatSpec with Matchers {
         codeService,
         statsService,
         rateLimitService,
-        testConfig
+        testConfig,
+        jwtService
       )
       tokenEndpoint = TokenEndpoint(
         authService,