The Implicit Grant is a simplified Authorization Code Flow optimized for clients implemented in a browser using a scripting language such as JavaScript.

In the Implicit Grant, instead of issuing the client an Authorization Code, the OAuth Client is issued an Access Token directly (as the result of the Resource Owner authorization). The Grant Type is implicit, as no intermediate credentials (such as an Authorization Code) are issued (and later used to obtain an Access Token).

When issuing an Access Token during the Implicit Grant flow, the Authorization Server does not authenticate the OAuth Client. In some cases, the OAuth Client identity can be verified via the redirection URI used to deliver the Access Token to the OAuth Client. The Access Token may be exposed to the Resource Owner or other applications with access to the Resource Owner's user-agent.

Implicit Grants improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since they reduce the number of round trips required to obtain an Access Token. However, this convenience should be weighed against the security implications of using Implicit Grants, such as those described in Sections 10.3 and 10.16, especially when the Authorization Code Grant Type is available.

There are NO Refresh Tokens with an Implicit Grant.
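
The following is an added example, not part of the original page: a browser client that builds the Implicit Grant request and then validates the response delivered in the redirection URI fragment. The function names, endpoint URLs, client identifier and token values are constructed for illustration; the parameter names (response_type, state, access_token, token_type, expires_in) are the standard OAuth 2.0 ones.

```javascript
// Build the authorization request. response_type=token selects the Implicit Grant.
// `state` must be an unguessable value the caller generated (for example with
// crypto.getRandomValues in the browser) and stored for this session.
function buildAuthorizationUrl(authorizeEndpoint, clientId, redirectUri, state) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  return url.toString();
}

// Validate the URL the user-agent was redirected back to. The Access Token
// arrives in the fragment, so it is readable by any script in the page and can
// linger in browser history unless the client removes it.
function parseImplicitResponse(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);
  const params = new URLSearchParams(url.hash.slice(1));

  // The Authorization Server did not authenticate the client, so the client
  // itself must check that this response answers a request it made.
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: response was not requested by this session");
  }
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  const token = params.get("access_token");
  const type = (params.get("token_type") || "").toLowerCase();
  if (!token || type !== "bearer") {
    throw new Error("missing access_token or unsupported token_type");
  }
  const expiresIn = Number(params.get("expires_in"));

  url.hash = ""; // caller should history.replaceState(null, "", cleanUrl)
  return {
    accessToken: token,
    // No Refresh Token exists in this grant: after expiry the flow is re-run.
    expiresIn: Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : null,
    cleanUrl: url.toString(),
  };
}
```

In a page, call parseImplicitResponse(window.location.href, storedState) once on load and keep the token in memory only.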

This page (revision-3) was last changed on 15-Jun-2015 16:20 by jim