Overview#Implicit Flow is the OAuth 2.0 Protocol Flow for the Implicit Grant which would typically be used with a OAuth Public Client as is often encountered in Mobile Apps where the OAuth Client can NOT be trusted with Credentials.
Since this is a redirection-based flow, the client must be capable of interacting with the Resource Owner's User-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the Authorization Server.
Unlike the Authorization Code Grant type, in which the client makes separate requests for authorization and for an Access Token, the client receives the Access Token as the result of the authorization request.
Implicit Flow has always been seen as a compromise compared to the Authorization Code flow. For example, the spec provides no mechanism to return a Refresh_token in the Implicit Flow, as it was seen as too insecure to allow that. The spec also recommends short lifetimes and limited scope for access tokens issued via the Implicit Flow.
The implicit grant type does not include client authentication, and relies on the presence of the Resource Owner and the registration of the redirection URI. Because the Access Token is encoded into the redirection URI, the Access Token may be exposed to the Resource Owner and other applications residing on the same device.
+----------+ | Resource | | Owner | | | +----------+ ^ | (B) +----|-----+ Client Identifier +---------------+ | -+----(A)-- & Redirection URI --->| | | User- | | Authorization | | Agent -|----(B)-- User authenticates -->| Server | | | | | | |<---(C)--- Redirection URI ----<| | | | with Access Token +---------------+ | | in Fragment | | +---------------+ | |----(D)--- Redirection URI ---->| Web-Hosted | | | without Fragment | Client | | | | Resource | | (F) |<---(E)------- Script ---------<| | | | +---------------+ +-|--------+ | | (A) (G) Access Token | | ^ v +---------+ | | | Client | | | +---------+
(A) #The client initiates the flow by directing the resource owner's User-agent to the Authorization_endpoint. The client includes:
- requested OAuth Scopes
- local state
- redirect_uri - to which the authorization server will send the User-agent back once access is granted (or denied).
(B)#The Authorization Server authenticates the Resource Owner (via the User-agent) and establishes whether the Resource Owner grants or denies the client's access request.
(C)#Assuming the Resource Owner grants access, the Authorization Server redirects the User-agent back to the client using the Redirect URI provided earlier. The Authorization Response includes:
- Access Token in the URI fragment