Developer Resources

Get Tokens: Implicit Grant Type

The implicit grant is similar to an authorization code grant, however the user agent will receive an access token directly from an authorization request (rather than swapping an intermediate authorization code).

In this flow,

  • the user requests authentication and authorization via the user agent (step 1 below). If authorized, the authorization server will redirect the user to a URL containing the access token in a URL fragment.

  • The client can then parse this from the URL (step 2) to use for requests to protected resources.

Oauth implicit flow

This grant type is suitable for clients that are unable to keep a secret (i.e. client-side applications like JavaScript). The client is mapped to the authorization server via the redirect_uri, as there is no client secret to authenticate the client, the access token will be sent to a specific URL pre-negotiated between the client and the authorization server.

As the access token is provided to the client in the request URI, it is inherently less secure than the authorization code grant type. For this reason, an implicit grant type cannot take advantage of refresh tokens. Only access tokens can be provided via this grant type.

Capability

Browser-based end user interaction

Yes

Can use external IDP for authentication

Yes

Requires client authentication

No

Requires client to have knowledge of user credentials

No

Refresh token allowed

No

Access token is in context of end user

Yes

Sample Client Configuration

For the implicit grant type example below, the following client information will be used:

Admin Label OAuth2 Parameter Example Value

Client ID

client_id

im_client

Allowed Grant Types

response_type

response_type of "token"

Redirect URIs

redirect_uri

sample://oauth2/code/cb

Scope Settings

scope

edit

Getting the Token

To initiate the process, the client application will redirect the user to the authorization endpoint. This redirect will contain the applicable attributes URL encoded and included in the query string component of the URL.

Using the above parameters as an example, the application will redirect the user to the following URL:

https://localhost:9031/as/authorization.oauth2?client_id=im_client&response_type=token&scope=edit&redirect_uri=sample%3A%2F%2Foauth2%2Fimplicit%2Fcb

This will initiate an authentication process using the browser (user agent). Once the user has authenticated and approved the authorization request they will be redirected to the configured URI with the access token included as a fragment of the URL. A refresh token will NOT be returned to the client:

sample://oauth2/implicit/cb#access_token=zzz...yyy&token_type=bearer&expires_in=14400

  • For mobile scenarios, the redirect_uri may be a custom URL scheme which will cause the access token to be returned to the native application.

  • The implicit response is returned via a URL fragment. The fragment is only visible from client-side code. Therefore if you need to parse the values from server-side code, you must post the values to the server for parsing.