The implicit grant is similar to an authorization code grant, however the user agent will receive an access token directly from an authorization request (rather than swapping an intermediate authorization code).
In this flow, the user requests authentication and authorization via the user agent (step 1 below). If authorized, the authorization server will redirect the user to a URL containing the access token in a URL fragment. The client can then parse this from the URL (step 2) to use for requests to protected resources.
This grant type is suitable for clients that are unable to keep a secret (i.e. client-side applications like JavaScript). The client is mapped to the authorization server via the redirect_uri, as there is no client secret to authenticate the client, the access token will be sent to a specific URL pre-negotiated between the client and the authorization server.
As the access token is provided to the client in the request URI, it is inherently less secure than the authorization code grant type. For this reason, an implicit grant type cannot take advantage of refresh tokens. Only access tokens can be provided via this grant type.
| Capability | |
|---|---|
| Browser-based end user interaction | Yes |
| Can use external IDP for authentication | Yes |
| Requires client authentication | No |
| Requires client to have knowledge of user credentials | No |
| Refresh token allowed | No |
| Access token is in context of end user | Yes |