The implicit grant is similar to the authorization code grant, except that the user agent receives an access token directly in the response to the authorization request, rather than receiving an intermediate authorization code that is later exchanged for a token.
In this flow, the user requests authentication and authorization via the user agent (step 1 below). If the user authorizes the request, the authorization server redirects the user agent to the client's redirect URI with the access token encoded in the URL fragment. The client then parses the token out of the fragment (step 2) and uses it in requests to protected resources.
Because the access token is delivered to the client in the redirect URI, where it is exposed to the browser (history, any script running on the page, anything else that can read the URL), and because the client itself is never authenticated, this grant type is inherently less secure than the authorization code grant. For this reason the authorization server must not issue a refresh token in an implicit grant; only access tokens can be obtained via this grant type. The OAuth 2.0 Security Best Current Practice recommends against using the implicit grant at all; browser-based clients should use the authorization code grant with PKCE instead.
| Property | Implicit grant |
|---|---|
| Browser-based end user interaction | Yes |
| Can use external IDP for authentication | Yes |
| Requires client authentication | No |
| Requires client to have knowledge of user credentials | No |
| Refresh token allowed | No |
| Access token is in context of end user | Yes |