Example Authorization Flow

This example describes the authorization flow for the Implicit grant type, which is used by applications that run in a web browser using a scripting language such as JavaScript, or that run on a mobile device. The access token is returned to the client through a browser redirect in response to the resource owner's authorization request, rather than through an intermediate authorization code.

When you create an application for client-side application authorization in the Oracle Identity Cloud Service administration console UI:

  • Specify that this is a Mobile Application type.

  • Select Implicit as the grant type. This type of application cannot keep a client secret confidential, because it runs in an unauthenticated web browser or on a mobile device.

See Implicit Grant Type for more information on the Implicit grant type and an authorization flow diagram.

Processing Steps

  1. A user clicks a Login link in their browser application or taps a Login button on their device, requesting access to protected resources from a client application.

  2. The client redirects the browser to the Oracle Identity Cloud Service OAuth Authorization Server with a request for authorization.

    The login URL contains query parameters that indicate the type of access being requested:

    Example Request
    https://acme.identity.us.oraclecloud.com/oauth2/v1/authorize?client_id=<client-id>&response_type=token&redirect_uri=<client-redirect-uri>&scope=<scope>&nonce=<nonce-value>

    Note:

    A nonce value is a cryptographically strong random string that you use to prevent intercepted responses from being reused.

  3. If the user is not already logged in, the Oracle Identity Cloud Service OAuth Authorization Server challenges the user to authenticate. The OAuth Authorization Server authenticates the user and provides a consent page for the user to authorize the sharing of information.

  4. After the user authorizes, the Oracle Identity Cloud Service OAuth Authorization Server redirects the browser to the requesting site with an access token.

    Note:

    If the user does not authenticate, an error is returned rather than the access token.

  5. The access token that is returned contains all applicable Oracle Identity Cloud Service scopes, based on the privileges represented by the Oracle Identity Cloud Service application roles granted to the requesting client application and to the user specified in the client's request (if present).

  6. The requesting site uses the access token in an API call to obtain protected data.