Implicit Grant Type
Use this grant type when the custom application can't keep client credentials confidential and receives an access token directly from an authorization request rather than through an intermediate authorization code.
The following diagram displays the Implicit Grant Type flow.
In this OAuth flow:
-
A custom application, for example, is implemented in a client-side application using a scripting language such as JavaScript or implemented for a mobile device. The user requests authentication and authorization through the application.
-
The client application prompts the user to provide their credentials.
-
The user enters their credentials.
-
If authorized, the user is redirected to a URL that contains the access token in a URL fragment.
-
The application extracts the access token from the URL.
-
The application uses the access token in a request for protected resources, such as a list of users.
| Function | Available |
|---|---|
| Requires client authentication | No |
| Requires client to have knowledge of user credentials | No |
| Browser-based end user interaction | Yes |
| Can use an external Identity Provider for authentication | Yes |
| Refresh token is allowed | No |
| Access token is in the context of the end user | Yes |
See an example Implicit Grant Type authorization flow.