Implicit Grant Type

Use this grant type when the custom application can't keep client credentials confidential and receives an access token directly from an authorization request rather than through an intermediate authorization code.

The following diagram displays the Implicit Grant Type flow.

A diagram that illustrates the Implicit Grant Type flow.

In this OAuth flow:

  1. A custom application is implemented, for example, as a client-side application in a scripting language such as JavaScript, or as an application for a mobile device. The user requests authentication and authorization through the application.

  2. The client application prompts the user to provide their credentials.

  3. The user enters their credentials.

  4. If authorized, the user is redirected to a URL that contains the access token in a URL fragment.

  5. The application extracts the access token from the URL.

  6. The application uses the access token in a request for protected resources, such as a list of users.
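The fragment handling in steps 4 through 6, as an added example that is not part of the original page. The `state` check is an assumption taken from RFC 6749 rather than from this page, and the host names, callback path, state value and token are constructed placeholders.

```javascript
// Added example, not from the original page. Host names, the callback path,
// the state value and the token are constructed placeholders.

// Steps 4-5: read the token fields from the fragment of the redirect URL.
function parseImplicitRedirect(redirectUrl, expectedState) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, "");
  const params = new URLSearchParams(fragment);
  // Failures are reported in the fragment as well (RFC 6749, section 4.2.2.1).
  if (params.has("error")) {
    throw new Error(`authorization failed: ${params.get("error")}`);
  }
  // Assumption: the client sent a state value with the authorization request
  // and kept a copy; a response that does not echo it is rejected.
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch");
  }
  const accessToken = params.get("access_token");
  const tokenType = (params.get("token_type") || "").toLowerCase();
  if (!accessToken || tokenType !== "bearer") {
    throw new Error("missing access_token or unsupported token_type");
  }
  const expiresIn = Number(params.get("expires_in"));
  // No refresh token is issued in this flow, so expiry means re-authorizing.
  return { accessToken, expiresIn: expiresIn > 0 ? expiresIn : null };
}

// Step 6: the token travels in the Authorization header, never in the URL.
function buildResourceRequest(resourceUrl, token) {
  return {
    url: resourceUrl,
    method: "GET",
    headers: { Authorization: `Bearer ${token.accessToken}`, Accept: "application/json" },
  };
}

// URL with the fragment removed, suitable for history.replaceState() in a
// browser so the token does not stay in the address bar or session history.
function stripFragment(redirectUrl) {
  const u = new URL(redirectUrl);
  u.hash = "";
  return u.toString();
}

// Constructed sample of the redirect described in step 4.
const SAMPLE_REDIRECT =
  "https://app.example.com/callback#access_token=constructed-token-123" +
  "&token_type=Bearer&expires_in=3600&state=af0ifjsldkj";
```
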

| Function | Available |
| --- | --- |
| Requires client authentication | No |
| Requires client to have knowledge of user credentials | No |
| Browser-based end user interaction | Yes |
| Can use an external Identity Provider for authentication | Yes |
| Refresh token is allowed | No |
| Access token is in the context of the end user | Yes |

See an example Implicit Grant Type authorization flow.