Using the Implicit Flow with OpenID Connect

Use the Implicit flow when you have implemented a browser-based client using a scripting language such as JavaScript. The Access Token and the ID Token are returned directly to the Client in the fragment of the redirection URI, which exposes these tokens to the user and to any application or script that has access to the user's user agent (such as a web browser), including browser history and browser extensions. Because of this exposure, the OAuth 2.0 Security Best Current Practice recommends the Authorization Code flow (with PKCE) over the Implicit flow for browser-based clients, so check whether that flow is available to you before choosing this one.

There is no programmatic/back-channel token request involved in this flow (unlike the request that the Public Client makes to the Token endpoint in the Authorization Code flow example). All tokens are returned from the Authorization endpoint, and the Token endpoint isn't used. The Implicit flow works with confidential, trusted, and public clients.

Note:

Public clients don't have credentials, just a client identifier.

The following response_type values are supported with the Implicit flow:

  • id_token (ID Token)

  • token (Access Token)

  • id_token token (both the ID Token and the Access Token)

Obtaining an ID Token

There are three steps in the Implicit flow to obtain an ID Token:

  1. Request the token.

    Request Example

    https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=id_token&redirect_uri=<client_redirect_uri>&scope=address+openid+profile&nonce=abcdefg

    The nonce value (abcdefg is only a placeholder) must be a fresh, unguessable random value that the client generates and remembers for this request; it's required whenever response_type includes id_token. Include a state parameter in the same way so that the client can tie the response back to the request it started and reject responses it didn't initiate.

  2. User logs in and gives consent (based on the requested scopes).

  3. Response with ID Token

    Response Example

    Note:

    All response parameters are added to the fragment component of the redirection URI.
    http://tenant-base-url/#id_token=eyJ4NXQjUzI1.....gF5uyQ

    Before trusting the ID Token, the client must validate it: verify the signature against the tenant's signing keys, and check that iss is the tenant, aud contains the client_id, exp hasn't passed, and the nonce claim equals the value sent in step 1.

Obtaining an Access Token

There are three steps in the Implicit flow to obtain an Access Token:

  1. Request the Access Token.

    Request Example

    https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=token&redirect_uri=<client_redirect_uri>&scope=address+openid+profile
  2. User logs in and gives consent (based on the requested scopes).

  3. Response with Access Token

    Response Example

    Note:

    All response parameters are added to the fragment component of the redirection URI.
    http://tenant-base-url/#access_token=eyJ4NXQjUzI1...4WGvJQ&token_type=Bearer&expires_in=3600

    The Access Token is a bearer token: anything that reads it from the fragment can use it until expires_in (in seconds) elapses. Read it once, then remove it from the URL (for example with history.replaceState) so that it doesn't remain in browser history.

Obtaining an ID Token and an Access Token

There are three steps in the Implicit flow to obtain both the ID Token and the Access Token:

  1. Request the ID Token and Access Token.

    Request Example

    https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=id_token%20token&redirect_uri=<client_redirect_uri>&scope=address+openid+profile&nonce=abcdefghijkl

    The response_type value is id_token token (two words separated by a space); the space must be URL-encoded as %20 or + in the request.

  2. User logs in and gives consent (based on the requested scopes).

  3. Response with Access Token and ID Token.

    Response Example

    Note:

    All response parameters are added to the fragment component of the redirection URI.
    http://tenant-base-url/#access_token=eyJ4NXQjUzI....XWGmeQ&id_token=eyJ4NXQjUzI1....&token_type=Bearer&expires_in=3600

    Validate the ID Token as described for the ID Token flow (signature, iss, aud, exp, nonce). In addition, the ID Token carries an at_hash claim (the base64url encoding of the left half of the SHA-256 hash of the Access Token); the client must recompute it from the received Access Token and compare, otherwise an attacker can substitute an Access Token obtained elsewhere alongside a valid ID Token.