Using the Implicit Flow with OpenID Connect
Use the Implicit flow when you have implemented a browser-based client using a scripting language such as JavaScript. The Access Token and the ID Token are returned directly to the Client, which may expose these tokens to the user and applications that have access to the user's user agent (such as a web browser).
The Implicit flow uses the Authorization endpoint, and the token endpoint isn't used. The Implicit flow works with confidential, trusted, and public clients.
Note: Public clients don't have credentials, just a client identifier.
The following response_type values are supported with the Implicit flow:
- id_token (ID Token)
- token (Access Token)
- id_token token (both the ID Token and the Access Token)
Obtaining an ID Token
- Request the token.
Request Example
https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=id_token&redirect_uri=<client_redirect_uri>&scope=address+openid+profile&nonce=abcdefg
- User logs in and gives consent (based on the requested scopes).
- Response with ID Token
Response Example
Note: All response parameters are added to the fragment component of the redirection URI.
http://tenant-base-url/#id_token=eyJ4NXQjUzI1.....gF5uyQ
Obtaining an Access Token
There are three steps in the Implicit flow to obtain an Access Token:
- Request the Access Token.
Request Example
https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=token&redirect_uri=<client_redirect_uri>&scope=address+openid+profile
- User logs in and gives consent (based on the requested scopes).
- Response with Access Token
Response Example
Note: All response parameters are added to the fragment component of the redirection URI.
http://tenant-base-url/#access_token=eyJ4NXQjUzI1...4WGvJQ&token_type=Bearer&expires_in=3600
Obtaining an ID Token and an Access Token
- Request the ID Token and Access Token.
Request Example
https://tenant-base-url/oauth2/v1/authorize?client_id=<client_id>&response_type=id_token token&redirect_uri=<client_redirect_uri>&scope=address+openid+profile&nonce=abcdefghijkl
- User logs in and gives consent (based on the requested scopes).
- Response with Access Token and ID Token
Response Example
Note: All response parameters are added to the fragment component of the redirection URI.
http://tenant-base-url/#access_token=eyJ4NXQjUzI....XWGmeQ&id_token=eyJ4NXQjUzI1....&token_type=Bearer&expires_in=3600
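Because the tokens arrive in the fragment of the redirect URI, the browser client has to parse them itself and tie the returned ID Token back to the nonce it sent in the authorize request. The following is an added example, not code from these docs: it parses a fragment of the shape shown above and rejects responses whose nonce does not match the one the client generated. The sample token, the claim values and the `placeholder-signature` are constructed; checking the signature against the tenant's JWKS is a separate step that this snippet does not perform.

```javascript
// Added example (not from the original page): handle the Implicit flow
// response that lands in the URL fragment and correlate the ID Token nonce.
// Signature verification against the tenant's JWKS is NOT done here and is
// still required before any claim is trusted.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}
function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Response parameters are in the fragment (after '#'), not in the query string.
function parseFragment(redirectedUrl) {
  const hash = new URL(redirectedUrl).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(hash));
}

// expectedNonce is the value the client stored before redirecting to /authorize.
// Returns { ok: true, claims } or { ok: false, reason }.
function checkImplicitResponse(redirectedUrl, expectedNonce, nowSeconds) {
  const p = parseFragment(redirectedUrl);
  if (p.error) return { ok: false, reason: `server error: ${p.error}` };
  if (p.access_token && p.token_type !== 'Bearer') return { ok: false, reason: 'unexpected token_type' };
  if (!p.id_token) return { ok: false, reason: 'id_token missing' };
  const parts = p.id_token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed id_token' };
  let claims;
  try { claims = JSON.parse(base64UrlDecode(parts[1])); } catch { return { ok: false, reason: 'undecodable payload' }; }
  // A mismatched or missing nonce means this token was not minted for this request.
  if (claims.nonce !== expectedNonce) return { ok: false, reason: 'nonce mismatch' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return { ok: false, reason: 'id_token expired' };
  return { ok: true, claims };
}

// Constructed sample token (placeholder signature) used only to exercise the parser.
function sampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.placeholder-signature`;
}
const NOW = 1700000000; // constructed "current time" in seconds
const SAMPLE_URL = 'http://tenant-base-url/#access_token=constructed-access-token&id_token=' +
  sampleToken({ sub: 'user1', nonce: 'abcdefghijkl', exp: NOW + 3600 }) + '&token_type=Bearer&expires_in=3600';

console.log(checkImplicitResponse(SAMPLE_URL, 'abcdefghijkl', NOW));          // ok: true
console.log(checkImplicitResponse(SAMPLE_URL, 'other-nonce', NOW).reason);    // nonce mismatch
```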