Implicit Grant

The implicit grant is similar to the authorization code grant with two distinct differences.

  • Firstly, it is used for user-agent-based clients, for example single-page web apps that cannot keep a client secret because all of the application code and storage are easily accessible to the user.

  • Secondly, instead of the authorization server returning an authorization code which is exchanged for an access token, the authorization server returns an access token.

The following diagram describes the workflow of the implicit grant.

The workflow for implicit grant includes the following steps:

  1. The OAuth client initiates the flow by directing the user agent of the resource owner to the authorization endpoint. The OAuth client includes its client identifier, requested scope, local state, and a redirection URI. The authorization server sends the user agent back to the redirection URI after access is granted or denied.

  2. The authorization server authenticates the resource owner through the user agent and verifies whether the resource owner grants or denies the access request.

  3. If the resource owner grants access, the authorization server redirects the user agent back to the client using the redirection URI provided earlier. The redirection URI includes the access token in the URI fragment.

  4. The user agent follows the redirection instructions by making a request to the web server without the fragment. The user agent retains the fragment information locally.

  5. The web server returns a web page, which is typically an HTML document with an embedded script. The web page can access the full redirection URI, including the fragment retained by the user agent, and the script can extract the access token and the other parameters contained in the fragment.

  6. The user agent runs the script provided by the web server locally, which extracts the access token and passes it to the client.