
Implicit Grant Type

This flow is intended for mobile applications or client-side web applications with no server-side component, that is, public clients that cannot keep a client secret confidential. The implicit grant never calls the token endpoint, so no client secret is involved: the tokens are returned directly from the authorization endpoint to the browser. Because the tokens are delivered in the URI fragment and the access token is not bound to the client in any way, current OAuth 2.0 security guidance (the OAuth 2.0 Security Best Current Practice) recommends the authorization code grant with PKCE for these clients instead; if the implicit grant is used anyway, the state and nonce checks described below are the client's only protection against CSRF and token replay.

Authorization request

In this flow, the client sends the user's browser to the server's authorization endpoint. If the request contains id_token in response_type and openid in scope, it is treated as an authentication (OpenID Connect) request, and an ID token will be issued.

GET /oauth/authorize

Parameter (required?): description

response_type (required): Value must be token, id_token, or token id_token. If token is specified, only an access token will be issued. If id_token is specified, only an ID token will be issued. If token id_token is specified, both an access token and an ID token will be issued.
client_id (required): The client ID.
redirect_uri (optional): A redirect URI registered to the client. The authorization response, tokens included, is delivered to this URI, so it must be one of the client's registered redirect URIs.
scope (optional): A space-delimited set of scope names. If omitted, the client's default scopes are used.
state (optional): An opaque value that the client generates, keeps for the duration of the request, and uses to maintain state between the request and the redirect response. The server returns it unchanged, and the client must reject any response carrying a state it did not issue. Used this way, with an unguessable value bound to the user's browser session, it mitigates CSRF against the redirect URI. Although optional for the server, a client should always send one.
nonce (required): A value that the client uses to associate a client-specific session with the end user's authentication state at the server. It is passed through as-is into the nonce claim of the ID token; the client must verify that the claim equals the value it sent, which prevents a captured ID token from being replayed into another session.
prompt (optional): Used by the client to direct the server's behavior when logging in or prompting the end user for consent. Value may be none, login, consent, or login consent.
max_age (optional): The maximum elapsed time in seconds since the user was last authenticated. This allows the client to force re-authentication after the given interval.
acr_values (optional): A space-delimited set of authentication context class reference values. This allows the client to dictate the security level of an authentication request; the server may require second-factor authentication based on this parameter.

Scopes requested using this grant type must be of type Generic or Authenticated Identity.

Example authorization request:

https://example.com/oauth/authorize?response_type=token+id_token
&client_id=<clientId>
&redirect_uri=https://example.com/callback/
&scope=openid+email
&state=RGV1cyBlc3Qgc3BoYWVyYSBpbmZpbml0YSBjdWl1cyBjZW50cnVtIGVzdCB1YmlxdWUsIGNpcmN1bWZlcmVudGlhIG51c3F1YW0=
&nonce=SSBzcGVhayBKaXZlCg

Authorization response

If the user authorizes the request, the browser is redirected to the client's redirect URI with the response parameters, including the access token, appended to the URI's fragment; that is, as a set of key/value pairs following the # character. The browser does not send the fragment to the server when it fetches the redirect URI, so the tokens are available to client-side code on that page but do not appear in the server's request logs. They are still exposed to any script running on the page and to the browser history, so the client script should read the fragment once and then clear it.

Parameter (provided?): description

access_token: The access token. Always returned if the response_type value was token or token id_token.
token_type: The access token type. The value is always Bearer (token type names are case-insensitive, so the example below spells it bearer). Always returned if the response_type value was token or token id_token.
id_token: The ID token. Always returned if the response_type value was id_token or token id_token.
state: The same state value provided in the authorization request, returned whenever the request included one.
expires_in: A value in seconds indicating the lifetime of the access token. Always returned if the response_type value was token or token id_token.
scope (always): A space-delimited set of the scopes actually granted. This may be a subset of the requested scopes, so the client should check it rather than assume it received everything it asked for.

Example authorization redirect response:

https://example.com/callback/#access_token=eyJraWQiOiJBY2Nlc3MgVG9rZW4gU2lnbmluZyBLZXkgUGFpciIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJVc2Vyc1wvOTkyM2RiYjgtZTdjNi00NjlmLWI3ZGItYWY3OTMxNzc0MDQ0Iiwic2NvcGUiOiJvcGVuaWQgZW1haWwiLCJleHAiOjE0NzUzMzc4NTUsImlhdCI6MTQ3NDkwNTg1NSwiY2xpZW50X2lkIjoidGVzdDEiLCJqdGkiOiJhLnllWGo3USJ9.BCtPo2cBs9ovSOQnAK7nHOQrxgQiD3by82B-Jbz3Adm2Pr9-LcxMBJ0XVDT_w5JkW1tVE4_lfUITr2Zme72xA-7Pr_jAi-IZAbTAryrt80tphWRasNto7zupc7YjX9qXHLJiq_3hqjA5cQshSZevepION5OHHMeu0Sw_lkJVi5vZatZVdes7e28hD8lJmcmQPK6C3Q6MgSzOLs-OyYAdQd7nUjkigrLpke0OzDsAygAkBU4VIPm2Jn5db7KkjJ3H0BCekRqY8E2e4mbGf0ltlxTOqc7uaMPDt8YNVnFjv8_IY16GzFc1lx9-SOMGy8kSqg5A8jTRhgiDOTzcUtkm7g
&token_type=bearer
&state=RGV1cyBlc3Qgc3BoYWVyYSBpbmZpbml0YSBjdWl1cyBjZW50cnVtIGVzdCB1YmlxdWUsIGNpcmN1bWZlcmVudGlhIG51c3F1YW0=
&id_token=eyJraWQiOiJyc2EtaWR0b2tlbiIsImFsZyI6IlJTMjU2In0.eyJhdF9oYXNoIjoiWExXSG5LTHBVczc0cC1SbzZocEI1dyIsImFjciI6IkRlZmF1bHQiLCJzdWIiOiJVc2Vyc1wvOTkyM2RiYjgtZTdjNi00NjlmLWI3ZGItYWY3OTMxNzc0MDQ0IiwiYXVkIjoidGVzdDEiLCJhbXIiOlsicHdkIl0sImF1dGhfdGltZSI6MTQ3NDg5ODE4NCwiaXNzIjoiaHR0cHM6XC9cL2V4YW1wbGUuY29tIiwiZXhwIjoxNDc0OTA2NzU1LCJpYXQiOjE0NzQ5MDU4NTUsIm5vbmNlIjoiU1NCemNHVmhheUJLYVhabENnIn0.Xp34PK5MU9E-1bkvm5ved_21JL4DxLQm1O9P02eobmgg1PBACSdd2rysTmEILviKkFYdUU5jEG-Vx64ucfRuaPqIdBqAyJyob240dQzgLuXhVNCeBd4sE2UV79fsifjVtHY3Mnr-4V0Zo9dxcNncHralddkWDo_M2VzYU4GD6rSg2T1bBrqPqbEpGiLvsgme7dqwgSjDkrSnDvWvIfuGn4u42VH4tsf0eOfpviG0qUnoo42EHLpY-2O7xCkqGwLVBBQOzHzOtGAw-P3Ug7I3EoBKXZJ6Bu1y7RX8vz22j6nRWZQ9GX3LbeT0onhN5r6IDjuhrhwz7LgA0Zx3YZsfCA