Implicit grant type is recommended used to use to obtain access tokens if if your application (client) is a mobile application or a browser based app such as a JavaScript client. Like in Authorization code GrantSimilar to authorization code grant, implicit Grant grant type is also based in redirection flow but the redirection URI includes the access token in the URI fragment. Because of thatTherefore, the client application is capable of interacting with the resource owner user agent to obtain the access token from the redirection URI which is sent from the authorization server.
The implicit grant type does not require client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. The resource owner needs to authenticate with the authorization server to obtain the access token. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing in the same device.
The diagram below depicts the flow of Implicit Grant.
The client requests for the access token with the client ID and grant type, with optional parameters.
Since the resource owner authenticates directly with the authorization server, his/her credentials will not be shared with the client.
The Authorization Server sends the Access token in through a URI fragment to the client.
Client extract The client extracts the token from the fragment and send sends the API request to the Resource Server with the access token.
| Note |
|---|
With this grant, the The refresh token will not be issued for the client with this grant, as the client type is public. Also note that, the implicit grant does not include client authentication because it does not make use of client secret. |
Invoking the Token API to generate tokens
In his this example we are using use the WSO2 Playground, which is hosted as a web application, to obtain the access token with implicit grant.
| Note | ||
|---|---|---|
| ||
The following instructions use the sample playground webapp. See For instructions on how to set up the sample webapp, see Setting up the Sample Webapp and follow the steps to setup the sample webapp. |
- Login to WSO2 API Manager Store and create an application as below.
Go to production keys tab in the created application, Add http://localhost:8080/playground2/oauth2client as the callback URL and click Generate Keys.
Note Make sure you have select implicit from the Grant Types before generating keys.
- Go to playground app http://wso2is.local:8080/playground2/index.jsp and click import photos.
Give the information in the table below and click Authorize.
Field Sample Value Authorization Grant Type Implicit Client Id Consumer Key obtained for your application Scope The scope you have selected for you application Callback URL The callback URL of your application Authorize Endpoint https://localhost:9443/oauth2/authorize
The playground application redirects to the login page. Enter you username and password and click Sign In.
Click Approve to provide access to your information.
You will receive the access token as follows
...