Versions Compared

Old Version 16

changes.mady.by.user Former user

Saved on

compared with

New Version 17

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Tested and updated

Implicit grant type is used to obtain access tokens if your application (client) is a mobile application or a browser based app such as a JavaScript client. Similar to authorization code grant, the implicit grant type is also based in on redirection flow but the . The redirection URI includes the access token in the URI fragment. Therefore, the client application is capable of interacting with the resource owner user agent to obtain the access token from the redirection URI which is sent from the authorization server.

The implicit grant type does not require client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. The resource owner needs to authenticate with is authenticated by the authorization server to obtain the access token. Because the The access token is encoded into the redirection URI, it . This may be exposed to the resource owner and other applications residing in inside the same device.

The diagram below depicts the flow of Implicit Grant.

  1. The client requests for the access token with the client ID and grant type, with and other optional parameters.

  2. Since the resource owner authenticates directly with the authorization server, his/her their credentials will not be shared with the client.

  3. The Authorization Server sends the Access access token through a URI fragment to the client.

  4. The client extracts the token from the fragment and sends the API request to the Resource Server with the access token.

Note

The refresh token will not be issued for the client with this grant, as the client type is public. Also note that, the implicit grant does not include client authentication because it does not make use of client secret.

Invoking the Token API to generate tokens  

In this example we use the WSO2 Playground, which is hosted as a web application, to obtain the access token with implicit grant.

...

  1. Login to WSO2 API Manager Store and create an application as below.
    Image RemovedImage Added

  2. Go to production keys tab in the created application, Add http://localhost:8080/playground2/oauth2client as the the callback URL,select implicit in the given  select implicit from the grant type list list and click Generate Keys. 

    Note

    By default the implicit and code grant type selection checkboxes are disabled in the UI. You need to enter the callback URL first to enable selecting the implicit grant type.

    Image RemovedImage Added

  3. Go to playground app http://wso2is.local:8080/playground2/index.jsp and click click import photos.
    Image RemovedImage Added

  4. Give the information in the table below and click Authorize.

    FieldSample Value
    Authorization Grant TypeImplicit
    Client IdConsumer Key obtained for your application
    ScopeThe scope you have selected for you application
    Callback URLThe callback URL of your application
    Authorize Endpointhttps://localhost:
    9443
    8243/oauth2/authorize

    Image RemovedImage Added

  5. The playground application redirects to the login page. Enter you username and password and click Sign In.

  6. Click Approve to provide access to your information.

  7. You will receive the access token as follows 

    access-token.pngImage Modified

Note

Note that for users to be counted in the Registered Users for Application statistics which takes the number of users shared each of the Application, they should have to generate access tokens using Password Grant type.

...