Implicit grant type is recommended used to use to obtain access tokens if if your application (client) is a mobile application or a browser based app such as a JavaScript client. Like in Authorization code Grant, implicit Grant Similar to authorization code grant, the implicit grant type is also based in on redirection flow but the . The redirection URI includes the access token in the URI fragment. Because of thatTherefore, the client application is capable of interacting with the resource owner user agent to obtain the access token from the redirection URI which is sent from the authorization server.
The implicit grant type does not require client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. The resource owner needs to authenticate with is authenticated by the authorization server to obtain the access token. Because the The access token is encoded into the redirection URI, it . This may be exposed to the resource owner and other applications residing in inside the same device.
The diagram below depicts the flow of Implicit Grant.
The client requests for the access token with the client ID and grant type with , and other optional parameters.
Since the resource owner authenticates directly with the authorization server, his/her their credentials will not be shared with the client.
The Authorization Server sends the Access access token in through a URI fragment to the client.
Client extract The client extracts the token from the fragment and send sends the API request to the Resource Server with the access token.
Note |
---|
With this grant, the The refresh token will not be issued for the client with this grant, as the client type is public. Also note that , the implicit Implicit grant does not include client authentication because it does not make use of the client secret . |
Invoking the Token API to generate tokens
In his example we are using WSO2 Playground hosted as a web application to obtain the access token with implicit grant.
Setup WSO2 Playground sample webapp in a Application server. You can use WSO2 Identity Server to host the web application following below steps.
...
You can check out the repository of the OAuth 2.0 sample from GitHub. Follow the instructions here tocheckout the folder. We refer <SAMPLE_HOME> as the modules/samples folder inside the folder where the product-is repository is checked out.
...
Open a terminal window and add the following entry to the /etc/hosts
file of your machine to configure the hostname.
Info | ||
---|---|---|
| ||
Some browsers do not allow you to create cookies for a naked hostname, such as The
|
Code Block | ||
---|---|---|
| ||
127.0.0.1 wso2is.local |
...
In your command line, navigate to <SAMPLE_HOME>/oauth2/playground2
in the folder you checked out and build the sample using the following command. You must have Apache Maven installed to do this (see Installation Prerequisites for the appropriate version to use).
Code Block |
---|
mvn clean install |
...
After successfully building the sample, a .war
file named playground2 can be found inside the <SAMPLE_HOME>/oauth2/playground2/target
folder. Deploy this sample web app on a web container. To do this, use the Apache Tomcat server.
Note |
---|
Since this sample is written based on Servlet 3.0 it needs to be deployed on Tomcat 7.x. |
Use the following steps to deploy the web app in the web container:
- Stop the Apache Tomcat server if it is already running.
- Copy the
playground2.war
file to the<TOMCAT_HOME>/webapps
folder. - Start the Apache Tomcat server.
...
Make sure to update param-value the following parameter in the WEB-INF/web.xml
file with the serverurl of the Identity Server if required. Service URL should have the port the application is started up with. If you have started the Identity Serve with anoff set, then the matching port should be configuredhear.
Code Block |
---|
<init-param>
<description>serverUrl</description>
<param-name>serverUrl</param-name>
<param-value>https://localhost:9443/services/</param-value>
</init-param> |
Info |
---|
Note that |
...
Update param-value of the parameters below with credentials of an admin user if required.
Code Block |
---|
<init-param>
<description>userName</description>
<param-name>userName</param-name>
<param-value>admin</param-value>
</init-param>
<init-param>
<description>password</description>
<param-name>password</param-name>
<param-value>admin</param-value>
</init-param> |
...
Update the hostname
in etc/hosts
to wso2is.local
or something similarly appropriate.
Restart Apache Tomcat and access http://wso2is.local:8080/playground2/
(assuming Tomcat is running on HTTP port 8080). You are directed to the landing page of the sample application. Click on Import Photos and the following page appears.
...
of the application |
The following parameters are required to implement the Implicit grant type in WSO2 API Manager.
Name | Description | Sample value |
---|---|---|
scope | The OAuth scope you are requesting for the particular token | openid |
response_type | The required response format | id_token |
redirect_uri | The URL of the Oauth application requesting for the token | http://localhost:8080/playground2/oauth2client |
nonce | Any random value | 13e2312637dg136e1 |
client_id | Client ID of the OAuth application | mzdQQ0RZOIqAf549ucIImB4h0SIa |
An example is given below :
Code Block |
---|
https://localhost:8243/authorize
scope=openid
&response_type=id_token
&redirect_uri=http://localhost:8080/playground2/oauth2client
&nonce=13e2312637dg136e1
&client_id=mzdQQ0RZOIqAf549ucIImB4h0SIa |
Invoking the Token API to generate tokens
In this example we use the WSO2 Playground, which is hosted as a web application, to obtain the access token with implicit grant.
Note | ||
---|---|---|
| ||
The following instructions use the sample playground webapp. For instructions on how to set up the sample webapp, see Setting up the Sample Webapp. |
- Login to WSO2 API Manager Store and create an application as shown below.
Go to
productionthe Production keys tab
infor the
createdapplication
,. Add http://localhost:8080/playground2/oauth2client as the
callback URL, select implicit from the Grant TypesCallback URL. Select Implicit from the list of grant types and click Generate Keys.
Visit the URLNote The Implicit grant and Code grant type checkboxes are disabled by default in the UI. To enable selecting the checkboxes, enter the Callback URL for the application.
- Go to playground app http://wso2is.local:8080/playground2/oauth2index.jsp to start the web application and click import photos.
Give the information in the table below and click Authorize.
Field Sample Value Authorization Grant Type Implicit Client Id Consumer Key obtained for your application Scope The scope you have selected for you application Callback URL The callback URL of your application Authorize Endpoint https://localhost:8243/authorize
The playground application redirects to the login page. Enter you username and password and click Sign In.
Click Approve to provide access to your information.
You will receive the access token as follows
Note |
---|
For users to be counted in the Registered Users for Application statistics, which takes the number of users shared each of the Application, they have to generate access tokens using Password Grant type. |