Implicit flow

Requirements

  • Public application types.

Setup

  • Client registration in the OAuth server.

    • Client receives ClientID.

    • The registration process itself is not specified by OAuth.

Limitations

  • No client authentication.

  • No refresh tokens.

The resource owner uses a mobile or client-side web app.

  • The client.

The client uses the resource server API to get a resource.

  • The resource server redirects the client to the OAuth server.

The OAuth server authenticates the resource owner.

  • And sends an access token to the client.

The client calls the resource server API again to get the resource.

  • This time providing an access token.
