The main difference between the two grant types is all about how the aforementioned OAuth2 access token is requested, obtained and handled; in short, how steps 2 and 3 are actually performed.
In a standard implicit flow, these steps are entirely performed by the client-side part of our web app--often using a client-side SDK such as the Facebook JavaScript SDK--and the external provider's servers. More specifically:
- The pop-up window (step 2) points directly to the external provider's login/authorization page
- After the login and authorization, the OAuth2 access token (step 3) is fetched directly by the client-side part of our web application and then sent to a dedicated server-side API controller, which will ...