Chapter 3. Client-Side Web Applications Flow

The Implicit Grant flow for browser-based client-side web applications is very simple. In this flow, an access token is immediately returned to the application after a user grants the requested authorization. An intermediate authorization code is not required as it is in the server-side Web Application flow (see Chapter 2).

Figure 3-1 shows a step-by-step flow diagram, based on a diagram from the specification.

Figure 3-1. Client-Side Web Applications flow: Step-by-step
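As an added example (not code from the book), the two browser-side halves of the flow in Figure 3-1: building the authorization request with `response_type=token`, and, after the user approves, reading the access token the provider places in the URL fragment of the redirect. The endpoint, client_id, redirect_uri and sample token are placeholders; the `state` check is the standard defence against a token being handed to the client from a redirect it did not initiate.

```javascript
// Added example, not from the book. Endpoint, client_id, redirect_uri and
// the sample values below are constructed placeholders.
const AUTHORIZATION_ENDPOINT = 'https://provider.example/oauth2/authorize'; // assumed
const CLIENT_ID = 'example-browser-app';                                     // assumed
const REDIRECT_URI = 'https://app.example/callback';                          // assumed

// Step 1: the client sends the user to the provider. response_type=token asks
// for the access token directly; no intermediate authorization code is issued.
function buildAuthorizationUrl(scope, state) {
  const params = new URLSearchParams({
    response_type: 'token',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope,
    state,
  });
  return `${AUTHORIZATION_ENDPOINT}?${params.toString()}`;
}

// Step 2: the provider redirects the browser back to redirect_uri with the
// token in the URL fragment (after '#'). Browsers do not send the fragment to
// the server, so the token is only ever visible to script running in the page.
// This parses that fragment and verifies it belongs to the request we made.
function parseRedirectFragment(redirectUrl, expectedState) {
  const hashIndex = redirectUrl.indexOf('#');
  if (hashIndex === -1) {
    return { ok: false, error: 'no fragment in redirect URL' };
  }
  const params = new URLSearchParams(redirectUrl.slice(hashIndex + 1));

  // Reject any response whose state does not match the value this client
  // generated before redirecting; otherwise an unrelated token could be injected.
  if (params.get('state') !== expectedState) {
    return { ok: false, error: 'state mismatch' };
  }
  // The provider signals a denied or malformed request with an error parameter.
  if (params.get('error')) {
    return { ok: false, error: params.get('error') };
  }
  const accessToken = params.get('access_token');
  const tokenType = params.get('token_type');
  if (!accessToken || !tokenType || tokenType.toLowerCase() !== 'bearer') {
    return { ok: false, error: 'missing access_token or unsupported token_type' };
  }
  // expires_in is optional; when present it is a lifetime in seconds, which is
  // what makes this flow suitable only for temporary access.
  const expiresIn = params.has('expires_in') ? Number(params.get('expires_in')) : null;
  return { ok: true, accessToken, tokenType, expiresIn, scope: params.get('scope') };
}

// Constructed sample redirect so the file runs stand-alone.
const SAMPLE_STATE = 'constructed-state-7f3a';
const SAMPLE_REDIRECT =
  REDIRECT_URI +
  '#access_token=constructed-token-123&token_type=Bearer&expires_in=3600&state=' +
  SAMPLE_STATE;

console.log(buildAuthorizationUrl('profile', SAMPLE_STATE));
console.log(parseRedirectFragment(SAMPLE_REDIRECT, SAMPLE_STATE));
console.log(parseRedirectFragment(SAMPLE_REDIRECT, 'some-other-state'));
```

In a real page the `state` value would be generated randomly before the redirect and stored in session storage, and `parseRedirectFragment` would be fed `window.location.href` on the callback page; the fragment should then be cleared from the address bar so the token does not linger in history.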

When Should the Implicit Grant Flow Be Used?

The Implicit Grant flow should be used when

  • Only temporary access to data is required.

  • The user is regularly logged into the API provider.

  • The OAuth client is running in the browser (using JavaScript, Flash, etc.).

  • The browser is strongly trusted and there is limited concern that the access token will leak to untrusted users or applications.
