Chapter 3. Client-Side Web Applications Flow

The Implicit Grant flow for browser-based client-side web applications is very simple. In this flow, an access token is immediately returned to the application after a user grants the requested authorization. An intermediate authorization code is not required as it is in the server-side Web Application flow (see Chapter 2).

Figure 3-1 shows a step-by-step flow diagram, based on a diagram from the specification.

Figure 3-1. Client-Side Web Applications flow: Step-by-step

When Should the Implicit Grant Flow Be Used?

The Implicit Grant flow should be used when

  • Only temporary access to data is required.

  • The user is regularly logged into the API provider.

  • The OAuth client is running in the browser (using JavaScript, Flash, etc.).

  • The browser is strongly trusted and there is limited concern that the access token will leak to untrusted users or applications.

Limitations of the Implicit Grant Flow

The Implicit Grant flow does not accommodate refresh tokens. If the authorization server expires access tokens regularly, your application will need to run through the authorization flow again whenever it needs a fresh token.

Some API providers, such as Google, will not reprompt the user for access if the user remains logged in and has approved the required scopes previously. The application can do this “refresh” process in the background as an iframe without any impact on the ...
