The Implicit Grant flow for browser-based client-side web applications is very simple. In this flow, an access token is immediately returned to the application after a user grants the requested authorization. An intermediate authorization code is not required as it is in the server-side Web Application flow (see Chapter 2).
Figure 3-1 shows a step-by-step flow diagram, based on a diagram from the specification.
The Implicit Grant flow should be used when
Only temporary access to data is required.
The user is regularly logged into the API provider.
The browser is strongly trusted and there is limited concern that the access token will leak to untrusted users or applications.
The Implicit Grant flow does not accommodate refresh tokens. If the Authorization server expires access tokens regularly, your application will need to run through the authorization flow whenever it needs access.
Some API providers, such as Google, will not reprompt the user for access if the user remains logged in and has approved the required scopes previously. The application can do this “refresh” process in the background as an iframe without any impact on the ...