OAuth - Implicit Grant and flow



The implicit grant is a grant type (flow) that issues an access token directly. It does not support the issuance of refresh tokens.

This grant type is called implicit because no intermediate credentials (such as an authorization code) are issued.

It is an indirect, redirection-based flow that is optimized for public clients implemented in a browser using a scripting language such as JavaScript.

The implicit grant type does not include client authentication, and relies on:

Pros and Cons

Implicit grants improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token. However, this convenience should be weighed against the security implications of using implicit grants, such as those described in Sections 10.3 and 10.16, especially when the authorization code grant type is available.

Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing on the same device.

In other words, sending the access token in the URL can be a security vulnerability: for example, the token could leak through web server logs or browser history.
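As an added example (not code from the original page), a browser-side handler for the implicit grant response described above: it reads the access token from the fragment of the redirection URI, checks the state value the client generated before redirecting, and then removes the fragment from the URL so the token does not stay in the browser history. The `oauth_state` storage key, the sample values and the `handleRedirect` helper are assumptions.

```javascript
// The authorization server appends the implicit-grant response to the
// redirection URI as a fragment, e.g.
//   https://client.example/cb#access_token=...&token_type=Bearer&expires_in=3600&state=...
// The parameter names (access_token, token_type, expires_in, state, error)
// are the ones the OAuth 2.0 implicit grant response uses.

// Parse the fragment and compare "state" with the value this client stored
// before redirecting; a mismatch means the response was not initiated here.
function parseImplicitResponse(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  const accessToken = params.get("access_token");
  const tokenType = params.get("token_type");
  if (!accessToken || !tokenType) {
    throw new Error("malformed response: access_token and token_type are required");
  }
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: discarding the token");
  }
  const expiresIn = params.has("expires_in") ? Number(params.get("expires_in")) : null;
  return { accessToken, tokenType, expiresIn };
}

// Because the token sits in the URL, strip the fragment as soon as the token
// has been read, so it is not kept in history or copied along with the URL.
function scrubFragmentFromUrl(url) {
  return url.split("#")[0];
}

// Hypothetical glue for a real page: "win" is the browser window object.
function handleRedirect(win) {
  const expected = win.sessionStorage.getItem("oauth_state"); // assumed key
  win.sessionStorage.removeItem("oauth_state");               // single use
  const token = parseImplicitResponse(win.location.hash, expected);
  win.history.replaceState(null, "", scrubFragmentFromUrl(win.location.href));
  return token;
}

// Constructed sample fragment, as the browser would see it after the redirect.
const sampleHash =
  "#access_token=SAMPLE_TOKEN_1234&token_type=Bearer&expires_in=3600&state=xyz";
```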

Documentation / Reference
