OAuth2: the Implicit Flow, aka the Client-Side Flow
The Implicit Flow (some call it the Implicit Grant Flow) gets its name from the fact that the access token is returned to the client application directly, without an intermediate authorization code being issued and exchanged first. That makes the whole flow simple, but also less secure. Because the client application, typically JavaScript running in a browser, is less trusted, no refresh tokens for long-lived access are returned. Use this flow for client-side web applications (JavaScript clients) that need temporary access (a few hours) to the user's data. Returning an access token to a JavaScript client also means that the browser-based application must take special care: an XSS (Cross-Site Scripting) attack could leak the access token to other systems.
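To make the flow concrete, here is an added example (not code from the original post) of the client-side half: the authorization server redirects the browser to the client's redirect URI with the access token in the URL fragment (RFC 6749, section 4.2), and the JavaScript client has to validate what it receives before using it. The callback URL, token value, host and `state` value are constructed for illustration; the code runs in Node as well as a browser because it only uses `URL` and `URLSearchParams`.

```javascript
// Added example: handling an OAuth2 Implicit Flow callback on the client side.
// The token travels in the fragment (after '#'), which the browser never sends
// to the web server hosting the redirect page.

// Constructed sample callback URL; host, token and state are illustrative values.
const SAMPLE_CALLBACK =
  "https://app.example.com/callback" +
  "#access_token=EXAMPLE_TOKEN&token_type=bearer&expires_in=3600&state=nonce-42";

// What actually reaches app.example.com in the HTTP request: everything before '#'.
function serverVisibleUrl(callbackUrl) {
  const url = new URL(callbackUrl);
  url.hash = "";
  return url.href;
}

// Parse and validate the fragment. `expectedState` is the random value the client
// generated before redirecting to the authorization endpoint (CSRF protection).
// `now` is injectable so the expiry timestamp can be computed deterministically.
function parseImplicitCallback(callbackUrl, expectedState, now = Date.now()) {
  const url = new URL(callbackUrl);
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));

  if (params.has("error")) {
    throw new Error(`authorization failed: ${params.get("error")}`);
  }
  // Reject responses that do not echo the state we sent (or carry none at all).
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: possible CSRF or replayed callback");
  }
  const accessToken = params.get("access_token");
  const tokenType = (params.get("token_type") || "").toLowerCase();
  if (!accessToken || tokenType !== "bearer") {
    throw new Error("fragment did not contain a bearer access token");
  }
  // The Implicit Flow never issues a refresh token; treat one as a protocol violation.
  if (params.has("refresh_token")) {
    throw new Error("unexpected refresh_token in implicit response");
  }
  const expiresIn = Number(params.get("expires_in"));
  const expiresAt =
    Number.isFinite(expiresIn) && expiresIn > 0 ? now + expiresIn * 1000 : null;
  // Keep the token in memory only; persisting it (e.g. localStorage) widens what
  // an XSS payload on this origin can steal.
  return { accessToken, tokenType, expiresAt };
}
```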