The OAuth2 Implicit Grant flow is a simplified version of the Authorization Code Grant. The flow also implies the use of a user agent, and usually the implicit grant is used for public applications/clients, i.e. applications which cannot be trusted with a client secret.
Important: The Implicit Grant is considered deprecated by the IETF; it is recommended against implementing new applications using this flow, even though there are no new threats known against it. The Authorization Code Grant with the PKCE Extension is the recommended way. Wicked also supports this, but will keep the Implicit Grant for backwards compatibility.
Typical examples of such applications can be single page applications which do not have a server part but only uses stateless APIs to communicate with some backend.
In a short overview, the flow works like this:
#
hash).
Fragments are not passed on to the backend service (which can be a static web server) but is only kept
client side.The calling application must redirect to the correct Authorization Server /authorize
end point.
The URL of this endpoint depends on the authentication method, and on the API. The URL is displayed
for each supported Authentication Method at the top of each API page.
https://api.fs-nge-int.haufe.io/auth/(auth method id)/api/(api id)/authorize?client_id=(your client id)&redirect_uri=(redirect URI of your application)&response_type=token&scope=(space separated list of scopes)
All parameteters except the scope (depending on the API) are mandatory. The correct URL for valid combinations of API and Authentication Method can be seen on the API page.
Note the use of response_type=token
, as opposed to response_type=code
for the Authorization Code Grant.
The Authorization Server will now verify the user's identity, and also check whether the application is either implicitly (because it is a trusted application/subscription), or explicitly allowed to access the API on behalf of the user. In case the user has not yet consented to the application accessing the API on behalf of the user, wicked will ask the user to grant access to the application, so that it can access the API on behalf of the user.
If the end user's identity can be verified, and the client ID and redirect URI are correct, the Authorization Server will immediately create an access token which is passed back to the calling application in a redirect of the user agent:
https://app.yourcompany.com/#access_token=(access token)&expires_in=3600&token_type=bearer
Note that this flow does not give the application a refresh token back. The token expiration depends on the API configuration and can vary between APIs.
With the returned access token, you may now access the API using the token as a bearer token:
curl -H 'Authorization: Bearer (access token)' https://api.fs-nge-int.haufe.io/(api endpoint)
The actual API endpoint is also displayed on the API's page.
As already described, the implicit grant does not return a refresh token to the calling application. It is still possible to renew the access token under certain circumstances:
iframe
sBy calling the same authorization end point again, but with an additional parameter &prompt=none
,
the Authorization Server will try to perform a headless authorization for the client application, and immediately
return a new access token via 302
redirect:
https://api.fs-nge-int.haufe.io/auth/(auth method id)/api/(api id)/authorize?client_id=(your client id)&redirect_uri=(redirect URI of your application)&response_type=token&scope=(space separated list of scopes)&prompt=none
By letting this run in a hidden iframe
, the renewal of the access token can be done without the end
user actually noticing.