If you are building a Single-Page Application (SPA) that runs in older browsers that don't support Web Crypto for PKCE, then the Implicit flow is the recommended method for controlling access between your SPA and a resource server. The Implicit flow is intended for applications where the confidentiality of the client secret can't be guaranteed. In this flow, the client doesn't make a request to the /token endpoint, but instead receives the access token directly from the /authorize endpoint. The client must be capable of interacting with the resource owner's user agent and capable of receiving incoming requests (through redirection) from the authorization server.
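The two client-side pieces the paragraph describes, building the /authorize request with response_type=token and then reading the access token out of the redirect fragment, as an added example. This is not Okta's own code or SDK; the issuer URL, client ID, redirect URI and function names are constructed for the illustration. It uses the WHATWG URL and URLSearchParams APIs, which exist in both browsers and Node, so it runs stand-alone outside a browser:

```javascript
// Added example, not Okta's own code: the SPA side of the Implicit flow,
// (1) building the /authorize request and (2) validating the token that the
// authorization server returns in the fragment of the redirect. ISSUER,
// CLIENT_ID, REDIRECT_URI and the function names are constructed placeholders.

const ISSUER = "https://authz.example.invalid/oauth2/default"; // constructed placeholder
const CLIENT_ID = "client-id-placeholder";                      // constructed placeholder
const REDIRECT_URI = "https://spa.example.invalid/callback";   // constructed placeholder

// Build the /authorize URL. response_type=token asks the authorization server
// to place the access token directly in the fragment of the redirect back to
// REDIRECT_URI; no /token request follows. `state` must be an unguessable
// value the SPA stored before redirecting (in a browser, derive it from
// crypto.getRandomValues) so the response can later be tied to this request.
function buildAuthorizeUrl({ state, scope = "openid" }) {
  if (!state) throw new Error("state is required");
  const url = new URL(`${ISSUER}/v1/authorize`);
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  return url.toString();
}

// Parse the fragment of the redirect URL (window.location.hash in a browser).
// The token travels in the fragment rather than the query string so the
// browser does not send it to the server hosting the SPA. The response is
// rejected unless the returned state equals the one stored before redirecting.
function parseFragmentResponse(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));

  // The authorization server reports failures in the same fragment.
  if (params.has("error")) {
    const detail = params.get("error_description") || "";
    throw new Error(`authorization error: ${params.get("error")}: ${detail}`);
  }

  // state binds this response to the request this SPA actually made; a
  // mismatch means the fragment was not produced for this session.
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: discarding token response");
  }

  const accessToken = params.get("access_token");
  const tokenType = params.get("token_type");
  if (!accessToken || !tokenType || tokenType.toLowerCase() !== "bearer") {
    throw new Error("missing access_token or unsupported token_type");
  }

  const expiresIn = params.has("expires_in")
    ? Number.parseInt(params.get("expires_in"), 10)
    : null;
  return { accessToken, tokenType, expiresIn, scope: params.get("scope") };
}

// Stand-alone run over a constructed redirect fragment.
if (typeof module !== "undefined" && require.main === module) {
  const state = "c7f1e0d2-constructed-state";
  console.log(buildAuthorizeUrl({ state, scope: "openid profile" }));
  const sample =
    "#access_token=eyJhbGciOi.constructed.token&token_type=Bearer&expires_in=3600&state=" + state;
  console.log(parseFragmentResponse(sample, state));
}
```

In a real SPA the stored state is kept in sessionStorage before the redirect and compared on return, and once the token has been read the fragment should be cleared from the address bar (for example with history.replaceState) so the token does not linger in browser history or get copied along with the URL.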
Note: For SPAs running in modern browsers that support Web Crypto for PKCE, we recommend using the Authorization Code Flow with PKCE instead for maximum security.
At a high level, the Implicit flow has the following steps:
For more information on the Implicit flow, see our OAuth 2.0 overview.