OAuth Implicit Requests and Responses
What are implicit requests and responses in OAuth 2.0?
- The implicit grant type is used to obtain access tokens and is optimized for public clients known to operate a particular redirection URI.
- The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI.
- The implicit grant consists of only one request and one response.
Implicit Grant Request
- Unlike the authorization code grant, in which the client makes separate requests for authorization and for an access token, in the implicit grant the client receives the access token as the result of the authorization request.
- Clients that use the implicit grant are typically implemented in a browser using a scripting language such as JavaScript.
- The implicit grant request contains the following parameters:
Parameters | Description |
---|---|
response_type | Required. Must be set to token. |
client_id | Required. The client identifier as assigned by the authorization server, when the client was registered. |
redirect_uri | Optional. The redirect URI registered by the client. |
scope | Optional. The possible scope of the request. |
state | Optional (recommended). Any client state that needs to be passed on to the client request URI. |
Implicit Grant Response
- The implicit grant response is similar to the authorization code grant with two distinct differences.
- The implicit grant is an OAuth 2.0 flow that client-side apps use to access an API.
- The implicit grant response contains the following parameters:
Parameters | Description |
---|---|
access_token | Required. The access token assigned by the authorization server. |
token_type | Required. The type of the token. |
expires_in | Recommended. A number of seconds after which the access token expires. |
scope | Optional. The scope of the access token. |
state | Required, if present in the authorization request. Must be the same value as the state parameter in the request. |
Implicit Grant Error Response
- If an error occurs during authorization, two situations can occur.
- The first is that the client is not authenticated or is not recognized.
- The authorization server must not redirect the resource owner to the redirect URI.
- It should inform the resource owner of the error.
- The second situation is that the client is okay, but some other error has occurred.
- If that is the case, the following error response is sent to the client, included in the redirect URI:
Parameters | Description |
---|---|
error | Required. Must be one of a set of predefined error codes. See the specification for the codes and their meaning. |
error_description | Optional. A human-readable UTF-8 encoded text describing the error. Intended for a developer, not an end user. |
error_uri | Optional. A URI pointing to a human-readable web page with information about the error. |
state | Required, if present in authorization request. The same value as sent in the state parameter in the request. |
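As an added example (not part of the original tutorial), the JavaScript below builds the implicit grant request and validates the redirect the client receives, applying the Required rules from the response and error response tables above. The endpoint, client_id, redirect URI and token values are constructed placeholders; per RFC 6749 the response parameters arrive in the fragment of the redirect URI.

```javascript
// Added example. All values below are constructed placeholders (assumptions).
const AUTHZ_ENDPOINT = "https://as.example/authorize"; // assumed authorization endpoint
const CLIENT_ID = "example-client";                    // assumed registered client_id
const REDIRECT_URI = "https://app.example/callback";   // assumed registered redirect URI

// Build the single implicit grant request from the request parameter table.
// `state` should be a fresh, unguessable value the client stores per request.
function buildAuthorizationUrl(state, scope) {
  const url = new URL(AUTHZ_ENDPOINT);
  url.searchParams.set("response_type", "token"); // required, fixed value
  url.searchParams.set("client_id", CLIENT_ID);   // required
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  if (scope) url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);           // optional, recommended
  return url.toString();
}

// Validate the redirect the client receives (success or error response).
function parseImplicitResponse(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  if (url.origin + url.pathname !== REDIRECT_URI) {
    return { ok: false, reason: "unexpected redirect URI" };
  }
  const p = new URLSearchParams(url.hash.slice(1)); // parameters live in the fragment
  // state was sent in the request, so it is required in both response kinds;
  // check it before trusting anything else in the fragment.
  if (p.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  if (p.has("error")) {
    return { ok: false, reason: "authorization error", error: p.get("error"),
             description: p.get("error_description"), uri: p.get("error_uri") };
  }
  const accessToken = p.get("access_token");
  const tokenType = p.get("token_type");
  if (!accessToken || !tokenType) {
    return { ok: false, reason: "missing required parameter" };
  }
  // expires_in is only recommended, so it may be absent; reject malformed values.
  const expiresIn = p.has("expires_in") ? Number(p.get("expires_in")) : null;
  if (expiresIn !== null && !(Number.isInteger(expiresIn) && expiresIn > 0)) {
    return { ok: false, reason: "invalid expires_in" };
  }
  return { ok: true, accessToken, tokenType, expiresIn, scope: p.get("scope") };
}
```

In a browser the client would call `parseImplicitResponse(window.location.href, storedState)` on the callback page and then clear the fragment so the token does not stay in the address bar or history.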