Implicit Flow (EN)

Concept

OAuth 2.0 flow for single-page applications with direct token return

Definition

The Implicit Flow is an OAuth 2.0 flow designed specifically for single-page applications. Unlike the Authorization Code Flow, it returns the access token directly in the redirect, without first exchanging an authorization code. However, this flow poses security risks and should be avoided for web applications, as it does not require token signatures.

Data Flow

sequenceDiagram
  participant User
  participant Client
  participant Authorization Server
  participant Resource Server
  User->>Client: Access to protected resource
  Client->>Authorization Server: Request with response_type=token
  Authorization Server->>User: Login & Consent
  User->>Authorization Server: Confirmation
  Authorization Server->>Client: Redirect with #access_token in fragment
  Client->>Resource Server: Request with Access Token
  Resource Server->>Client: Protected Data
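The client side of the exchange above, as an added example that is not part of the original page: it builds the response_type=token request (step 2), parses the access token out of the redirect fragment (step 5) while binding the response to the request with a state value, and prepares the Bearer header for the Resource Server (step 6). The authorization endpoint, client_id and redirect_uri are constructed placeholders; the state value is assumed to be generated randomly per request and kept by the client.

```javascript
// Added example, not code from the original page. Endpoint, client_id and
// redirect_uri are constructed placeholders, not real values.
const AUTHORIZE_ENDPOINT = "https://auth.example/authorize"; // assumption
const CLIENT_ID = "spa-client";                               // assumption
const REDIRECT_URI = "https://app.example/callback";          // assumption

// Step 2: the client sends the user to the Authorization Server with
// response_type=token. `state` is a per-request random value the client keeps
// (e.g. in sessionStorage) so it can tie the redirect back to this request.
function buildAuthorizationUrl(state, scope = "openid profile") {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  return url.toString();
}

// Step 5: the Authorization Server redirects back with the token in the URL
// fragment (#access_token=...). The fragment is not sent to the server, but it
// is readable by any script on the page and lands in browser history, which is
// the exposure that makes this flow risky.
function parseRedirectFragment(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));

  if (params.has("error")) {
    return { ok: false, reason: params.get("error") };
  }
  // Reject a response that is not bound to a request this client started
  // (a redirect someone else initiated, or a replayed fragment).
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  const accessToken = params.get("access_token");
  const tokenType = params.get("token_type");
  if (!accessToken || !tokenType || tokenType.toLowerCase() !== "bearer") {
    return { ok: false, reason: "invalid_token_response" };
  }
  // expires_in is optional; Number(null) is 0, so a missing value yields undefined.
  const expiresIn = Number(params.get("expires_in"));
  return {
    ok: true,
    accessToken,
    expiresAt: Number.isFinite(expiresIn) && expiresIn > 0
      ? Date.now() + expiresIn * 1000
      : undefined,
  };
}

// Step 6: the token is presented to the Resource Server as a Bearer header.
function buildResourceRequestHeaders(accessToken) {
  return { Authorization: `Bearer ${accessToken}` };
}
```

In a real SPA the client should clear the fragment from the address bar immediately after reading it (for example with history.replaceState) so the token does not persist in history; that call is browser-only and is left out here so the block runs stand-alone.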

In Context

  • Typically used with single-page applications (SPA)
  • Related to: Authorization Code Flow, Client Credentials Flow
  • Example use: JavaScript applications that do not require server-side state management
Source: AI Generated