OAuth 2.0 Implicit Flow
The Implicit Flow is a simplified version of the Authorization Code flow. Instead of exchanging an authorization code for an access token, the access token is returned directly upon user authentication.
This flow is recommended for:
- Single-Page Applications (SPAs) running in environments where the confidentiality of a client secret cannot be guaranteed (e.g., public browsers).
- Older browsers without support for Web Crypto (and PKCE).
Key Features:
- Does not support refresh tokens, as it is designed for less-trusted clients.
- Directly issues an access token for immediate use.
Implementation Steps
Step 1: Obtain Authorization (Open Login Dialog)
To initiate the Implicit Flow, redirect the user to the authorization endpoint.
API Endpoint:
https://<siteurl>/service/oauth/{OauthAppName}/authorize?client_id={OAuth Client ID}&redirect_uri={Callback URL}&scope={Scope}&response_type=token&state={random long string}
- API Method: GET
Query Parameters:
| Parameter | Requirement | Description |
|---|---|---|
| `client_id` | Required | OAuth Client ID. |
| `redirect_uri` | Required | Callback URL to which users are redirected after authentication (e.g., `https://example.com/callback`). |
| `scope` | Optional | Scopes defining the access permissions requested (e.g., `openid`). |
| `state` | Optional | A random string returned unchanged in the response so the client can maintain state across the redirect. |
| `response_type` | Required | Must be `token` or `code,token`, depending on the desired response. |
Response Structures:
- If `response_type=token`: upon successful authentication, the user is redirected to your callback URL with the following:
  YOUR_CALLBACK_URI?token={LoginRadius access token}&state={state}
- If `response_type=code,token`: the response includes both an authorization code and an access token:
  YOUR_CALLBACK_URI?code={authorization code}&token={LoginRadius access token}&state={state}
Example Authorization Request:
GET https://<siteurl>/service/oauth/{OauthAppName}/authorize
?client_id=your_client_id
&redirect_uri=https://your_callback_url
&response_type=token
&scope=openid
&state=random_string
Notes:
- Ensure the `redirect_uri` is whitelisted in your LoginRadius Admin Console.
- To explore additional query parameters supported by LoginRadius, refer here.
Step 2: Use the Access Token
Once you receive the `access_token`, use it with LoginRadius APIs that support access tokens.
Summary
The Implicit Flow simplifies the OAuth 2.0 process by directly providing an access token after user authentication.
- Suitable for public-facing applications (e.g., SPAs or mobile apps).
- Does not require a client secret, making it ideal for less-trusted environments.
By following these steps, you’ve successfully implemented the Implicit Flow for your application.