
Implicit Flow

The Implicit Flow in OpenID Connect (OIDC) is designed for client-side applications, such as single-page applications (SPAs), where tokens are returned directly via the redirect URI. This flow eliminates the need for a client secret, simplifying authentication for browser-based apps. However, it is less secure than other flows: refresh tokens are not supported, and access tokens have a short lifespan. While it provides a straightforward authentication mechanism, it should be used cautiously, especially for applications that require long-term user sessions. More secure alternatives, such as the Authorization Code Flow with PKCE, are now recommended.

Key Characteristics

  • Tokens are returned directly to the user agent via the redirect URI.
  • No backend server is required for token exchange.
  • Limited to short-lived sessions due to security concerns.

Steps to Implement Implicit Flow

  1. Initiate Authorization Request: Redirect the user to the authorization endpoint:
https://<siteurl>/service/oidc/{OIDCAppName}/authorize?client_id={OIDC Client ID}&redirect_uri={Callback URL}&scope=openid&response_type={response_type}&state={random string}&nonce={unique nonce}
  • Query Parameters:
    • client_id: OIDC client ID.
    • redirect_uri: The URL to which users are redirected after login.
    • response_type: Can be token, id_token, or token id_token.
    • state: A random string to prevent CSRF attacks.
    • scope: Must include openid, with additional scopes as needed.
    • nonce: A unique value for replay protection.
  2. Receive Tokens: Depending on the response_type, the tokens are returned in the redirect URI:
    • response_type=token:
REDIRECT_URI?token={access_token}&state={state}
    • response_type=id_token:
REDIRECT_URI?id_token={JWT token}&state={state}
    • response_type=token id_token:
REDIRECT_URI?token={access_token}&id_token={JWT token}&state={state}

The Implicit Flow in OIDC provides a simple, direct way to authenticate users for public clients. While it is easier to implement, its lack of support for refresh tokens and its security concerns make it less suitable for long-term sessions. Consider using other flows, such as the Authorization Code Flow with PKCE, for more secure and scalable authentication.