Implicit Grant

The oauth_implicit_grant feature implements the Implicit grant flow (RFC 6749, section 4.2). WARNING: its usage is not recommended. The grant delivers the access token straight to the browser in the redirect URI, which exposes it to browser history, Referer leakage and any script running on the page, and it offers no way to authenticate the client.

Who is it for

Browser-based applications which need to receive access tokens directly in the frontend and accept the security implications of doing so. For most such clients the authorization code grant combined with PKCE is the preferred alternative.

How to enable it

plugin :rodauth do
  enable :oauth_implicit_grant
end

Authorization form

GET /authorize

In order to use the implicit grant flow, set one parameter of the Authorization form URL differently from the authorization code flow:

  • response_type: must be set to token;

Example: https://oauth-server.com/authorize?client_id=23uhu23d89u3298du21j38q&redirect_uri=https%3A%2F%2Fclient.com%2Fcallback&scope=bricks.build+bricks.destroy&state=23r0rif3j0923j&response_type=token

POST /authorize

The response to a successful authorization request redirects to the redirect URI. As the spec requires, the token data is passed in the URI fragment rather than the query string, so the browser never sends it to the server hosting the redirect URI; the frontend script has to read it from the fragment (window.location.hash) itself:

Example: https://client.com/callback#access_token=23f3d4f2dw432df3232ef&expires_in=3600&token_type=bearer&state=23r0rif3j0923j

No refresh token is issued alongside the access token (the implicit grant never issues one), so once expires_in seconds have passed the client has to send the user through the authorization form again. The client must also check that the returned state matches the one it sent before it uses the token.
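The client side of the two steps above (building the authorization URL with response_type=token, then reading the token out of the callback fragment and checking state), as an added example; this is not code from rodauth-oauth or from this page, it assumes the hypothetical AUTHORIZE_ENDPOINT constant and helper names build_authorize_url, parse_callback and secure_compare, and reuses the page's example client_id, state and token values as constructed sample input.

```ruby
require "uri"

# Assumed endpoint, matching the page's example authorization server.
AUTHORIZE_ENDPOINT = "https://oauth-server.com/authorize"

# Build the authorization URL for the implicit grant. It is the same URL
# the authorization code flow uses, except that response_type is "token".
# The caller generates a random `state` and keeps it to check the callback.
def build_authorize_url(client_id:, redirect_uri:, scope:, state:)
  params = {
    "client_id"     => client_id,
    "redirect_uri"  => redirect_uri,
    "scope"         => scope.join(" "),
    "state"         => state,
    "response_type" => "token",
  }
  uri = URI(AUTHORIZE_ENDPOINT)
  uri.query = URI.encode_www_form(params) # spaces become "+", "/" becomes %2F
  uri.to_s
end

# Constant-time string comparison for the state check (Rack::Utils.secure_compare
# does the same when Rack is available).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parse the redirect the authorization server sent the browser to. The token
# data is in the fragment, which the browser never transmits to the server,
# so in a real app this runs in the frontend over window.location.hash.
# Returns a hash with the token data, or raises if the callback is not one
# we can trust: wrong/missing state (CSRF or a mixed-up response), an error
# response, an unexpected token type, or a token leaked into the query string.
def parse_callback(callback_url, expected_state:)
  uri = URI(callback_url)

  query = uri.query ? URI.decode_www_form(uri.query).to_h : {}
  raise ArgumentError, "access_token must be in the fragment, not the query" if query.key?("access_token")
  raise ArgumentError, "callback has no fragment" if uri.fragment.nil? || uri.fragment.empty?

  data = URI.decode_www_form(uri.fragment).to_h
  raise ArgumentError, "authorization failed: #{data["error"]}" if data["error"]

  # Check state before touching anything else, so an attacker cannot make the
  # client bind a token they obtained to the victim's session.
  unless data["state"] && secure_compare(data["state"], expected_state)
    raise ArgumentError, "state mismatch"
  end
  raise ArgumentError, "missing access_token" unless data["access_token"]
  unless data["token_type"].to_s.casecmp?("bearer")
    raise ArgumentError, "unexpected token_type #{data["token_type"].inspect}"
  end

  {
    access_token: data["access_token"],
    expires_in:   Integer(data["expires_in"]), # no refresh token: re-authorize after this
    scope:        data["scope"]&.split(" "),   # only present when the server narrowed it
  }
end
```

Because no refresh token arrives, the frontend should record Time.now + expires_in alongside the token and send the user back through build_authorize_url when that moment passes; it should also clear the fragment from the address bar once the token has been read, so it does not linger in history.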

Again, consider the security implications before enabling this feature.
