The oauth_implicit_grant feature implements the Implicit grant flow. WARNING: its usage is not recommended.
It exists for applications which need to expose access tokens directly to the frontend, despite the security implications: the token is handed over in the redirect URI fragment, where browser history, scripts on the page and browser extensions can read it, and the client is never authenticated. The OAuth 2.0 Security Best Current Practice recommends the authorization code grant (with PKCE) for such applications instead.
plugin :rodauth do
enable :oauth_implicit_grant
end
With the feature enabled, a client requests the implicit grant by changing one parameter of the authorization URL:

response_type: must be set to token

Example: https://oauth-server.com/authorize?client_id=23uhu23d89u3298du21j38q&redirect_uri=https%3A%2F%2Fclient.com%2Fcallback&scope=bricks.build+bricks.destroy&state=23r0rif3j0923j&response_type=token
A successful authorization request redirects to the redirect URI; as the spec requires, all the token data is passed in the URI fragment rather than in the query string, so only the browser sees it (a fragment is never sent to the client's server):
Example: https://client.com/callback#access_token=23f3d4f2dw432df3232ef&expires_in=3600&token_type=bearer&state=23r0rif3j0923j
No refresh token is issued alongside the access token; once it expires, the client has to repeat the authorization request.
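The client side of the exchange above, as an added example that is not part of rodauth-oauth or of this page: it builds the authorization URL with a fresh state value and then parses the callback, insisting that the token data arrives in the fragment and that the state matches before the access token is accepted. The endpoint, client_id, redirect_uri and scopes are the placeholder values from the page's example URLs, and ImplicitGrantError, build_authorize_url and parse_callback are names chosen here.

```ruby
require "securerandom"
require "uri"
require "cgi"

# Placeholder values taken from the page's example URLs (assumptions, not real
# identifiers); replace them with your own client registration.
AUTHORIZE_ENDPOINT = "https://oauth-server.com/authorize"
CLIENT_ID          = "23uhu23d89u3298du21j38q"
REDIRECT_URI       = "https://client.com/callback"
SCOPES             = %w[bricks.build bricks.destroy]

class ImplicitGrantError < StandardError; end

# Builds the authorization request. The only difference from the authorization
# code grant is response_type=token. The state value is a fresh random nonce the
# client must remember (e.g. in its session) and compare on the way back;
# without it the callback is open to CSRF and token injection.
def build_authorize_url(state: SecureRandom.urlsafe_base64(16))
  params = {
    "client_id"     => CLIENT_ID,
    "redirect_uri"  => REDIRECT_URI,
    "scope"         => SCOPES.join(" "),
    "state"         => state,
    "response_type" => "token"
  }
  uri = URI(AUTHORIZE_ENDPOINT)
  uri.query = URI.encode_www_form(params)
  [uri.to_s, state]
end

# Constant-time string comparison so the state check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parses the redirect the authorization server sends back. The token data lives
# in the fragment (#...), never in the query string: an HTTP server receiving the
# callback sees none of it, only a script on the page can read it. Returns the
# token fields, or raises ImplicitGrantError when the response must be rejected.
def parse_callback(callback_url, expected_state:)
  uri = URI(callback_url)

  base = uri.dup
  base.query = nil
  base.fragment = nil
  raise ImplicitGrantError, "redirect_uri mismatch" unless base.to_s == REDIRECT_URI

  # A token in the query string means something other than the implicit grant
  # produced this URL; refuse it rather than silently accept a leaked token.
  if uri.query && CGI.parse(uri.query).key?("access_token")
    raise ImplicitGrantError, "token data must be in the fragment, not the query"
  end
  raise ImplicitGrantError, "no fragment in callback" if uri.fragment.nil?

  fields = URI.decode_www_form(uri.fragment).to_h

  # Check state before anything else: a mismatch means this response was not
  # triggered by a request this client made, whatever else it carries.
  unless fields["state"] && secure_compare(fields["state"], expected_state)
    raise ImplicitGrantError, "state mismatch"
  end
  # The server reports failures in the fragment too (error=...&error_description=...).
  raise ImplicitGrantError, "authorization failed: #{fields["error"]}" if fields.key?("error")
  raise ImplicitGrantError, "missing access_token" unless fields["access_token"]
  raise ImplicitGrantError, "unexpected token_type" unless fields["token_type"].to_s.casecmp?("bearer")

  {
    access_token: fields["access_token"],
    token_type:   fields["token_type"],
    expires_in:   Integer(fields.fetch("expires_in", "0"))
    # No refresh_token: the implicit grant never issues one, so once expires_in
    # has elapsed the client has to build a new authorization URL.
  }
end

if __FILE__ == $PROGRAM_NAME
  url, state = build_authorize_url
  puts "send the browser to: #{url}"
  # Constructed callback, as the server would redirect to after consent:
  callback = "#{REDIRECT_URI}#access_token=23f3d4f2dw432df3232ef&expires_in=3600&token_type=bearer&state=#{state}"
  p parse_callback(callback, expected_state: state)
end
```

Because the token is in the fragment, the parsing in a real deployment happens in the browser (reading window.location.hash) rather than on the server; the same checks apply there, and the state must be compared against the value stored when the authorization URL was built.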
Again, consider the security implications before enabling this feature.