
What is implicit grant in OAuth?
Implicit Grant is an OAuth 2.0 flow that is used to grant an access token to integrations that are not able to store sensitive data on a secure server, such as those that are native to mobile devices. In the Implicit Grant flow, your integration requests an access token directly.
What is implicit grant flow in Microsoft identity platform?
The Microsoft identity platform supports the OAuth 2.0 Implicit Grant flow as described in the OAuth 2.0 Specification. The defining characteristic of the implicit grant is that tokens (ID tokens or access tokens) are returned directly from the /authorize endpoint instead of the /token endpoint.
What are the disadvantages of the implicit grant type?
The main downside to the Implicit grant type is that the access token is returned in the URL directly, rather than being returned via a trusted back channel like in the Authorization Code flow.
Can I use implicit grant flow without a custom certificate?
Using implicit grant flow without a custom certificate will eventually not be supported. OAuth 2.0 implicit grant flow supports endpoints that a client can call to get an ID token. Two endpoints are used for this purpose: authorize and token. The URL for the authorize endpoint is: <portal_url>/_services/auth/authorize.

What is implicit grant type?
The Implicit Grant Type is a way for a single-page JavaScript app to get an access token without an intermediate code exchange step. It was originally created for use by JavaScript apps (which don’t have a way to safely store secrets) but is only recommended in specific situations.
Why use implicit flow?
The one remaining reason to use the Implicit flow is if the authorization server doesn’t or can’t support cross-origin requests (CORS). The Authorization Code grant requires that the JavaScript app make a POST request to the authorization server, so the authorization server will need to support the appropriate CORS headers in order to allow the browser to make that request. This is a relatively easy change to make if you’re building your own authorization server, but if you are using an existing server then you may be stuck using the Implicit grant to get around the CORS limitation.
What is an OAuth 2.0 Grant Type?
In OAuth 2.0, the term “grant type” refers to the way an application gets an access token. OAuth 2.0 defines several grant types, including the authorization code flow. OAuth 2.0 extensions can also define new grant types.
Why does implicit flow use fragments?
One of the historical reasons that the Implicit flow used the URL fragment is that browsers could manipulate the fragment part of the URL without triggering a page reload. However, the History API now means that browsers can update the full path and query string of the URL without a page reload, so this is no longer an advantage of the Implicit flow.
Can you use an implicit grant in JavaScript?
In general, there are extremely limited circumstances in which it makes sense to use the Implicit grant type. The Implicit grant type was created for JavaScript apps while trying to also be easier to use than the Authorization Code grant. In practice, any benefit gained from the initial simplicity is lost in the other factors required to make this flow secure. When possible, JavaScript apps should use the Authorization Code grant without the client secret. However, the Okta Authorization Code grant requires the client secret, so we’ve taken a different approach noted below.
Does OAuth use implicit flow?
At this point most OAuth implementations do not use the Implicit flow. But like I said in the post, there are a couple of cases where it still makes sense to use it. One is if the authorization server doesn't support the necessary CORS headers, since the Authorization Code flow requires that a request is made from arbitrary origins. The other is when used in conjunction with OpenID Connect, since the security considerations for ID tokens are very different from access tokens.
What is implicit grant?
Implicit Grant is an OAuth 2.0 flow that is used to grant an access token to integrations that are not able to store sensitive data on a secure server, such as those that are native to mobile devices.
Why is implicit grant less secure?
This is potentially less secure because the access token must be stored on the user’s device, but it does not require that the integration have access to a web server. You should use Implicit Grant to authenticate only if your app is not able to use a web server to secure the access token.
What is implicit flow?
The Implicit flow was a simplified OAuth flow previously recommended for native apps and JavaScript apps where the access token was returned immediately without an extra authorization code exchange step.
Why is implicit flow not recommended?
It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.
Flow
The client will redirect the user to the authorization server with the following parameters in the query string:
Setup
Wherever you initialize your objects, initialize a new instance of the authorization server and bind the storage interfaces and authorization code grant:
Implementation
Please note: these examples demonstrate usage with the Slim Framework. Slim is not a requirement to use this library; you just need something that generates PSR-7-compatible HTTP requests and responses.
Deprecation Notice
To follow the latest OAuth 2.0 best practices, Login With Amazon no longer supports Implicit Grant for any new Security Profiles. All new integrations must use the Authorization Code grant. Existing Security Profiles using Implicit Grant will continue to work till April 30, 2021.
Authorization Request
To request authorization, the client (website) must redirect the user-agent (browser) to make a secure HTTP call to https://www.amazon.com/ap/oa with the following parameters:
Authorization Response
After the client (website) directs the user-agent (browser) to make an Authorization Request, the authorization service will redirect the user-agent to a URI specified by the client. If the user granted the request for access, that URI will contain an access_token as a URI fragment. For example:
Authorization Errors
If the user did not grant the request for access, or an error occurs, the authorization service will redirect the user-agent (a user's browser) to a URI specified by the client. That URI will contain error parameters detailing the error. For example:
Verify Access Tokens
After you receive an access token using the implicit grant, it is highly recommended that you verify the authenticity of the access token before you retrieve a customer profile using that token.
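The three steps just described (read the access_token from the URI fragment, handle the error parameters, and verify the token before using it) as one defensive handler. This is an added example, not code from Login with Amazon or any other source quoted on this page; the `state` parameter is the standard OAuth 2.0 request-binding value, and the token-info object shape `{ aud, exp }` passed to `verifyTokenAudience` is an assumption about what a provider's token verification endpoint returns, not a specific provider's API.

```javascript
// Added example (not from any source quoted on this page): handle the implicit-grant
// redirect on the client side. Tokens arrive in the URI fragment, and a token that
// reaches us is not trustworthy until it is bound to our request (state) and
// verified as issued to our own client (audience).
const ALLOWED_TOKEN_TYPES = new Set(['bearer']);

// Parse the redirect URI the authorization server sent the browser to.
function parseImplicitResponse(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  // Only the fragment carries the response; anything in the query string is ignored.
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  // Bind the response to the request we actually made (CSRF / substituted-response check).
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  // Error responses carry error / error_description in the fragment as well.
  if (params.has('error')) {
    return {
      ok: false,
      reason: params.get('error'),
      description: params.get('error_description') || '',
    };
  }
  const accessToken = params.get('access_token');
  const tokenType = (params.get('token_type') || '').toLowerCase();
  if (!accessToken || !ALLOWED_TOKEN_TYPES.has(tokenType)) {
    return { ok: false, reason: 'malformed_response' };
  }
  const expiresIn = Number(params.get('expires_in'));
  return {
    ok: true,
    accessToken,
    // Not usable for profile or API calls until verifyTokenAudience has passed.
    verified: false,
    expiresAt: Number.isFinite(expiresIn) ? Date.now() + expiresIn * 1000 : null,
  };
}

// A token obtained through some other site's login is still a genuine token; what
// makes it wrong for us is that it was issued to a different client. Assumed
// tokenInfo shape: { aud: <client id the token was issued to>, exp: <unix seconds> }.
function verifyTokenAudience(tokenInfo, ourClientId, now = Date.now()) {
  if (!tokenInfo || tokenInfo.aud !== ourClientId) return false;
  if (typeof tokenInfo.exp === 'number' && tokenInfo.exp * 1000 <= now) return false;
  return true;
}
```

Only after `verifyTokenAudience` returns true should the token be marked verified and used to fetch the customer profile.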
What is implicit flow?
The Implicit flow skips this client authentication step altogether and just loads up a web page with client script. There's a cute trick here with the URL fragment that keeps the access token from being passed around too much, but the end result is essentially the same: the client-hosted site serves up a page with some script in it that can grab the access token.
How does authorization code grant work?
The Authorization Code grant provides additional security, but it only works when you have a web server requesting the protected resources. Since the web server can store the access token, you run less risk of the access token being exposed to the Internet, and you can issue a token that lasts a long time.
Why is client secret not a secret?
The client secret isn't a secret if it needs to be enumerated within client-side code, and it would therefore be exposed to the internet. If your client ID is only used in implicit flows, this isn't a problem. But if it's also used elsewhere in your platform for refresh token or authorization code grants, then having the corresponding secret exposed is a big problem.
When does the Authorization Code Grant make sense with a decoupled user-agent and client?
In the case of a decoupled user-agent and client, the Authorization Code Grant makes sense. E.g. the user uses a web browser (user-agent) to log in with his Facebook account on Kickstarter. In this case the client is one of Kickstarter's servers, which handles the user logins. This server gets the access token and the refresh token from Facebook. Thus this type of client is considered to be "secure": due to restricted access, the tokens can be saved, and Kickstarter can access the users' resources and even refresh the access tokens without user interaction.
Is implicit grant easier to implement?
The usual explanation is that the Implicit grant is easier to implement when you're using a JavaScript client. But I think this is the wrong way to look at it. If you're using a JavaScript client that requests protected resources directly via XMLHttpRequest, the Implicit grant is your only option, although it's less secure.

Authorization Request
- To request authorization, the client (website) must redirect the user-agent (browser) to make a secure HTTP call to https://www.amazon.com/ap/oa with the following parameters: For example: To make an authorization request using the Login with Amazon SDK for JavaScript, you must fill out an options object, and call amazon.Login.authorize. The first parameter to amazon.Login.au…
Authorization Response
- After the client (website) directs the user-agent (browser) to make an Authorization Request, the authorization service will redirect the user-agent to a URI specified by the client. If the user granted the request for access, that URI will contain an access_token as a URI fragment. For example: A successful response includes the following values: If you are using the Login with A…
Authorization Errors
- If the user did not grant the request for access, or an error occurs, the authorization service will redirect the user-agent (a user's browser) to a URI specified by the client. That URI will contain error parameters detailing the error. For example: The error parameters for a failed authorization request include: If you are using the Login with Amazon SDK for JavaScript, the above paramete…
Verify Access Tokens
- After you receive an access token using the implicit grant, it is highly recommended that you verify the authenticity of the access token before you retrieve a customer profile using that token. If a malicious site can induce a user to login, they can take the valid access token they receive and use it to mimic an authorization response to your sit...