OAuth Implicit Requests and Responses
What are implicit requests and responses in OAuth 2.0?
- The implicit grant type is used to obtain access tokens and is optimized for public clients known to operate a particular redirection URI.
- The implicit grant type does not include client authentication; it relies on the presence of the resource owner and on the registration of the redirection URI.
- The implicit grant consists of only one request and one response.
Implicit Grant Request
- Unlike the authorization code grant, in which the client makes separate requests for authorization and for an access token, the implicit grant returns the access token directly as the result of the authorization request.
- Hence, the implicit grant request contains the following parameters:
| Parameter | Description |
|---|---|
| response_type | Required. Must be set to token. |
| client_id | Required. The client identifier assigned by the authorization server when the client was registered. |
| redirect_uri | Optional. The redirect URI registered by the client. |
| scope | Optional. The possible scope of the request. |
| state | Optional (recommended). Any client state that needs to be passed on to the client redirect URI. |
Implicit Grant Response
- The implicit grant response is similar to the authorization code grant response, with two distinct differences: the access token is delivered in the fragment component of the redirect URI, and no refresh token is issued.
- The implicit grant itself is the OAuth 2.0 flow that client-side (browser-based) apps use to obtain a token for calling an API.
- The implicit grant response contains the following parameters:
| Parameter | Description |
|---|---|
| access_token | Required. The access token assigned by the authorization server. |
| token_type | Required. The type of the token. |
| expires_in | Recommended. The number of seconds after which the access token expires. |
| scope | Optional. The scope of the access token. |
| state | Required if present in the authorization request. Must be the same value as the state parameter in the request. |
Implicit Grant Error Response
- If an error occurs during authorization, two situations can occur.
- The first is that the client is not authenticated or is not recognized.
- In that case the authorization server must not redirect the resource owner to the redirect URI.
- Instead, it should inform the resource owner of the error directly.
- The second situation is that the client is valid, but some other error has occurred.
- If that is the case, the following error response is sent to the client, included in the redirect URI:
| Parameter | Description |
|---|---|
| error | Required. Must be one of a set of predefined error codes. See the specification for the codes and their meaning. |
| error_description | Optional. A human-readable UTF-8 encoded text describing the error. Intended for a developer, not an end user. |
| error_uri | Optional. A URI pointing to a human-readable web page with information about the error. |
| state | Required if present in the authorization request. The same value as sent in the state parameter of the request. |
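The request, response and error tables above, put together as an added example (not code from the original tutorial): a browser-side client builds the implicit authorization request and then validates whatever comes back in the redirect URI fragment, checking state before trusting either a token or an error. The endpoint, client_id, token and state values are constructed sample data.

```javascript
// Added example; all URLs, identifiers and token values are constructed samples.
// Build the implicit grant authorization request from the request table.
// `state` must be an unguessable per-request value the client remembers
// (e.g. in sessionStorage) so the response can be tied back to this request.
function buildImplicitAuthRequest(authorizeEndpoint, params) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("response_type", "token");      // required, always "token"
  url.searchParams.set("client_id", params.client_id); // required
  if (params.redirect_uri) url.searchParams.set("redirect_uri", params.redirect_uri);
  if (params.scope) url.searchParams.set("scope", params.scope);
  url.searchParams.set("state", params.state);         // recommended
  return url.toString();
}

// Parse the response carried in the redirect URI fragment (location.hash).
// The fragment never reaches a server, so the client alone must validate it.
// Returns {ok:true, token} or {ok:false, reason, ...error fields}.
function parseImplicitResponse(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ""));
  // Check state first: a missing or different value means this response was
  // not produced by a request this client made, so nothing in it is trusted,
  // not even an error code.
  if (p.get("state") !== expectedState) return { ok: false, reason: "state_mismatch" };
  if (p.has("error")) {
    return { ok: false, reason: "error_response", error: p.get("error"),
             error_description: p.get("error_description"), error_uri: p.get("error_uri") };
  }
  const access_token = p.get("access_token");
  const token_type = p.get("token_type");
  if (!access_token || !token_type) return { ok: false, reason: "missing_required_parameter" };
  // expires_in is optional but, when present, must be a positive integer number of seconds.
  const expires_in = p.has("expires_in") ? Number(p.get("expires_in")) : null;
  if (expires_in !== null && !(Number.isInteger(expires_in) && expires_in > 0)) {
    return { ok: false, reason: "invalid_expires_in" };
  }
  return { ok: true, token: { access_token, token_type, expires_in, scope: p.get("scope") } };
}

// Constructed sample run: one request and three possible fragment responses.
const STATE = "xyz123"; // in real use: random, generated per request
const REQUEST_URL = buildImplicitAuthRequest("https://auth.example.com/authorize",
  { client_id: "example-client", redirect_uri: "https://app.example.com/cb", scope: "read", state: STATE });
const SUCCESS = parseImplicitResponse(
  "#access_token=sample-token-123&token_type=bearer&expires_in=3600&state=xyz123", STATE);
const DENIED = parseImplicitResponse("#error=access_denied&state=xyz123", STATE);
const FORGED = parseImplicitResponse("#access_token=other-token&token_type=bearer&state=other", STATE);
```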