3. Implicit Flow

Overview

The Implicit Flow is designed for single-page applications (SPAs) and other public clients (pure JavaScript front-end applications) that cannot securely store a client secret. In this flow, the access token is returned directly in the URL fragment of the redirect URI after the user authorizes the client. No authorization code is involved in the flow.

OAuth Implicit Flow

Steps

  1. A user tries to access the application (the client).
  2. The client sends an authorization request to the authorize endpoint. (The client must inform Cloudentity of its desired grant type by using the response_type parameter. For the implicit grant flow type, the value of the response_type parameter must be token.) For example:

     curl --location \
       --get \
       --url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/authorize" \
       --data-urlencode "response_type=token" \
       --data-urlencode "client_id=$CLIENT_ID"

  3. Cloudentity displays a consent screen for the user.
  4. The user gives their consent.
  5. Cloudentity returns the token embedded in the fragment of the redirection URI.
  6. The client requests protected resources from the resource server and presents the token it received in the previous step.
  7. The resource server validates the token and responds with the requested resources.
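
How a single-page application consumes the token that arrives in the fragment of the redirection URI, as an added example (not Cloudentity's code): it parses the fragment, checks the state value the client sent with its authorization request so that a token injected by someone else is rejected, and refuses error responses. The callback URL, token value and state value are constructed placeholders; parameter names follow the OAuth 2.0 implicit grant response.

```javascript
// Parse the implicit-grant response carried in the URL fragment
// (window.location.hash in a browser) and validate it before use.
function parseImplicitFragment(fragment, expectedState) {
  // The fragment is application/x-www-form-urlencoded after the leading '#'.
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  const got = Object.fromEntries(params.entries());

  // Bind the response to the request the client actually issued: a missing
  // or mismatched 'state' means the token did not come from our own flow.
  if (!expectedState || got.state !== expectedState) {
    throw new Error("state mismatch: rejecting token from fragment");
  }
  // The authorization server reports failures in the same fragment.
  if (got.error) {
    throw new Error(`authorization error: ${got.error}`);
  }
  // Only a bearer access token is usable against the resource server.
  if (!got.access_token || (got.token_type || "").toLowerCase() !== "bearer") {
    throw new Error("fragment has no usable bearer access_token");
  }
  const expiresIn = Number.parseInt(got.expires_in, 10);
  return {
    accessToken: got.access_token,
    expiresIn: Number.isFinite(expiresIn) ? expiresIn : null, // seconds
    scope: got.scope ? got.scope.split(" ") : [],
  };
}

// Constructed sample redirect, in the shape Cloudentity issues after the
// consent step; token, URL and state values are placeholders.
const sampleRedirect =
  "https://app.example.com/callback#access_token=PLACEHOLDER_TOKEN" +
  "&token_type=Bearer&expires_in=3600&scope=openid%20profile&state=xyz123";
const sampleFragment = new URL(sampleRedirect).hash;

// In a browser, after parsing, drop the fragment so the token does not stay
// in history or leak through the Referer header (not run here):
// history.replaceState(null, "", window.location.pathname + window.location.search);
```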

Use Case

Single-page applications (SPAs): This flow is suitable when immediate access to the token is required, and there's no server-side component to handle the token exchange.

Security