
Implicit

The Implicit grant type is an alternative to the Authorization Code grant. It is similar to Authorization Code, with a few notable differences:

  • It is intended for browser or mobile apps that cannot keep client secrets because all of the application code and storage is easily accessible (for example, single-page web apps).
  • The authorization server returns the access token directly, instead of a code that is exchanged for a token.
  • Refresh tokens are not supported.

The following diagram illustrates this flow:

Diagram: OAuth 2.0 Implicit flow

  1. The application initiates authorization by sending a request to the marketplace's authorization endpoint.

    Sample request:

    https://marketplace.example.com/oauth2/authorize?response_type=token&client_id=appdirect-49&scope=ROLE_USER%20ROLE_BILLING_ADMIN&state=bf0jksdldqj&redirect_uri=https%3A%2F%2Fwww.example.com%2Foauth2%2Freturn
    Parameter          Description
    response_type      Must be token, which indicates that this is the Implicit grant type.
    client_id          Your API client ID.
    scope              A space-separated list of requested scopes.
    redirect_uri       Endpoint where the marketplace redirects the user to with the access token (in the URI fragment). It must match the return URL registered with your API client.
    state (optional)   An opaque value used by your application to maintain state. The marketplace includes this value when redirecting to the redirect_uri. See the OAuth 2.0 specification for details on how to use this to prevent cross-site request forgery.
  2. The user is authenticated with the marketplace.

  3. An access token is returned in a URI fragment to the redirect_uri passed in step 1.

    Note: This URI must also be registered within your client configuration.

    The state parameter is also returned untouched.

    Sample redirect:

    https://www.example.com/oauth2/return#access_token=7iVGxe84f1ew6QENpCD3
  4. Call an AppDirect API and include the access token in the Authorization header as a bearer token.

    Sample request:

    curl -H 'Authorization: Bearer 7iVGxe84f1ew6QENpCD3' "https://marketplace.example.com/api/account/v2/subscriptions/6c31d072-8480-11e3-b2f4-22000ae812a4/assignments"
  5. Receive the API response.
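
The client-side half of the five steps above, as an added example that is not AppDirect's own code: building the authorize URL (step 1), reading the token out of the URI fragment and checking the returned state before trusting it (step 3), and forming the bearer header (step 4). The sample redirect URL is constructed for this example and adds a state value to the page's sample; it runs in a browser or in Node.

```javascript
// Added example (not AppDirect's code): the client side of the Implicit flow,
// using the page's sample values. URL and URLSearchParams are standard in
// browsers and in Node, so no other dependencies are needed.

// Step 1: build the authorize URL. `state` must be an unguessable per-request
// value the app stores (for example in sessionStorage) before redirecting.
function buildAuthorizeUrl(marketplace, clientId, scopes, redirectUri, state) {
  const url = new URL("/oauth2/authorize", marketplace);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("state", state);
  url.searchParams.set("redirect_uri", redirectUri);
  return url.toString();
}

// Step 3: the token arrives in the URI fragment, not the query string, so the
// browser never sends it to the redirect_uri server. Parse the fragment.
function parseFragment(redirectedUrl) {
  const fragment = new URL(redirectedUrl).hash.replace(/^#/, "");
  return Object.fromEntries(new URLSearchParams(fragment));
}

// Validate the redirect: the returned state must equal the stored one
// (rejecting injected or replayed responses) and a token must be present.
function handleRedirect(redirectedUrl, expectedState) {
  const params = parseFragment(redirectedUrl);
  if (!expectedState || params.state !== expectedState) {
    throw new Error("state mismatch: discarding token");
  }
  if (!params.access_token) {
    throw new Error("no access_token in fragment");
  }
  return params.access_token;
}

// Step 4: the header to attach when calling an AppDirect API.
function bearerHeader(token) {
  return { Authorization: `Bearer ${token}` };
}

// Constructed sample: the page's redirect with the state echoed back.
const SAMPLE_REDIRECT =
  "https://www.example.com/oauth2/return#access_token=7iVGxe84f1ew6QENpCD3&state=bf0jksdldqj";

const token = handleRedirect(SAMPLE_REDIRECT, "bf0jksdldqj");
console.log(bearerHeader(token)); // { Authorization: 'Bearer 7iVGxe84f1ew6QENpCD3' }
```

In a browser, clear the fragment from the address bar once the token has been read (for example with history.replaceState) so it does not remain in the page history.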
