Implicit Grant Type

This lesson introduces another type of OAuth flow called Implicit grant flow.

The Implicit grant type is designed for single-page JavaScript apps that do not have a backend. In the previous lesson, we discussed the Authorization Code grant flow, in which the client app used the client_secret and authorization code to get the access code.

The problem with JavaScript apps (without a backend) is that they have no way to store client secrets. Storing the client secret in the JavaScript code is not as safe, because anyone can access it. Therefore, we use the Implicit flow for these apps. In Implicit flow, the authorization server directly returns the access token instead of returning the code.

This flow type should be used only if there is no alternative option because it is not safe. The exchange of token happens at the front end and an attacker can access the token.

Get hands-on with 1400+ tech skills courses.