What is the purpose of the implicit grant authorization type in OAuth 2?

by

Here are my thoughts:

The purpose of auth code + token in authorization code flow is that token and client secret will never be exposed to resource owner because they travel server-to-server.

On the other side, implicit grant flow is for clients that are implemented entirely using javascript and are running in resource owner’s browser. You do not need any server side code to use this flow. Then, if everything happens in resource owner’s browser it makes no sense to issue auth code & client secret anymore, because token & client secret will still be shared with resource owner. Including auth code & client secret just makes the flow more complex without adding any more real security.

So the answer on “what has been gained?” is “simplicity”.

More Related Contents:

  1. How is OAuth 2 different from OAuth 1?
  2. How to validate an OAuth 2.0 access token for a resource server?
  3. What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?
  4. Why do access tokens expire?
  5. OAuth 2.0: Benefits and use cases — why?
  6. Difference between OAuth 2.0 “state” and OpenID “nonce” parameter? Why state could not be reused?
  7. JWT (Json Web Token) Audience “aud” versus Client_Id – What’s the difference?
  8. OAuth 2.0 with Google Analytics API v3
  9. gapi.auth.signOut(); not working I’m lost
  10. LinkedIn OAuth2: “Unable to verify access token”
  11. OAuth Authorization vs Authentication
  12. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  13. Can I really not ship open source with Client ID? [closed]
  14. CORS issue while making an Ajax request for oauth2 access token
  15. How to validate Azure AD security token?
  16. Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?
  17. What are the main differences between JWT and OAuth authentication?
  18. What is the OAuth 2.0 Bearer Token exactly?
  19. Is there any JSON Web Token (JWT) example in C#?
  20. What is the difference between Google Identity Toolkit, Google OAuth, Firebase Auth and Google+ sign in
  21. Spring OAuth redirect_uri not using https
  22. Sign in with Google temporarily disabled for this app
  23. Disable checkboxes on Google consent screen
  24. What exactly is OAuth (Open Authorization)?
  25. How to change Google consent screen email?
  26. Twitter API – Logout
  27. Refresh token using Omniauth-oauth2 in Rails application
  28. Google API OAuth2, Service Account, “error” : “invalid_grant”
  29. Netsuite OAuth Not Working
  30. Securing my REST API with OAuth while still allowing authentication via third party OAuth providers (using DotNetOpenAuth)

Leave a Comment