Implicit flow

Unlike the client credentials flow, which is intended for server-to-server communication, the implicit flow was designed for public clients such as browser-based JavaScript applications. It provides no client authentication: a public client can carry a client ID, but it cannot keep a client secret, because anything stored in the browser can be read by the user (or by an attacker with access to the browser). The flow therefore relies on the registered redirection URI and the resource owner's own authentication rather than on a secret held by the client:

  1. The process starts when the client (for example, a single-page JavaScript app) redirects the resource owner's user agent (browser) to the authorization endpoint.
  2. The redirect carries the client ID, the requested scope, a state value, the redirection URI, and response_type=token. No client secret is sent; a public client has none.
  3. The authorization server authenticates the resource owner via the user agent (for example, by prompting for the resource owner's credentials) and establishes whether the resource owner grants or denies the access requested by the client.
  4. If the resource owner grants access, the authorization server redirects the user agent back to the client through the redirection URI provided earlier and passes the access token in the URI fragment.
  5. The user agent then makes the request to the web-hosted client resource without the fragment; browsers never send the fragment to the server.
  6. The web-hosted client resource returns a web page, typically an HTML document containing embedded JavaScript, which runs on the user agent and extracts the access token from the URI fragment.
  7. Once the access token is extracted, the client uses it for subsequent requests to the resource server.

With this type of flow, the token is handed to the user agent directly, and the user agent passes it to the resource server to access the resource. The price is that the token appears in a URL: it can end up in browser history, in the referrer of any resource loaded by the callback page, and in the hands of any script running in that page. This is why the current OAuth 2.0 security guidance recommends the authorization code flow with PKCE for browser-based apps instead of the implicit flow; if you do use implicit flow, always send and verify the state value, and strip the fragment from the URL as soon as the token has been read.
