Implicit flow

This grant is commonly used by browser-based (single-page) and mobile applications that cannot keep a client secret, and like the authorization code grant it works through redirection. Because the Access Token is returned straight to the user-agent, the OAuth 2.0 Security Best Current Practice now recommends the authorization code grant with PKCE instead of the implicit grant for such clients. The following diagram explains the implicit grant type flow:

Figure 10: Implicit flow

The steps in the preceding diagram are explained in detail here:

  1. The resource owner is presented with a screen (browser) to authorize the request. Here is an example authorization link: https://<DOMAIN>/oauth/authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=<SCOPE>. The client should also send a random, single-use state parameter and check that the same value comes back in the redirect.

It is important to note that the response_type specified in the previous link is token rather than code. This instructs the authorization server to return the Access Token directly in the redirect, with no intermediate authorization code and no call to the token endpoint (this is the main difference from the authorization code grant type discussed in the previous section).

  2. If the resource owner (user) allows this, they click on the authorize button, and the decision is sent to the authorization server.
  3. The authorization server redirects the user-agent (browser or mobile app) to the specified CALLBACK_URL with the Access Token in the URL fragment (https://<CALLBACK_URL>#access_token=<ACCESS_TOKEN>&token_type=bearer).
  4. The user-agent follows the redirect to the CALLBACK_URL, retaining the fragment; browsers do not send the fragment in the HTTP request, so the token does not reach the server hosting the callback page.
  5. The client application's page at the CALLBACK_URL runs a script that extracts the Access Token from the fragment (window.location.hash in a browser).
  6. The client application now has the Access Token.
  7. The client application calls the secured API using the Access Token, sent as a Bearer token in the Authorization header.

Two checks matter in this flow: the authorization server must compare redirect_uri against the client's registered value with an exact string match, otherwise the token can be redirected to an attacker-controlled page, and the client must reject any callback whose state does not match the value it stored before redirecting. The implicit grant issues no refresh token, so the client has to start a new authorization request when the Access Token expires.