Implicit grant flow quick start

If you are building a single-page application (SPA), you may want to use the implicit grant flow to control access between your SPA and a resource server. This quick start procedure will help you start using the implicit flow as soon as possible.

Before you begin

  1. Configure OAuth scopes for resource and methods in your registered API. See Configure OAuth 2.0 scopes.
  2. Register at least one identity provider to authenticate resource owners. See Register an identity provider.
  3. Set up your app in OAuth Management in Control Center. See Register a client app.

How to

Start the implicit flow by navigating the user agent to a URL that follows this pattern:

<client-id>&scope=<scope-1>%20<scope-2>&response_type=token&redirect_uri=<redirect-uri>&state=<your-xsrf-token>

Note the parameters in the request:

  client_id: The client identifier of the app that you registered in OAuth Management.
  scope: The scopes that you configured in API Definitions, separated by spaces (%20 when URL-encoded).
  response_type: Tells the Authorization Server which grant flow to start. For the implicit grant flow, its value is token.
  redirect_uri: The location to which the Authorization Server sends the user agent after the user approves the request. It must match one of the Redirect URIs of the client app that you configured before.
  state: An XSRF token that the Authorization Server echoes back when redirecting the user agent to the client. It is an arbitrary alphanumeric string that the client generates and later compares, to help prevent cross-site request forgery.

What you should see

If the user approves the request, the Authorization Server redirects the user agent back to the redirect_uri specified by the app, adding an access_token and the state value to the URL.

The user agent will be redirected to a URL that follows this pattern: