OAuth2 Implicit Flow#

The Implicit Flow lets a client obtain an ID token or an access token directly from the authorization endpoint, without an intermediate authorization code exchange. The token is handed to the browser in the URL fragment of the redirect back to the client.

(Figure: implicit-flow)

Fetching ID token using implicit flow#

  1. The user agent (browser) accesses the application, e.g. https://my.application, and is redirected to the Argus OAuth authorization page, requesting authorization with response type "id_token" and scope "openid":

     https://portal.mnemonic.no/spa/oauth/authorize?client_id=021269c5-04c3-4399-a206-32659c489803&redirect_uri=https://my.application/oauth/callback&response_type=id_token&scope=openid
    
  2. If not logged into Argus, the user is redirected to the Argus Login page, and then back to the OAuth authorization page

  3. If the current user is permitted to access the specified client, Argus issues an ID token and redirects the user back to the registered redirect_uri, with the token in the URL fragment:

     https://my.application/oauth/callback#id_token=ZWlEYWljaGk2Y.... 
    

The client application must decode and verify the ID token, which is signed by the Argus IdP: check the signature against the Argus signing key, and check that the issuer is Argus, that the audience is the client's own client_id and that the token has not expired. Only a token that passes these checks carries claims about the user that the client can trust to authenticate the user and to determine user permissions or behaviour.

Tip

Fetching an ID token is only supported when OpenID Connect is enabled, using scope "openid". See OpenID Connect for details about the available claims.

Fetching access token using implicit flow#

Using the same flow as above with response_type=token returns an access token directly to the browser, in the URL fragment.

This is not recommended for browser clients, as it exposes the access token: it appears in the browser's address bar and history and is readable by any script running on the page.