Skip to content

Implicit Flow - ID Token


The Implicit flow was used when the client secret cannot be kept confidential. However, the more secure way is performing the PKCE Flow.

How it works

    participant Client
    participant AuthServer as Authentication Server
    participant User

    Client->>AuthServer: Authentication Request
    AuthServer->>User: User Login
    User->>AuthServer: Consent
    AuthServer->>User: Verify User
    AuthServer->>AuthServer: Generate ID Token
    AuthServer-->>Client: Authentication Response (ID Token)
    Client->>AuthServer: ID Token Validation Request
    AuthServer->>AuthServer: Validate ID Token
    AuthServer-->>Client: ID Token Validation Response
When using response_type=id_token Unidy redirects the user with a jwt token parameter to the partner application. This jwt token already contains the userdata.


To decode the JWT you must decode each part of the JWT token with base64 decode. To get each part split the token at ".". This is normally done by all the libraries out there for you.