Skip to content

Implicit FLow - Token


The Implicit flow was used when the client secret cannot be kept confidential. However, the more secure way is performing the the PKCE Flow.

    participant Client
    participant AuthServer as Authorization Server

    Client->>AuthServer: Token Request (with Client Credentials)
    AuthServer->>AuthServer: Validate Client Credentials
    AuthServer-->>Client: Access Token

The token flow redirects the user with access_token as an URL fragment (after a # for example: which can directly be used by the partner application to request the userinfo endpoint.