Implicit Flow - Token
Warning
The Implicit flow was used when the client secret could not be kept confidential. However, the more secure way is to use the PKCE Flow.
sequenceDiagram
participant Client
participant AuthServer as Authorization Server
Client->>AuthServer: Token Request (with Client Credentials)
AuthServer->>AuthServer: Validate Client Credentials
AuthServer-->>Client: Access Token
The token flow redirects the user with the access_token as a URL fragment (after a #), for example:
https://yourcallbackurl.com/oauth/callback#access_token=56a4sf654ewaa65f1a5w1ef6a5we4tt&token_type=Bearer&expires_in=7200&state=116516516557156a465d4saf654654f56
The access_token can then be used directly by the partner application to request the userinfo endpoint.
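Client-side handling of the callback shown above, as an added example that is not part of the original page: it parses the fragment, rejects a response whose state does not match the value the client generated before redirecting, and returns the URL with the fragment removed so the token does not stay in the address bar or history. The function names and the `expectedState` parameter are hypothetical; the sample URL reuses the values from the page.

```javascript
// Constructed sample input, using the callback URL from the page.
const SAMPLE_STATE = "116516516557156a465d4saf654654f56";
const SAMPLE_CALLBACK =
  "https://yourcallbackurl.com/oauth/callback#access_token=56a4sf654ewaa65f1a5w1ef6a5we4tt" +
  "&token_type=Bearer&expires_in=7200&state=" + SAMPLE_STATE;

// Hypothetical helper: validate an implicit-flow callback and extract the token.
function parseImplicitCallback(callbackUrl, expectedState, now = Date.now()) {
  const url = new URL(callbackUrl);
  // The token travels in the fragment, which the browser does not send to the server.
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));

  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  // Check state first: a mismatch means this response does not belong to a
  // request this client started, so nothing else in it should be trusted.
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch");
  }
  const accessToken = params.get("access_token");
  if (!accessToken) throw new Error("missing access_token");
  if ((params.get("token_type") || "").toLowerCase() !== "bearer") {
    throw new Error("unexpected token_type");
  }
  const expiresIn = Number(params.get("expires_in"));
  if (!Number.isInteger(expiresIn) || expiresIn <= 0) {
    throw new Error("invalid expires_in");
  }
  url.hash = ""; // drop the fragment from the URL handed back to the caller
  return { accessToken, expiresAt: now + expiresIn * 1000, cleanUrl: url.toString() };
}

// Browser wiring (not called here): run on the callback page, then replace the
// current history entry so the token is no longer visible in the address bar.
function handleCallbackInBrowser(expectedState) {
  const result = parseImplicitCallback(window.location.href, expectedState);
  window.history.replaceState(null, "", result.cleanUrl);
  return result;
}
```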