This documentation is for WSO2 API Manager 2.1.0. View documentation for the latest release.

All docs This doc
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Implicit grant type is recommended to use to obtain access tokens  if your application (client) is a mobile application or a browser based app such as a JavaScript client.  Like in Authorization code Grant, implicit Grant type is also based in redirection flow but the redirection URI includes the access token in the URI fragment. Because of that, the client application is capable of interacting with the resource owner user agent to obtain the access token from the redirection URI which is sent from the authorization server.

The implicit grant type does not require client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. The resource owner needs to authenticate with the authorization server to obtain the access token. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing in the same device.

The diagram below depicts the flow of Implicit Grant.

  1. The client requests for the access token with the client ID and grant type with optional parameters.

  2. Since the resource owner authenticates directly with the authorization server, his/her credentials will not be shared with the client.

  3. The Authorization Server sends the Access token in URI fragment to the client.

  4. Client extract the token from the fragment and send the API request to the Resource Server with the access token.

With this grant, the refresh token will not be issued for the client as the client type is public. Also note that, the implicit grant does not include client authentication because it does not make use of client secret.

Invoking the Token API to generate tokens  

In his example we are using WSO2 Playground hosted as a web application to obtain the access token with implicit grant.

  1. Setup WSO2 Playground sample webapp in a Application server. You can use WSO2 Identity Server and setup the application following Setting Up the Sample Webapp.
  2. Login to WSO2 API Manager store and create an application as below.

  • No labels